Guardrails Changelog

aws v5.45.0 - Account CMDB now captures Operations and Billing alternate contacts

Thu, 07 May 2026 09:00:00 GMT

_What's new?_ - The `AWS > Account > CMDB` control now captures `AlternateOperationsContact` and `AlternateBillingContact` alongside the existing `AlternateSecurityContact`. These fields are populated from the AWS Account alternate contact API and are available for querying and policy enforcement. Accounts without a contact configured or without sufficient permissions will show `null` for the respective fields.

aws v5.44.0 - Bedrock Policy resource type for AWS Organizations

Wed, 06 May 2026 09:00:00 GMT

_Resource Types_ _Added_ - AWS > Organizations > Bedrock Policy _Control Types_ _Added_ - AWS > Organizations > Bedrock Policy > CMDB - AWS > Organizations > Bedrock Policy > Discovery _Policy Types_ _Added_ - AWS > Organizations > Bedrock Policy > CMDB _Action Types_ _Added_ - AWS > Organizations > Bedrock Policy > Router

aws-quicksight v5.4.1 - Fixed Account Settings Discovery control entering an error state in some accounts

Wed, 06 May 2026 09:00:00 GMT

_Bug fixes_ - Fixed the `AWS > QuickSight > Account Settings > Discovery` control crashing with `TypeError: err.isNotFound is not a function` when the underlying QuickSight API call returned an error such as the account not being subscribed to QuickSight or the caller lacking the required permissions. The control now correctly recognises not-found errors and exits cleanly instead of masking the original AWS error with a JavaScript TypeError.

aws-prevention v5.2.0 - AWS Bedrock prevention objectives and examples

Wed, 06 May 2026 09:00:00 GMT

_Bug fixes_ - Fixed SCP Allow Boundary discovery incorrectly flagging every AWS service as blocked on organizational units that have FullAWSAccess plus deny-only SCPs attached. The discovery control was dropping AWS-managed SCPs (including FullAWSAccess) from its input query, which prevented the FullAWSAccess-aware code paths from running and made every such OU fall into the restrictive-boundary path. - Fixed SCP allow boundary prevention discovery so it updates correctly when SCPs are attached, modified, or detached from an organizational unit, account, or organization root. Also fixed prevention discovery for EC2 account attributes, IAM password policy, S3 public access, SCP deny, RCP deny, and SCP allow boundary so that existing preventions are removed when the underlying AWS configuration is cleared. _Prevention Objectives_ _Added_ - Enforce VPC endpoint for AWS Bedrock invocations - Enforce approved foundation models for AWS Bedrock - Restrict AWS Bedrock Marketplace model endpoints to approved vendors - Restrict AWS Bedrock agent action groups to approved sources - Restrict AWS Bedrock third-party knowledge bases to approved secret ARNs _Prevention Examples_ _Added_ - Enforce approved foundation models for AWS Bedrock agents - Require VPC endpoint for AWS Bedrock invocations - Require approved foundation models for AWS Bedrock invocations - Restrict AWS Bedrock Marketplace model endpoints - Restrict AWS Bedrock agent action groups to approved sources - Restrict AWS Bedrock third-party knowledge base integrations to approved secret ARNs

aws-bedrock v5.6.0 - Action Group and Guardrail resource types

Wed, 06 May 2026 09:00:00 GMT

_Resource Types_ _Added_ - AWS > Bedrock > Action Group - AWS > Bedrock > Guardrail _Control Types_ _Added_ - AWS > Bedrock > Action Group > Allowed - AWS > Bedrock > Action Group > Allowed > Custom - AWS > Bedrock > Action Group > CMDB - AWS > Bedrock > Action Group > Discovery - AWS > Bedrock > Guardrail > Allowed - AWS > Bedrock > Guardrail > Allowed > Custom - AWS > Bedrock > Guardrail > Allowed > Region - AWS > Bedrock > Guardrail > CMDB - AWS > Bedrock > Guardrail > Discovery - AWS > Bedrock > Guardrail > Tags _Policy Types_ _Added_ - AWS > Bedrock > Action Group > Allowed - AWS > Bedrock > Action Group > Allowed > Custom - AWS > Bedrock > Action Group > Allowed > Custom > Rules - AWS > Bedrock > Action Group > CMDB - AWS > Bedrock > Action Group > Regions - AWS > Bedrock > Guardrail > Allowed - AWS > Bedrock > Guardrail > Allowed > Custom - AWS > Bedrock > Guardrail > Allowed > Custom > Rules - AWS > Bedrock > Guardrail > Allowed > Region - AWS > Bedrock > Guardrail > Allowed > Region > Regions - AWS > Bedrock > Guardrail > CMDB - AWS > Bedrock > Guardrail > Regions - AWS > Bedrock > Guardrail > Tags - AWS > Bedrock > Guardrail > Tags > Template _Action Types_ _Added_ - AWS > Bedrock > Action Group > Delete - AWS > Bedrock > Action Group > Delete from AWS - AWS > Bedrock > Action Group > Router - AWS > Bedrock > Guardrail > Delete - AWS > Bedrock > Guardrail > Delete from AWS - AWS > Bedrock > Guardrail > Router - AWS > Bedrock > Guardrail > Set Tags - AWS > Bedrock > Guardrail > Skip alarm for Tags control - AWS > Bedrock > Guardrail > Skip alarm for Tags control [90 days] - AWS > Bedrock > Guardrail > Update Tags

gcp v5.36.0 - Added policy to support Workload Identity Federation for organizations

Tue, 05 May 2026 09:00:00 GMT

_What's new?_ - Added the `GCP > Workload Identity Pool Provider` policy type, which stores the WIF Pool Provider resource name to support Workload Identity Federation for GCP Organizations.

aws-msk v5.8.3 - Fixed Allowed Regions [Default] policy for the service failing with runnable input query error

Tue, 05 May 2026 09:00:00 GMT

_Bug fixes_ - The `AWS > MSK > Allowed Regions [Default]` policy previously failed with a "Runnable input query failed" error on all AWS accounts because it referenced a non-existent policy. The policy now correctly inherits from `AWS > Allowed Regions [Default]`policy.

aws-ec2 v5.54.1 - Fixed Launch Template Version and Load Balancer Listener Discovery controls erroring on deleted parent resources

Tue, 05 May 2026 09:00:00 GMT

_Bug fixes_ - Fixed `Launch Template Version > Discovery` and `Load Balancer Listener > Discovery` controls erroring when the parent resource is deleted in AWS. Both controls now trigger the parent's CMDB cleanup on `InvalidLaunchTemplateId.NotFound`/`LoadBalancerNotFoundException` API errors.

aws v5.43.7 - Global Event Handlers now deliver real-time CMDB updates for all event types across regions

Mon, 27 Apr 2026 09:00:00 GMT

_Bug fixes_ - Fixed an issue where `AWS > Turbot > Event Handlers [Global]` deployments were not forwarding certain event types from non-primary regions to the primary region's event bus. Only events with the `AWS API Call via CloudTrail` detail-type were being forwarded, so events such as `EBS Volume Notification`, `EC2 Instance State-change Notification`, `AWS Service Event via CloudTrail` (AppStream `CreateImage`, QuickSight, Organizations), and `AWS Console Action via CloudTrail` (Billing Console region enable/disable) emitted in non-primary regions were not reaching Guardrails. The non-primary forwarding rule now covers all detail-types defined in the configured event patterns, so Global Event Handlers deployments receive real-time CMDB updates for these events from every region. - Added `AttachedPolicies` in definitions on `account`, `organizationRoot`, and `organizationalUnit` resource data schemas. Enables downstream mods to query attached SCPs, RCPs, and other organization policies via typed GraphQL field access instead of reading raw `data`.

aws-iam v5.48.3 - Fixed IAM group membership and provisioning issues in the Managed permissions stack

Fri, 24 Apr 2026 09:00:00 GMT

_Bug fixes_ - The `AWS > Turbot > IAM > Group > Managed` control incorrectly flagged existing members of service-specific IAM groups (for example, `stepfunctions_admin`, `secretsmanager_admin`, and `cloudwatch_operator`) for removal, because the control could not match those members against their existing Guardrails grants. Existing group members are now recognized correctly and are no longer reported as unauthorized. - The `AWS > Turbot > IAM > Managed > Provision Managed Resources` action generated invalid ARNs containing `undefined` in place of the account ID (for example, `arn:aws:iam::undefined:policy/turbot/...`) and created duplicate "ghost" entries in CMDB alongside the real IAM policies, roles, users, and groups it provisioned. This affected workspaces whose account metadata had been populated by earlier discovery runs. ARNs are now generated with the correct account ID, and duplicate CMDB entries are no longer created.

Turbot Guardrails Enterprise Database (TED) v1.53.0 - PgBouncer on Fargate and Gen 8 Graviton4 RDS support

Thu, 23 Apr 2026 09:00:00 GMT

_What's new?_ - Added Fargate launch type support for PgBouncer, with auto-derived CPU / memory and pool sizing based on max server connections. - Added support for Gen 8 Graviton4 RDS instance types (`db.m8g`, `db.r8g`). - Simplified PgBouncer CloudFormation parameters — seven resource and pool-size parameters have been consolidated under a single `PgBouncerCpu` with auto-derivation. - `PgBouncerMaxDbConnections` has been renamed to `PgBouncerMaxServerConnections`. _Bug fixes_ - Retain the PgBouncer CloudWatch log group when PgBouncer is disabled, so existing logs aren't lost on stack update.

Turbot Guardrails Enterprise (TE) v5.58.1 - AI provider fixes and OCL CIDR operators restored

Thu, 23 Apr 2026 09:00:00 GMT

_What's new?_ - Server - Individual AI features (e.g. Policy Pack Summary) now work when enabled independently of the global AI toggle — credentials are returned whenever the provider is configured. _Bug fixes_ - Server - Resolved an issue where the Azure OpenAI provider could fail on the Policy Pack Summary control due to configuration errors. - Addressed a problem where certain CIDR comparison checks were not working correctly after a recent update. _Requirements_ - Upgrade to `5.58.0` requires your workspace to be on `5.55.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.70.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.57.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure v5.39.3 - Fixed subscription policy CMDB controls failing due to missing tenant metadata

Wed, 22 Apr 2026 09:00:00 GMT

_Bug fixes_ - Fixed `Azure > Subscription Policy > CMDB` failing due to missing tenant IDs in resource AKAs. Any broken records currently in CMDB are automatically cleaned up by the `Azure > Subscription Policy > CMDB` control and recreated with the correct AKA by `Azure > Subscription Policy > Discovery`.

azure v5.39.2 - Fixed several Policy Discovery controls failing to create resources when Azure tenants have resources with non-unique names

Fri, 17 Apr 2026 09:00:00 GMT

_Bug fixes_ - Fixed `Azure > Policy Definition > Discovery`, `Azure > Policy Assignment > Discovery`, `Azure > Policy Set Definition > Discovery`, and `Azure > Subscription Policy > Discovery` controls failing to create new resources when two Azure tenants in the same Guardrails workspace have resources with non-unique names. The AKAs for these resource types now start with `azure:///tenants/{tenantId}/`. Any resources currently in CMDB will have their current AKAs replaced with the new format.

aws-ec2 v5.54.0 - Configure deregistration protection for AMIs

Fri, 17 Apr 2026 09:00:00 GMT

_What's new?_ - Configure deregistration protection for AMIs. To get started, set the `AWS > EC2 > AMI > Deregistration Protection` policy. - AMI CMDB details will now also include details about the EC2 instances that refer the AMI. _Control Types_ - AWS > EC2 > AMI > Deregistration Protection _Policy Types_ - AWS > EC2 > AMI > Deregistration Protection _Action Types_ - AWS > EC2 > AMI > Update Deregistration Protection

azure-network v5.30.3 - Fixed Network Security Group Ingress/Egress Rules Approved controls incorrectly handling bare IP addresses

Thu, 16 Apr 2026 09:00:00 GMT

_Bug fixes_ - Fixed Network Security Group Ingress/Egress Rules Approved controls incorrectly handling bare IP addresses (e.g., `8.8.8.8`) in `sourceAddressPrefix`. Bare IPs are now normalized to CIDR notation (`8.8.8.8/32`) so that `bitmaskLength` and OCL CIDR comparison operators work correctly.

aws-efs v5.12.2 - File system CMDB data will now be refreshed correctly on mount target deletions

Tue, 14 Apr 2026 09:00:00 GMT

_Bug fixes_ - The file system CMDB data was not being refreshed when its mount targets were deleted, which could cause the `Allowed Encryption at Rest` control to use stale data. This has now been fixed, and the file system CMDB is correctly updated on any of its mount target deletions.

aws-ec2 v5.53.1 - Fixed EC2 Instance Metadata Service control not sending action notifications

Fri, 10 Apr 2026 09:00:00 GMT

_Bug fixes_ - Fixed `AWS > EC2 > Instance > Metadata Service` control not sending action notifications.

azure-network v5.30.2 - Ingress Rules and Egress Rules Approved controls will no longer delete rules of the opposite direction

Thu, 09 Apr 2026 09:00:00 GMT

_Bug fixes_ - The `Azure > Network > Network Security Group > Ingress Rules > Approved` and `Azure > Network > Network Security Group > Egress Rules > Approved` controls, when set to `Enforce: Delete unapproved`, would inadvertently delete all security rules of the opposite direction (e.g., enforcing ingress rules would delete all egress rules). This has now been fixed and the controls will only revoke unapproved rules of their respective direction without affecting rules of the opposite direction.

Turbot Guardrails Enterprise Foundation (TEF) v1.70.0 - Node.js 24 Lambda runtime support

Mon, 06 Apr 2026 09:00:00 GMT

_What's new?_ - Added support for Node.js 24 in the Lambda runtime environment.

Turbot Guardrails Enterprise (TE) v5.58.0 - New UI, SIEM integrations, policy simulators, and AI chat

Mon, 06 Apr 2026 09:00:00 GMT

_What's new?_ This release delivers a comprehensive new user interface alongside SIEM integrations, cloud policy simulators, and an AI chat assistant. The server runtime has been upgraded to Node.js 24 LTS with a full migration from AWS SDK v2 to v3. Key capabilities include: - **New UI** built on React 19 with redesigned Dashboard, Prevention Explorer, connection wizards for all supported cloud providers, and a developer palette for contextual debugging. - **SIEM integrations** for CloudTrail Lake and Splunk, enabling security event querying and denial event analysis directly from Guardrails. - **Policy simulators** for AWS SCP, Azure Policy, and GCP Org Policy to test and validate policy impact before enforcement. - **AI Chat** assistant (Turbie) with contextual help on controls, policies, and alarms. - **OCI support** expanded with cloud hierarchy viewer, compartment management, and improved discovery. - **Platform upgrades** including Node.js 24 LTS, AWS SDK v3 migration, and updated dependencies. _Requirements_ - Upgrade to `5.58.0` requires your workspace to be on `5.55.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.70.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.57.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

oci v5.0.3 - Fixed missing icons for OCI and tenancy resource types

Thu, 02 Apr 2026 09:00:00 GMT

_Bug fixes_ - Fixed missing icons for OCI and tenancy resource types.

azure-network v5.30.1 - Ingress Rules and Egress Rules Approved controls will no longer fail on large NSGs

Thu, 02 Apr 2026 09:00:00 GMT

_Bug fixes_ - Fixed an issue where the `Azure > Network > Network Security Group > Ingress Rules > Approved` and `Egress Rules > Approved` controls would fail with an internal error on large NSGs with 60+ security rules, wide port ranges (e.g., 49152-65535), and many CIDR addresses. - Intelligent Assessment controls will now also work with AWS Bedrock and Azure OpenAI credentials.

gcp v5.35.2 - Organization CMDB control now respects Discovery Level policy settings

Wed, 01 Apr 2026 09:00:00 GMT

_Bug fixes_ - The `GCP > Organization > CMDB` control now respects the settings defined in the `GCP > Organization > Discovery Level` policy. This feature requires Turbot Guardrails Enterprise (TE) version 5.56.0 or later. - Intelligent Assessment controls will now also work with AWS Bedrock and Azure OpenAI credentials.

azure-virtualdesktop v5.2.0 - Configure public network access for workspaces and host pools

Mon, 30 Mar 2026 09:00:00 GMT

_What's new?_ - You can now configure public network access for the workspaces. To get started, set the `Azure > Virtual Desktop > Workspace > Public Network Access` policy. - You can now configure public network access for the host pools. To get started, set the `Azure > Virtual Desktop > Host Pool > Public Network Access` policy. _Control Types_ - Azure > Virtual Desktop > Host Pool > Public Network Access - Azure > Virtual Desktop > Workspace > Public Network Access _Policy Types_ - Azure > Virtual Desktop > Host Pool > Public Network Access - Azure > Virtual Desktop > Workspace > Public Network Access _Action Types_ - Azure > Virtual Desktop > Host Pool > Set Public Network Access - Azure > Virtual Desktop > Workspace > Set Public Network Access

azure v5.39.1 - Fixed Intelligent Assessment controls to use updated policy URIs

Mon, 30 Mar 2026 09:00:00 GMT

_Bug fixes_ - Fixed Intelligent Assessment controls to use updated policy URIs.

azure-redis v5.3.0 - Configure firewall rules for redis cache

Mon, 30 Mar 2026 09:00:00 GMT

_What's new?_ - You can now configure firewall rules for redis cache. To get started, set the `Azure > Redis > Redis Cache > Firewall > *` policies. _Control Types_ - Azure > Redis > Redis Cache > Firewall - Azure > Redis > Redis Cache > Firewall > IP Ranges - Azure > Redis > Redis Cache > Firewall > IP Ranges > Approved - Azure > Redis > Redis Cache > Firewall > IP Ranges > Required _Policy Types_ - Azure > Redis > Redis Cache > Firewall - Azure > Redis > Redis Cache > Firewall > IP Ranges - Azure > Redis > Redis Cache > Firewall > IP Ranges > Approved - Azure > Redis > Redis Cache > Firewall > IP Ranges > Approved > Compiled Rules - Azure > Redis > Redis Cache > Firewall > IP Ranges > Approved > IP Addresses - Azure > Redis > Redis Cache > Firewall > IP Ranges > Approved > Rules - Azure > Redis > Redis Cache > Firewall > IP Ranges > Required - Azure > Redis > Redis Cache > Firewall > IP Ranges > Required > Items _Action Types_ - Azure > Redis > Redis Cache > Update Firewall - Azure > Redis > Redis Cache > Update Firewall IP Ranges

azure-prevention v5.1.0 - Added prevention examples and removed deprecated objectives

Mon, 30 Mar 2026 09:00:00 GMT

_What's new?_ - Added 7 new prevention examples covering Azure Defender, soft delete, NSG requirements, customer-managed keys, and location restrictions. Removed 16 deprecated prevention objectives and examples related to activity log alerts, Defender notifications, key rotation, resource logging, and soft delete. _Prevention Objectives_ _Removed_ - Enforce activity log alert for Azure NSG changes - Enforce activity log alert for Azure NSG deletion - Enforce activity log alert for Azure Policy assignment creation - Enforce activity log alert for Azure Policy assignment deletion - Enforce activity log alert for Azure SQL firewall rule changes - Enforce activity log alert for Azure SQL firewall rule deletion - Enforce activity log alert for Azure Service Health - Enforce activity log alert for Azure public IP changes - Enforce activity log alert for Azure public IP deletion - Enforce activity log alert for Azure security solution changes - Enforce activity log alert for Azure security solution deletion - Enforce alert severity notifications for Azure Defender - Enforce automatic key rotation for Azure Key Vault - Enforce resource logging for Azure services - Enforce security alert notifications for Azure subscription owners - Require security contact email for Azure Defender _Prevention Examples_ - Enforce Defender for Azure APIs - Enforce soft delete for Azure Storage blobs - Enforce soft delete for Azure Storage containers - Require NSG for Azure Network subnets - Require customer-managed keys for Azure Databricks DBFS root - Require customer-managed keys for Azure Databricks managed services - Restrict Azure resources to allowed locations _Removed_ - Enforce activity log alert for Azure NSG changes - Enforce activity log alert for Azure NSG deletion - Enforce activity log alert for Azure SQL firewall rule changes - Enforce activity log alert for Azure SQL firewall rule deletion - Enforce activity log alert for Azure Service Health - Enforce activity log alert for Azure policy assignment creation - Enforce activity log alert for Azure policy assignment deletion - Enforce activity log alert for Azure public IP changes - Enforce activity log alert for Azure public IP deletion - Enforce activity log alert for Azure security solution changes - Enforce activity log alert for Azure security solution deletion - Enforce alert severity notifications for Azure Defender - Enforce automatic key rotation for Azure Key Vault - Enforce resource logging for Azure services - Enforce security alert notifications for Azure subscription owners - Enforce soft delete for Azure Storage blobs - Enforce soft delete for Azure Storage containers - Require customer-managed keys for Azure Databricks DBFS root - Require customer-managed keys for Azure Databricks managed services - Require security contact email for Azure Defender

github-prevention v5.2.0 - Added supply chain security objectives for release assets and Actions SHA pinning

Fri, 27 Mar 2026 09:00:00 GMT

_What's new?_ - Added 2 new prevention objectives for supply chain security: prohibit modification of published release assets, and require GitHub Actions to use pinned commit references (SHA pinning). _Prevention Objectives_ - Prohibit GitHub published release asset modification - Require pinned commit references for GitHub Actions _Prevention Examples_ - Lock published release assets for GitHub organizations - Require SHA pinning for GitHub Actions in organizations

gcp-prevention v5.1.0 - Added control mappings and Terraform examples for DNS, API key, encryption, logging, and compute objectives

Fri, 27 Mar 2026 09:00:00 GMT

_What's new?_ - Added Turbot Guardrails control mappings and Terraform examples for 8 prevention objectives covering DNS security, API key restrictions, encryption, logging, and compute security. _Prevention Examples_ - Enforce CMEK for GCP Dataproc clusters - Enforce DNSSEC configuration to prohibit RSASHA1 key signing for GCP Cloud DNS managed zones - Enforce DNSSEC configuration to prohibit RSASHA1 zone signing for GCP Cloud DNS managed zones - Enforce KMS key rotation period for GCP crypto keys - Require API restrictions for GCP API keys - Require Confidential Computing for GCP Compute Engine instances - Require host restrictions for GCP API keys - Require logging for GCP Cloud DNS managed zones

azure-sql v5.23.0 - Configure public network access for managed instances

Fri, 27 Mar 2026 09:00:00 GMT

_Bug fixes_ - Fixed Intelligent Assessment controls to use updated policy URIs. _What's new?_ - You can now configure public network access for managed instances. To get started, set the `Azure > SQL > Managed Instance > Public Network Access` policy. _Control Types_ - Azure > SQL > Managed Instance > Public Endpoint _Policy Types_ - Azure > SQL > Managed Instance > Public Endpoint _Action Types_ - Azure > SQL > Managed Instance > Set Public Endpoint

azure-apimanagement v5.10.0 - Track and manage API resources in Guardrails

Fri, 27 Mar 2026 09:00:00 GMT

_What's new?_ - You can now configure protocols for APIs. To get started with these new controls, please see the `Azure > API Management > API > Protocols > *` policies. - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage API management resources in Guardrails. This release includes breaking changes in the CMDB data for services. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below. Added: - `legacyPortalStatus` - `developerPortalStatus` Removed: - `portalUrl` Modified: - The value of the attribute `platformVersion` has been changed from `stv2` to `stv2.1` _Resource Types_ - Azure > API Management > API _Control Types_ - Azure > API Management > API > Active - Azure > API Management > API > Allowed - Azure > API Management > API > Allowed > Custom - Azure > API Management > API > CMDB - Azure > API Management > API > Discovery - Azure > API Management > API > Protocols _Policy Types_ - Azure > API Management > API > Active - Azure > API Management > API > Active > Age - Azure > API Management > API > Active > Last Modified - Azure > API Management > API > Allowed - Azure > API Management > API > Allowed > Custom - Azure > API Management > API > Allowed > Custom > Rules - Azure > API Management > API > CMDB - Azure > API Management > API > Protocols - Azure > API Management > API > Protocols > URL Scheme - Azure > API Management > API > Regions _Action Types_ - Azure > API Management > API > Delete - Azure > API Management > API > Router - Azure > API Management > API > Update API Protocols

aws v5.43.6 - Custom AKAs for Organization resources are now preserved in CMDB

Thu, 26 Mar 2026 09:00:00 GMT

_Bug fixes_ - Custom AKAs added to Organization, Organization Root, and Organizational Unit resources were not preserved in Turbot CMDB because their respective CMDB controls would overwrite them. This is now fixed and all such custom AKAs will now be stored correctly in Turbot CMDB. - Fixed Intelligent Assessment controls to use updated policy URIs.

aws-prevention v5.1.2 - Fixed Control Tower enabled control discovery objective matching

Thu, 26 Mar 2026 09:00:00 GMT

_Bug fixes_ - Control Tower enabled control discovery has been fixed to correctly match objectives via controlGlobalId static mappings — a property name mismatch (`argument` vs `arguments`) caused all matches to silently fail. The `requirePermissionBoundariesForPrivilegedAwsIamRoles` objective now declares `iam:PermissionsBoundary` as a required condition, improving SCP scoring accuracy for negated condition operators. Event data synced for 15 objectives. Unenforced RDS cluster actions and dead `s3:CreateMultipartUpload` action removed from example SCPs.

aws-ec2 v5.53.0 - Added support for 21 new ELB security policies including FIPS and Post-Quantum

Thu, 26 Mar 2026 09:00:00 GMT

_What's new?_ - Updated the `AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed` and `AWS > EC2 > Load Balancer Listener > SSL Policy > Default` policies to include 21 new AWS ELB security policies, covering FIPS, Post-Quantum (PQ), and combined FIPS+PQ categories.

aws-ecr v5.17.0 - Added support for enforcing lifecycle policy rules on ECR repositories

Wed, 25 Mar 2026 09:00:00 GMT

_What's new?_ - Added new `AWS > ECR > Repository > Lifecycle Policy > Required` control that allows customers to enforce lifecycle policy rules on private ECR repositories. _Control Types_ - AWS > ECR > Repository > Lifecycle Policy - AWS > ECR > Repository > Lifecycle Policy > Required _Policy Types_ - AWS > ECR > Repository > Lifecycle Policy - AWS > ECR > Repository > Lifecycle Policy > Required - AWS > ECR > Repository > Lifecycle Policy > Required > Items _Action Types_ - AWS > ECR > Repository > Update Lifecycle Policy

aws-lambda v5.20.0 - CMDB control for function will no longer fail in GovCloud and China partitions

Tue, 24 Mar 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > Lambda > Function > Allowed - AWS > Lambda > Function > Allowed > Custom - AWS > Lambda > Function > Allowed > Region - AWS > Lambda > Function Alias > Allowed - AWS > Lambda > Function Alias > Allowed > Custom - AWS > Lambda > Function Alias > Allowed > Region - AWS > Lambda > Function Version > Allowed - AWS > Lambda > Function Version > Allowed > Custom - AWS > Lambda > Function Version > Allowed > Region - AWS > Lambda > Layer > Allowed - AWS > Lambda > Layer > Allowed > Custom - AWS > Lambda > Layer > Allowed > Region _Policy Types_ - AWS > Lambda > Allowed Regions [Default] - AWS > Lambda > Function > Allowed - AWS > Lambda > Function > Allowed > Custom - AWS > Lambda > Function > Allowed > Custom > Rules - AWS > Lambda > Function > Allowed > Region - AWS > Lambda > Function > Allowed > Region > Regions - AWS > Lambda > Function Alias > Allowed - AWS > Lambda > Function Alias > Allowed > Custom - AWS > Lambda > Function Alias > Allowed > Custom > Rules - AWS > Lambda > Function Alias > Allowed > Region - AWS > Lambda > Function Alias > Allowed > Region > Regions - AWS > Lambda > Function Version > Allowed - AWS > Lambda > Function Version > Allowed > Custom - AWS > Lambda > Function Version > Allowed > Custom > Rules - AWS > Lambda > Function Version > Allowed > Region - AWS > Lambda > Function Version > Allowed > Region > Regions - AWS > Lambda > Layer > Allowed - AWS > Lambda > Layer > Allowed > Custom - AWS > Lambda > Layer > Allowed > Custom > Rules - AWS > Lambda > Layer > Allowed > Region - AWS > Lambda > Layer > Allowed > Region > Regions _Bug fixes_ - Fixed `AWS > Lambda > Function > CMDB` control failing in GovCloud and China partitions. The control now gracefully skips the Function URL configuration lookup in partitions where Lambda Function URLs are not supported. - Intelligent Assessment controls will now also work with AWS Bedrock and Azure OpenAI credentials.

aws-ec2 v5.52.0 - Added support for `Active > Running` policy for EC2 instances

Mon, 23 Mar 2026 09:00:00 GMT

_What's new?_ - Added a new `AWS > EC2 > Instance > Active > Running` policy that checks whether an EC2 instance is in a running state. Available policy values are `Force inactive if not running`, `Force inactive if not running 24 hours`, and `Force inactive if not running for 48 hours`. Additionally, a new `Delete inactive with 2 days warning` enforcement option has been added to the `AWS > EC2 > Instance > Active` policy. _Policy Types_ - AWS > EC2 > Instance > Active > Running

guardrails-prevention v5.1.0 - Refined LLM extraction prompts for improved output quality

Fri, 20 Mar 2026 09:00:00 GMT

_What's new?_ - Refined the LLM extraction prompts to improve output quality. Titles are now shorter and cleaner, capped at 40 characters without resource names or account IDs. A new overview field captures coverage, limitations, exceptions, and threat context in a structured way. The prompt has also been restructured to separate resource context from title generation, improving extraction accuracy.

github v5.7.0 - Organization CMDB now includes workflow permissions and fork PR policies

Fri, 20 Mar 2026 09:00:00 GMT

_What's new?_ - Organization CMDB data will now also include details for default workflow permissions, fork PR contributor approval policy, fork PR workflows for private repositories, and self-hosted runner access policy.

github-prevention v5.1.0 - Added objective to prohibit public repository creation by members

Fri, 20 Mar 2026 09:00:00 GMT

_What's new?_ - Added new objective to prohibit public repository creation by members, and fixed objectives that were missing mappings in their definition to match to their respective preventions correctly. _Prevention Objectives_ - Prohibit GitHub organization public repository creation by members _Prevention Examples_ - Block public repository creation for GitHub organization members - Prohibit public repository creation for GitHub organizations

gcp-prevention v5.0.1 - Fixed incorrect objective matching in prevention discovery controls

Fri, 20 Mar 2026 09:00:00 GMT

_Bug fixes_ - Prevention discovery controls would sometimes match preventions to objectives incorrectly because of incorrect query limit in GraphQL queries. This is now fixed.

aws-prevention v5.1.0 - Improved SCP and RCP objective matching accuracy

Fri, 20 Mar 2026 09:00:00 GMT

_What's new?_ - SCP and RCP objective matching has been redesigned for improved accuracy and consistency. Six multi-statement objectives have been split into single-statement sub-objectives for precise matching. RCP deny examples have been added for 18 objectives and unenforceable SCP examples have been removed. Prevention rules now include an `overview` field. _Prevention Fact Types_ - AWS Condition Scope - AWS Deny Scope _Prevention Objectives_ - Enforce IMDSv2 for AWS EC2 instance launch - Enforce IMDSv2 for running AWS EC2 instances - Prohibit AWS Elastic IP association - Prohibit AWS VPC peering connections - Prohibit AWS cross-region networking services - Prohibit public IP assignment at AWS EC2 instance launch - Safeguard AWS EC2 AMI block public access setting from modification - Safeguard AWS Lambda code signing configuration from modification _Removed_ - Enforce IMDSv2 for AWS EC2 instances - Prohibit AWS EC2 cross-region networking - Prohibit AWS EC2 instance internet access _Prevention Examples_ - Allow approved AWS services - Allow resources in approved AWS regions - Block all public sharing of AWS EBS snapshots - Block inbound and outbound internet connections to your VPCs through an internet gateway (IGW) or egress-only internet gateway (EIGW) - Block public sharing of AWS Machine Images (AMIs) - Deny API actions over insecure transport for AWS S3 - Deny AWS Virtual Private Network (VPN) connections - Deny EC2 instance launch without IAM instance role - Deny IAM user management actions without MFA - Deny access key creation for AWS IAM users - Deny access key operations for AWS IAM root user - Deny actions as a root user - Deny all AWS IAM root user actions - Deny creation of AWS IAM users - Deny creation of access keys for the root user - Deny cross region replication for S3 buckets - Deny deletion of AWS IAM support access role - Deny deletion of AWS VPC flow logs - Deny direct permissions attachment to AWS IAM users - Deny disablement and deletion of AWS KMS keys - Deny disablement of AWS Security Hub configuration - Deny disablement of amazon inspector configuration - Deny full access policy attachment for AWS CloudShell - Deny insecure transport at resource level for AWS S3 - Deny modification of AWS CloudTrail configuration - Deny modification of AWS CloudWatch alarms - Deny modification of AWS Config configuration - Deny modification of AWS DynamoDB table point in time recovery configuration - Deny modification of AWS EBS encryption by default configuration - Deny modification of AWS EBS snapshot block public access configuration - Deny modification of AWS EC2 IMDS default settings - Deny modification of AWS EC2 image block public access configuration - Deny modification of AWS EC2 serial console access configuration - Deny modification of AWS IAM Access Analyzer configuration - Deny modification of AWS IAM role configuration - Deny modification of AWS IAM role trust policy configuration - Deny modification of AWS S3 account public access block configuration - Deny modification of AWS S3 bucket encryption configuration - Deny modification of AWS S3 bucket lifecycle policy configuration - Deny modification of AWS S3 bucket logging configuration - Deny modification of AWS S3 bucket logging configuration - Deny modification of AWS VPC network ACL rules - Deny modification of AWS VPC route tables - Deny modification of AWS VPC security group rules - Deny modification of AWS VPC security group rules - Deny modification of AWS account alternate security contact - Deny modification of AWS account contact information - Deny policy changes to an AWS S3 bucket - Deny public function URLs for AWS Lambda - Deny public resource policies for AWS Lambda functions - Deny publicly accessible creation for AWS RDS DB instances - Deny removal of AWS IAM permission boundaries - Deny removal of AWS IAM root user MFA devices - Deny removal of AWS IAM user MFA devices - Deny replication configuration for AWS S3 buckets - Deny resource creation without security classification tags - Deny resources in unapproved AWS regions - Deny resources in unapproved regions - Deny resources in unapproved regions in landing zone - Deny sharing of public AWS EBS snapshots - Deny single-AZ creation for AWS RDS DB instances - Deny the use of AWS EC2 VM import and export - Deny the use of deprecated AWS EC2 RequestSpotFleet and RequestSpotInstances API actions - Deny unapproved AWS EC2 instance types - Deny unapproved AWS services - Deny unencrypted creation for AWS EBS volumes - Deny unencrypted creation for AWS EFS file systems - Deny unencrypted creation for AWS RDS DB instances - Deny unencrypted listeners for AWS Elastic Load Balancing - Deny versioning changes for AWS S3 buckets - Deny virtual MFA operations for AWS IAM root user - Deny weakening of AWS IAM account password policy - Deny weakening of AWS IAM account password policy - Deny weakening of AWS IAM account password policy - Deny wildcard administrative policy attachment for AWS IAM - Disable AWS EC2 Serial Console access - Disable access to the EC2 serial console for all EC2 instances - Enable AWS EBS Snapshot Block Public Access for account - Enable AWS EBS encryption by default for account - Enable AWS EC2 Image Block Public Access - Enable account-level Block Public Access for AWS S3 - Enable account-level Block Public Access for AWS S3 - Enable account-level Block Public Access for AWS S3 - Enable account-level Block Public Access for AWS S3 - Enforce AWS GuardDuty enablement - Enforce Access Logging for AWS S3 Buckets - Enforce Block Public Access for AWS S3 accounts - Enforce Block Public Access for AWS S3 accounts - Enforce Block Public Access for AWS S3 accounts - Enforce Block Public Access for AWS S3 accounts - Enforce Block Public Access for AWS S3 buckets - Enforce Block Public Access for AWS S3 buckets - Enforce Block Public Access for AWS S3 buckets - Enforce Block Public Access for AWS S3 buckets - Enforce HTTPS-only access for AWS S3 buckets - Enforce IAM instance roles for AWS EC2 instances - Enforce IMDSv2 defaults for AWS EC2 account attributes - Enforce IMDSv2 for AWS EC2 instances - Enforce IMDSv2 for running AWS EC2 instances - Enforce MFA Delete for AWS S3 buckets - Enforce Multi-AZ deployments for AWS RDS DB instances - Enforce approved AMI sources for AWS EC2 instances - Enforce approved accounts for AWS Lambda functions - Enforce approved images for AWS EC2 AMIs - Enforce approved instance types for AWS EC2 instances - Enforce auto minor version upgrade for AWS RDS DB instances - Enforce block public ACLs for AWS S3 buckets - Enforce block public policy for AWS S3 buckets - Enforce deactivation of unused AWS IAM access keys - Enforce default security groups with no rules to restrict all traffic for AWS VPC security groups - Enforce encryption at rest for AWS CloudTrail logs - Enforce encryption at rest for AWS RDS DB instances - Enforce encryption by default for AWS EC2 accounts - Enforce encryption for AWS EFS file systems - Enforce group-based permissions for AWS IAM users - Enforce ignore public ACLs for AWS S3 buckets - Enforce lifecycle policies for AWS S3 buckets - Enforce lifecycle policies for versioned AWS S3 buckets - Enforce minimum password length for AWS IAM password policy - Enforce non-public accessibility for AWS RDS DB instances - Enforce password reuse prevention for AWS IAM password policy - Enforce removal of AWS IAM AWSCloudShellFullAccess policy - Enforce removal of AWS IAM users - Enforce removal of AdministratorAccess policy for AWS IAM - Enforce removal of expired AWS IAM server certificates - Enforce removal of login profiles for AWS IAM users - Enforce restrict public buckets for AWS S3 buckets - Enforce rotation of AWS IAM access keys every 90 days - Enforce secure Network ACL configurations denying public access to admin ports for AWS VPC Network ACLs - Enforce secure security group configurations denying public access to admin ports for AWS VPC security groups - Enforce single active access key per AWS IAM user - Enforce versioning for AWS S3 buckets - Enforce versioning for AWS S3 buckets - Prevent IAM policies with wildcard actions via Guard - Prevent IAM policies with wildcard actions via Lambda - Prevent IAM policies with wildcard actions via proactive control - Prevent S3 buckets without versioning via Guard - Prevent S3 buckets without versioning via Lambda - Prevent S3 buckets without versioning via proactive control - Prevent creation of AWS EC2 instances with IMDSv1 via Guard - Prevent creation of AWS EC2 instances with IMDSv1 via Lambda - Prevent public S3 bucket creation via Guard - Prevent public S3 bucket creation via Guard - Prevent public S3 bucket creation via Guard - Prevent public S3 bucket creation via Guard - Prohibit AWS EBS direct API calls - Prohibit AWS EBS snapshot public restore - Prohibit AWS EBS snapshot public sharing - Prohibit AWS EC2 VM import and export - Prohibit AWS EC2 deprecated Spot instance APIs - Prohibit AWS Elastic IP association - Prohibit AWS VPC VPN connections - Prohibit AWS VPC internet connections - Prohibit AWS VPC peering connections - Prohibit AWS cross-region networking services - Prohibit IAM Customer Managed Policies with Wildcard Service Actions - Prohibit IAM Inline Policies with Administrative Wildcard Permissions - Prohibit IAM Managed Policies with Administrative Wildcard Permissions - Prohibit Public AWS ECR Repositories - Prohibit public IP assignment at AWS EC2 instance launch - Prohibit public internet access to AWS VPC resources - Require AWS CloudHSM key origin for AWS KMS keys - Require AWS CloudHSM key origin for AWS KMS keys - Require AWS IAM privileged role permission boundaries - Require AWS KMS grants only for AWS services - Require AWS KMS grants only for AWS services - Require Block Public Access for S3 Buckets - Require Block Public Access for S3 Buckets - Require Block Public Access for S3 Buckets - Require Block Public Access for S3 Buckets - Require Encryption for EBS Volumes - Require Encryption for Launch Template EBS Volumes - Require IMDSv2 for AWS EC2 instance launch - Require KMS encryption for AWS S3 buckets - Require MFA for AWS IAM root user actions - Require MFA for AWS S3 bucket versioning configuration changes - Require MFA for AWS SSM Session Manager - Require MFA for delete actions on S3 buckets - Require RSA key length greater than 2048 bits for AWS KMS asymmetric keys - Require RSA key length greater than 2048 bits for AWS KMS asymmetric keys - Require Server Side Encryption for S3 Buckets - Require VPC endpoints for AWS DynamoDB access - Require all object uploads to AWS S3 buckets to use server-side encryption with an AWS KMS key (SSE-KMS) - Require an AWS EBS snapshot to be created from an encrypted EC2 volume - Require approved AWS Marketplace subscriptions - Require approved sources for AWS ECR container registry - Require approved sources for AWS Lambda layers - Require attribute-based access control for AWS IAM sensitive data access - Require bypass policy lockout safety check for AWS KMS keys - Require bypass policy lockout safety check for AWS KMS keys - Require code signing for AWS Lambda functions - Require encryption at rest for AWS EBS snapshots - Require external key store key origin for AWS KMS keys - Require external key store key origin for AWS KMS keys - Require imported key material for AWS KMS keys - Require imported key material for AWS KMS keys - Require organization-only access for AWS KMS resources - Require organization-only access for AWS KMS resources - Require that AWS EBS direct APIs are not called - Require that an AWS EBS snapshot cannot be publicly restorable - Require that an attached AWS EBS volume is configured to encrypt data at rest - Safeguard AWS EC2 AMI block public access setting from modification - Safeguard AWS Lambda code signing configuration from modification - Safeguard AWS S3 bucket encryption configuration from modification - Safeguard AWS S3 bucket policies from modification - Set IMDSv2 defaults for AWS EC2 instances - Set comprehensive password policy for AWS IAM - Set minimum password length for AWS IAM password policy - Set password reuse prevention for AWS IAM password policy _Removed_ - Allow approved AWS services - Allow resources in approved AWS regions - Block all public sharing of AWS EBS snapshots - Block inbound and outbound internet connections to your VPCs through an internet gateway (IGW) or egress-only internet gateway (EIGW) - Block public sharing of AWS Machine Images (AMIs) - Deny API actions over insecure transport for AWS S3 - Deny AWS Virtual Private Network (VPN) connections - Deny EC2 instance launch without IAM instance role - Deny access key creation for AWS IAM users - Deny access key operations for AWS IAM root user - Deny actions as a root user - Deny all AWS IAM root user actions - Deny creation of AWS IAM users - Deny creation of access keys for the root user - Deny credential updates for AWS IAM users - Deny cross region replication for S3 buckets - Deny cross-region networking for AWS EC2, AWS CloudFront, and AWS Global Accelerator - Deny deletion of AWS IAM support access role - Deny deletion of AWS VPC flow logs - Deny direct permissions attachment to AWS IAM users - Deny disablement and deletion of AWS KMS keys - Deny disablement of AWS GuardDuty configuration - Deny disablement of AWS Security Hub configuration - Deny disablement of amazon inspector configuration - Deny full access policy attachment for AWS CloudShell - Deny insecure transport at resource level for AWS S3 - Deny internet access for an AWS VPC instance managed by a customer - Deny modification of AWS CloudTrail configuration - Deny modification of AWS CloudWatch alarms - Deny modification of AWS Config configuration - Deny modification of AWS DynamoDB table point in time recovery configuration - Deny modification of AWS EBS encryption by default configuration - Deny modification of AWS EBS snapshot block public access configuration - Deny modification of AWS EC2 IMDS default settings - Deny modification of AWS EC2 image block public access configuration - Deny modification of AWS EC2 instance IMDSv2 configuration - Deny modification of AWS EC2 serial console access configuration - Deny modification of AWS IAM Access Analyzer configuration - Deny modification of AWS IAM role configuration - Deny modification of AWS IAM role trust policy configuration - Deny modification of AWS S3 account public access block configuration - Deny modification of AWS S3 account public access block configuration - Deny modification of AWS S3 bucket encryption configuration - Deny modification of AWS S3 bucket lifecycle policy configuration - Deny modification of AWS S3 bucket logging configuration - Deny modification of AWS S3 bucket logging configuration - Deny modification of AWS S3 bucket object lock configuration - Deny modification of AWS VPC network ACL rules - Deny modification of AWS VPC route tables - Deny modification of AWS VPC security group rules - Deny modification of AWS account alternate security contact - Deny modification of AWS account contact information - Deny password operations for AWS IAM users - Deny policy changes to an AWS S3 bucket - Deny public function URLs for AWS Lambda - Deny public repository creation for AWS ECR - Deny public resource policies for AWS Lambda functions - Deny publicly accessible creation for AWS RDS DB instances - Deny removal of AWS IAM permission boundaries - Deny removal of AWS IAM root user MFA devices - Deny removal of AWS IAM user MFA devices - Deny replication configuration for AWS S3 buckets - Deny resource creation without security classification tags - Deny resources in unapproved AWS regions - Deny resources in unapproved regions - Deny resources in unapproved regions in landing zone - Deny sharing of public AWS EBS snapshots - Deny single-AZ creation for AWS RDS DB instances - Deny the use of AWS EC2 VM import and export - Deny the use of deprecated AWS EC2 RequestSpotFleet and RequestSpotInstances API actions - Deny unapproved AWS EC2 instance types - Deny unapproved AWS services - Deny unencrypted creation for AWS EBS volumes - Deny unencrypted creation for AWS EFS file systems - Deny unencrypted creation for AWS RDS DB instances - Deny unencrypted listeners for AWS Elastic Load Balancing - Deny versioning changes for AWS S3 buckets - Deny virtual MFA operations for AWS IAM root user - Deny weakening of AWS IAM account password policy - Deny wildcard administrative policy attachment for AWS IAM - Disable AWS EC2 Serial Console access - Disable access to the EC2 serial console for all EC2 instances - Enable AWS EBS Snapshot Block Public Access for account - Enable AWS EBS encryption by default for account - Enable AWS EC2 Image Block Public Access - Enable account-level Block Public Access for AWS S3 - Enforce Access Logging for AWS S3 Buckets - Enforce Block Public Access for AWS S3 accounts - Enforce Block Public Access for AWS S3 buckets - Enforce HTTPS-only access for AWS S3 buckets - Enforce IAM instance roles for AWS EC2 instances - Enforce IMDSv2 defaults for AWS EC2 account attributes - Enforce IMDSv2 for AWS EC2 instances - Enforce Multi-AZ deployments for AWS RDS DB instances - Enforce approved AMI sources for AWS EC2 instances - Enforce approved accounts for AWS Lambda functions - Enforce approved images for AWS EC2 AMIs - Enforce approved instance types for AWS EC2 instances - Enforce auto minor version upgrade for AWS RDS DB instances - Enforce deactivation of unused AWS IAM access keys - Enforce default security groups with no rules to restrict all traffic for AWS VPC security groups - Enforce encryption at rest for AWS CloudTrail logs - Enforce encryption at rest for AWS RDS DB instances - Enforce encryption by default for AWS EC2 accounts - Enforce encryption for AWS EFS file systems - Enforce group-based permissions for AWS IAM users - Enforce lifecycle policies for AWS S3 buckets - Enforce lifecycle policies for versioned AWS S3 buckets - Enforce minimum password length for AWS IAM password policy - Enforce non-public accessibility for AWS RDS DB instances - Enforce password reuse prevention for AWS IAM password policy - Enforce removal of AWS IAM AWSCloudShellFullAccess policy - Enforce removal of AWS IAM users - Enforce removal of AdministratorAccess policy for AWS IAM - Enforce removal of expired AWS IAM server certificates - Enforce removal of login profiles for AWS IAM users - Enforce rotation of AWS IAM access keys every 90 days - Enforce secure Network ACL configurations denying public access to admin ports for AWS VPC Network ACLs - Enforce secure security group configurations denying public access to admin ports for AWS VPC security groups - Enforce single active access key per AWS IAM user - Enforce versioning for AWS S3 buckets - Prevent IAM policies with wildcard actions via Guard - Prevent IAM policies with wildcard actions via Lambda - Prevent IAM policies with wildcard actions via proactive control - Prevent S3 buckets without versioning via Guard - Prevent S3 buckets without versioning via Lambda - Prevent S3 buckets without versioning via proactive control - Prevent creation of AWS EC2 instances with IMDSv1 via Guard - Prevent creation of AWS EC2 instances with IMDSv1 via Lambda - Prevent public S3 bucket creation via Guard - Prohibit IAM Customer Managed Policies with Wildcard Service Actions - Prohibit IAM Inline Policies with Administrative Wildcard Permissions - Prohibit IAM Managed Policies with Administrative Wildcard Permissions - Require AWS CloudHSM key origin for AWS KMS keys - Require AWS IAM privileged role permission boundaries - Require AWS KMS grants only for AWS services - Require Block Public Access for S3 Buckets - Require Encryption for EBS Volumes - Require Encryption for Launch Template EBS Volumes - Require IMDSv2 for AWS EC2 instances - Require MFA for AWS IAM root user actions - Require MFA for AWS IAM user actions - Require MFA for AWS S3 bucket versioning configuration changes - Require MFA for AWS SSM Session Manager - Require MFA for delete actions on S3 buckets - Require RSA key length greater than 2048 bits for AWS KMS asymmetric keys - Require Server Side Encryption for S3 Buckets - Require VPC endpoints for AWS DynamoDB access - Require VPC endpoints for AWS S3 access - Require all object uploads to AWS S3 buckets to use server-side encryption with an AWS KMS key (SSE-KMS) - Require an AWS EBS snapshot to be created from an encrypted EC2 volume - Require approved AMI sources for AWS EC2 instances - Require approved AWS Marketplace subscriptions - Require approved sources for AWS ECR container registry - Require approved sources for AWS Lambda layers - Require attribute-based access control for AWS IAM sensitive data access - Require bypass policy lockout safety check for AWS KMS keys - Require code signing for AWS Lambda functions - Require external key store key origin for AWS KMS keys - Require imported key material for AWS KMS keys - Require organization accounts for AWS STS assume role - Require organization-only access for AWS KMS resources - Require that AWS EBS direct APIs are not called - Require that an AWS EBS snapshot cannot be publicly restorable - Require that an attached AWS EBS volume is configured to encrypt data at rest - Set IMDSv2 defaults for AWS EC2 instances - Set comprehensive password policy for AWS IAM - Set minimum password length for AWS IAM password policy - Set password reuse prevention for AWS IAM password policy

oci v5.0.2 - OCI credentials are now redacted in control logs

Thu, 19 Mar 2026 09:00:00 GMT

_Bug fixes_ - Fixed OCI credentials being visible in control logs. Credential fields are now automatically redacted and will appear as `` in process logs. - OCI tenancy and compartment resources will now have the `cloudParentId` set correctly.

oci-storage v5.1.0 - Manage bucket public access and versioning

Thu, 19 Mar 2026 09:00:00 GMT

_Bug fixes_ - Fixed OCI credentials being visible in control logs. Credential fields are now automatically redacted and will appear as `` in process logs. _Control Types_ - OCI > Storage > Bucket > Public Access - OCI > Storage > Bucket > Versioning _Policy Types_ - OCI > Storage > Bucket > Public Access - OCI > Storage > Bucket > Versioning _Action Types_ - OCI > Storage > Bucket > Disable Versioning - OCI > Storage > Bucket > Enable Versioning - OCI > Storage > Bucket > Set Private - OCI > Storage > Bucket > Set Public - Object Read - OCI > Storage > Bucket > Set Public - Object Read Without List - OCI > Storage > Bucket > Set Public Access

OCI mods updated with credential redaction

Thu, 19 Mar 2026 09:00:00 GMT

_Bug fixes_ - The following OCI mods have been updated to redact credentials in control logs. Credential fields will now automatically appear as `` in process logs. - oci-networking `v5.0.1` - oci-compute `v5.0.1` - oci-iam `v5.0.1`

gcp v5.35.1 - Project CMDB control now handles rate limiting and transient errors gracefully

Thu, 19 Mar 2026 09:00:00 GMT

_Bug fixes_ - The `GCP > Project > CMDB` control would sometimes enter an error state due to rate limiting or transient errors. It now properly handles such errors.

azure-prevention v5.0.0 is now available

Thu, 19 Mar 2026 09:00:00 GMT

_What's new?_ _Control Types_ - Azure > Access Review Schedule Definition > Prevention - Azure > Access Review Schedule Definition > Prevention > Discovery - Azure > Authorization Policy > Prevention - Azure > Authorization Policy > Prevention > Discovery - Azure > Conditional Access Policy > Prevention - Azure > Conditional Access Policy > Prevention > Discovery - Azure > Device Registration Policy > Prevention - Azure > Device Registration Policy > Prevention > Discovery - Azure > Group Setting > Prevention - Azure > Group Setting > Prevention > Discovery - Azure > Identity Security Defaults Enforcement Policy > Prevention - Azure > Identity Security Defaults Enforcement Policy > Prevention > Discovery - Azure > Policy Assignment > Built-in Policy Prevention - Azure > Policy Assignment > Built-in Policy Prevention > Discovery - Azure > Policy Assignment > Custom Policy Prevention - Azure > Policy Assignment > Custom Policy Prevention > Discovery - Azure > Subscription > Prevention - Azure > Subscription > Prevention > Discovery - Azure > Subscription Policy > Prevention - Azure > Subscription Policy > Prevention > Discovery - Azure > Tenant > Prevention - Azure > Tenant > Prevention > Discovery _Prevention Types_ - Azure Built-In Policy - Azure Custom Policy - Azure Databricks Cluster Policy - Azure Resource Provider Registration - Azure Subscription Policy - Entra ID Access Review - Entra ID Authentication Methods Policy - Entra ID Authorization Policy - Entra ID Conditional Access Policy - Entra ID Device Registration Policy - Entra ID Group Setting - Entra ID Security Defaults Policy _Prevention Benchmarks_ - Azure CIS v5.0.0 - Azure P1 Preventions

aws-iam v5.48.0 - Tag Guardrails-managed IAM policies

Thu, 19 Mar 2026 09:00:00 GMT

_What's new?_ - Added `AWS > Turbot > Permissions > Policy > Tags` policy to support tagging Guardrails-managed IAM policies. Tags defined in this policy are applied to all IAM policies created by the Guardrails IAM stack. _Policy Types_ - AWS > Turbot > Permissions > Policy > Tags

Azure mods updated with Event Grid support for real-time event handling

Thu, 19 Mar 2026 09:00:00 GMT

_What's new?_ - The following Azure mods have been updated with support for Azure Event Grid–based event handlers to enable real-time event processing. Each mod now includes custom event patterns for its resource types, allowing the `Azure > Turbot > Event Handlers [Event Grid]` control to automatically generate the correct event subscriptions. To get started, set the `Azure > Turbot > Event Handlers [Event Grid]` policy to `Enforce: Configured`. - azure-aks `v5.12.0` - azure-alertsmanagement `v5.1.0` - azure-apimanagement `v5.9.0` - azure-applicationgateway `v5.12.0` - azure-applicationinsights `v5.13.0` - azure-appservice `v5.18.0` - azure-automation `v5.6.0` - azure-botservice `v5.1.0` - azure-cognitiveservices `v5.1.0` - azure-compute `v5.28.0` - azure-containerregistry `v5.8.0` - azure-cosmosdb `v5.14.0` - azure-databricks `v5.9.0` - azure-datafactory `v5.12.0` - azure-dns `v5.13.0` - azure-firewall `v5.12.0` - azure-iam `v5.17.0` - azure-keyvault `v5.21.0` - azure-loadbalancer `v5.12.0` - azure-loganalytics `v5.14.0` - azure-managedidentity `v5.6.0` - azure-monitor `v5.14.0` - azure-mysql `v5.20.0` - azure-network `v5.30.0` - azure-networkwatcher `v5.16.0` - azure-postgresql `v5.22.0` - azure-provider `v5.23.0` - azure-recoveryservice `v5.11.0` - azure-redis `v5.2.0` - azure-relay `v5.7.0` - azure-searchmanagement `v5.13.0` - azure-securitycenter `v5.10.0` - azure-servicebus `v5.7.0` - azure-signalr `v5.7.0` - azure-sql `v5.22.0` - azure-sqlvirtualmachine `v5.5.0` - azure-storage `v5.32.0` - azure-synapseanalytics `v5.15.0` - azure-virtualdesktop `v5.1.0` _Note_ This feature requires `@turbot/azure` v5.36.0 or later and TE v5.55.6 or later. Event Grid support is currently available only in Azure Commercial Cloud (not Gov Cloud).

gcp v5.35.0 - Track and manage organization policy and organization policy constraint resources

Wed, 18 Mar 2026 09:00:00 GMT

_Resource Types_ - GCP > Organization Policy - GCP > Organization Policy Constraint _Control Types_ - GCP > Organization Policy > CMDB - GCP > Organization Policy > Discovery - GCP > Organization Policy Constraint > CMDB - GCP > Organization Policy Constraint > Discovery _Policy Types_ - GCP > Organization Policy > CMDB - GCP > Organization Policy Constraint > CMDB _Action Types_ - GCP > Organization Policy > Router - GCP > Organization Policy Constraint > Router

gcp-prevention v5.0.0 is now available

Wed, 18 Mar 2026 09:00:00 GMT

_What's new?_ _Control Types_ - GCP > Organization Policy > Custom Policy Prevention - GCP > Organization Policy > Custom Policy Prevention > Discovery - GCP > Organization Policy > Predefined Policy Prevention - GCP > Organization Policy > Predefined Policy Prevention > Discovery - GCP > Organization Policy Constraint > Prevention - GCP > Organization Policy Constraint > Prevention > Discovery - GCP > Project > API Enabled Prevention - GCP > Project > API Enabled Prevention > Discovery _Prevention Types_ - GCP API State - GCP Custom Organization Policy - GCP Default Enforced Constraint - GCP Predefined Organization Policy _Prevention Benchmarks_ - GCP CIS v4.0.0 - GCP P1 Preventions

github v5.6.1 - Organization and repository resources now have the correct cloudParentId

Tue, 17 Mar 2026 09:00:00 GMT

_Bug fixes_ - GitHub organization and repository resources will now have the `cloudParentId` set correctly.

github v5.6.0 - Track and manage branch and ruleset resources in Guardrails

Tue, 17 Mar 2026 09:00:00 GMT

_What's new?_ _Resource Types_ - GitHub > Branch - GitHub > Ruleset _Control Types_ - GitHub > Branch > CMDB - GitHub > Branch > Discovery - GitHub > Ruleset > CMDB - GitHub > Ruleset > Discovery _Policy Types_ - GitHub > Branch > CMDB - GitHub > Ruleset > CMDB _Action Types_ - GitHub > Branch > Router - GitHub > Ruleset > Router

github-prevention v5.0.0 is now available

Tue, 17 Mar 2026 09:00:00 GMT

_What's new?_ _Control Types_ - GitHub > Branch > Protection Prevention - GitHub > Branch > Protection Prevention > Discovery - GitHub > Organization > Setting Prevention - GitHub > Organization > Setting Prevention > Discovery - GitHub > Repository > Setting Prevention - GitHub > Repository > Setting Prevention > Discovery - GitHub > Ruleset > Ruleset Prevention - GitHub > Ruleset > Ruleset Prevention > Discovery _Prevention Types_ - GitHub Actions Permission - GitHub Branch Protection - GitHub Branch Ruleset - GitHub Organization Setting - GitHub Repository Setting - GitHub Tag Ruleset _Prevention Benchmarks_ - GitHub CIS v1.1.0 - GitHub P1 Preventions

aws v5.43.5 - Account resource AKAs in CMDB will now be set more reliably

Tue, 17 Mar 2026 09:00:00 GMT

_Bug fixes_ - The AKAs for account resources in CMDB will now be set more reliably by the `AWS > Account > Discovery` control.

aws-bedrock v5.5.0 - Add Bedrock-specific region exceptions for cross-region inference

Mon, 16 Mar 2026 09:00:00 GMT

_What's new?_ - Added `AWS > Bedrock > Permissions > Lockdown > Regions` policy to allow Bedrock-specific region exceptions for cross-region inference. When configured, Bedrock API calls are allowed in both the global lockdown regions and the additional Bedrock-specific regions. _Policy Types_ - AWS > Bedrock > Permissions > Lockdown > Regions - AWS > Turbot > Permissions > Compiled > Lockdown Statements > @turbot/aws-bedrock

azure v5.39.0 - Subscription CMDB data now includes registered resource providers

Fri, 13 Mar 2026 09:00:00 GMT

_What's new?_ - Subscription CMDB data now also includes details of the registered resource providers.

azure v5.38.0 - Added support for Azure Policy resource types and Management Group Activity Log Poller

Thu, 12 Mar 2026 09:00:00 GMT

_Resource Types_ - Azure > Policy Assignment - Azure > Policy Definition - Azure > Policy Set Definition - Azure > Subscription Policy _Control Types_ - Azure > Policy Assignment > Active - Azure > Policy Assignment > CMDB - Azure > Policy Assignment > Discovery - Azure > Policy Definition > Active - Azure > Policy Definition > CMDB - Azure > Policy Definition > Discovery - Azure > Policy Set Definition > CMDB - Azure > Policy Set Definition > Discovery - Azure > Subscription Policy > CMDB - Azure > Subscription Policy > Discovery - Azure > Turbot > Management Group Activity Log Poller _Policy Types_ - Azure > Policy Assignment > Active - Azure > Policy Assignment > Active > Age - Azure > Policy Assignment > Active > Last Modified - Azure > Policy Assignment > CMDB - Azure > Policy Definition > Active - Azure > Policy Definition > Active > Age - Azure > Policy Definition > Active > Last Modified - Azure > Policy Definition > CMDB - Azure > Policy Set Definition > CMDB - Azure > Subscription Policy > CMDB - Azure > Turbot > Management Group Activity Log Poller - Azure > Turbot > Management Group Activity Log Poller > Excluded Events - Azure > Turbot > Management Group Activity Log Poller > Interval - Azure > Turbot > Management Group Activity Log Poller > Window _Action Types_ - Azure > Management Group > Management Group Activity Log Poller - Azure > Management Group > Management Group Event Handler - Azure > Policy Assignment > Delete - Azure > Policy Assignment > Router - Azure > Policy Definition > Delete - Azure > Policy Definition > Router - Azure > Policy Set Definition > Delete - Azure > Policy Set Definition > Router - Azure > Subscription Policy > Router

azure v5.37.0 - Added support for tenant-level identity and access resources

Tue, 10 Mar 2026 09:00:00 GMT

_Resource Types_ - Azure > Access Review Schedule Definition - Azure > Authentication Methods Policy - Azure > Authorization Policy - Azure > Conditional Access Policy - Azure > Device Registration Policy - Azure > Group Setting - Azure > Identity Security Defaults Enforcement Policy _Control Types_ - Azure > Access Review Schedule Definition > CMDB - Azure > Access Review Schedule Definition > Discovery - Azure > Authentication Methods Policy > CMDB - Azure > Authentication Methods Policy > Discovery - Azure > Authorization Policy > CMDB - Azure > Authorization Policy > Discovery - Azure > Conditional Access Policy > CMDB - Azure > Conditional Access Policy > Discovery - Azure > Device Registration Policy > CMDB - Azure > Device Registration Policy > Discovery - Azure > Group Setting > CMDB - Azure > Group Setting > Discovery - Azure > Identity Security Defaults Enforcement Policy > CMDB - Azure > Identity Security Defaults Enforcement Policy > Discovery - Azure > Turbot > Tenant Event Poller _Policy Types_ - Azure > Access Review Schedule Definition > CMDB - Azure > Authentication Methods Policy > CMDB - Azure > Authorization Policy > CMDB - Azure > Conditional Access Policy > CMDB - Azure > Device Registration Policy > CMDB - Azure > Group Setting > CMDB - Azure > Identity Security Defaults Enforcement Policy > CMDB - Azure > Turbot > Tenant Event Poller - Azure > Turbot > Tenant Event Poller > Excluded Events - Azure > Turbot > Tenant Event Poller > Interval - Azure > Turbot > Tenant Event Poller > Window _Action Types_ - Azure > Access Review Schedule Definition > Delete - Azure > Access Review Schedule Definition > Router - Azure > Authentication Methods Policy > Router - Azure > Authorization Policy > Router - Azure > Conditional Access Policy > Delete - Azure > Device Registration Policy > Router - Azure > Group Setting > Delete - Azure > Group Setting > Router - Azure > Identity Security Defaults Enforcement Policy > Router - Azure > Tenant > Event Poller - Azure > Tenant > Tenant Event Handler

aws-vpc-security v5.16.2 - Fixed Security Group Rule CMDB control failing with duplicate AKA constraint violation

Tue, 10 Mar 2026 09:00:00 GMT

_Bug fixes_ - Fixed an issue where the `AWS > VPC > Security Group Rule > CMDB` control could fail with a duplicate AKA constraint violation when security group rules were rapidly deleted and recreated. Security group rules now use the `SecurityGroupRuleId`-based AKA, which is always available and guaranteed to be unique by AWS.

gcp-iam v5.23.1 - Fixed Service Account CMDB control not refreshing on IAM role binding changes

Fri, 06 Mar 2026 09:00:00 GMT

_Bug fixes_ - The `GCP > IAM > Service Account > CMDB` control did not refresh when project-level IAM role bindings changed in GCP. This caused downstream controls to evaluate stale data. This has now been fixed. - The `GCP > IAM > Service Account > Project Role Bindings > Approved` control failed with 409 Conflict errors when multiple service accounts in the same project had unapproved roles. This has now been fixed.

azure v5.36.0 - Real-time event handling via Azure Event Grid

Tue, 03 Mar 2026 09:00:00 GMT

_What's new?_ - Added `Azure > Turbot > Event Handlers [Event Grid]` control for real-time event handling using Azure Event Grid as an alternative to Activity Log Alerts. Supports flexible System Topic management and custom event pattern generation for enabled resource types. To get started, set the `Azure > Turbot > Event Handlers [Event Grid]` policy to `Enforce: Configured`. _Control Types_ - Azure > Turbot > Event Handlers [Event Grid] _Policy Types_ - Azure > Turbot > Event Handlers [Event Grid] - Azure > Turbot > Event Handlers [Event Grid] > Custom Event Patterns - Azure > Turbot > Event Handlers [Event Grid] > Custom Event Patterns > @turbot/azure - Azure > Turbot > Event Handlers [Event Grid] > Event Subscription - Azure > Turbot > Event Handlers [Event Grid] > Event Subscription > Name Prefix - Azure > Turbot > Event Handlers [Event Grid] > Source - Azure > Turbot > Event Handlers [Event Grid] > System Topic - Azure > Turbot > Event Handlers [Event Grid] > System Topic > Name - Azure > Turbot > Event Handlers [Event Grid] > System Topic > Name Prefix - Azure > Turbot > Event Handlers [Event Grid] > System Topic > Resource Group - Azure > Turbot > Event Handlers [Event Grid] > System Topic > Tags - Azure > Turbot > Event Handlers [Event Grid] > System Topic Mode - Azure > Turbot > Event Handlers [Event Grid] > Version _Note_ This feature requires TE v5.55.6 or later and is currently supported only in Azure Commercial Cloud (not Gov Cloud).

aws-ecr v5.16.2 - Image router now correctly evaluates the CMDB policy at the repository level

Mon, 02 Mar 2026 09:00:00 GMT

_Bug fixes_ - The `AWS > ECR > Image > Router` action was incorrectly evaluating the `AWS > ECR > Image > CMDB` policy at the region level instead of the repository level. This caused image resources to be upserted and then immediately deleted when the policy was set to `Enforce: Disabled` or `Skip` at the repository level (e.g., via a Policy Pack). The router now correctly evaluates the policy at the repository level.

aws-ec2 v5.51.3 - Optimized GraphQL queries for multiple EC2 controls and actions

Fri, 27 Feb 2026 09:00:00 GMT

_Bug fixes_ - We've optimized the GraphQL queries for the `AWS > EC2 > Instance > Approved`, `AWS > EC2 > Volume > Approved`, and `AWS > EC2 > Account Attributes > EBS Encryption by Default` controls, and the `AWS > EC2 > Network Interface > Router` action. You won't notice any difference, but they should run a lot lighter now.

aws-ec2 v5.51.2 - Optimized GraphQL queries for Snapshot Approved and Active controls

Thu, 26 Feb 2026 09:00:00 GMT

_Bug fixes_ - We've optimized the GraphQL queries for the `AWS > EC2 > Snapshot > Approved` and `AWS > EC2 > Snapshot > Active` controls. You won't notice any difference, but they should run much more efficiently now.

Turbot Guardrails Enterprise Foundation (TEF) v1.69.0 - Amazon Linux 2023 migration and TLS 1.3 support

Tue, 24 Feb 2026 09:00:00 GMT

_What's new?_ - Added support for additional EC2 instance types: R6a, R6g, R7a, and R7i. - The default operating system for EC2 hosts has been upgraded to Amazon Linux 2023, with updated container image paths and startup configuration to match. - Network load balancers and API endpoints now support TLS 1.3 for stronger encryption.

Turbot Guardrails Enterprise (TE) v5.55.5 - Improved materialization performance

Tue, 24 Feb 2026 09:00:00 GMT

_What's new?_ - Server - Improved materialization performance by preventing controls from blocking on in-progress policy evaluations. _Requirements_ - Upgrade to `5.55.5` requires your workspace to be on `5.54.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.69.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-networkwatcher v5.15.0 - Manage tags for Network Watcher Flow Log resources

Mon, 23 Feb 2026 09:00:00 GMT

_What's new?_ - Users can now create and manage tags for flow log resources. To get started, set the `Azure > Network Watcher > Flow Log > Tags > *` policies. _Control Types_ - Azure > Network Watcher > Flow Log > Allowed - Azure > Network Watcher > Flow Log > Allowed > Custom - Azure > Network Watcher > Flow Log > Tags - Azure > Network Watcher > Network Watcher > Allowed - Azure > Network Watcher > Network Watcher > Allowed > Custom - Azure > Network Watcher > Network Watcher > Allowed > Region _Policy Types_ - Azure > Network Watcher > Allowed Regions [Default] - Azure > Network Watcher > Flow Log > Allowed - Azure > Network Watcher > Flow Log > Allowed > Custom - Azure > Network Watcher > Flow Log > Allowed > Custom > Rules - Azure > Network Watcher > Flow Log > Tags - Azure > Network Watcher > Flow Log > Tags > Template - Azure > Network Watcher > Network Watcher > Allowed - Azure > Network Watcher > Network Watcher > Allowed > Custom - Azure > Network Watcher > Network Watcher > Allowed > Custom > Rules - Azure > Network Watcher > Network Watcher > Allowed > Region - Azure > Network Watcher > Network Watcher > Allowed > Region > Regions _Action Types_ - Azure > Network Watcher > Flow Log > Set Tags

azure-monitor v5.13.0 - Track and manage data collection endpoint resources in Guardrails

Mon, 23 Feb 2026 09:00:00 GMT

_Resource Types_ - Azure > Monitor > Data Collection Endpoint _Control Types_ - Azure > Monitor > Action Group > Allowed - Azure > Monitor > Action Group > Allowed > Custom - Azure > Monitor > Alerts > Allowed - Azure > Monitor > Alerts > Allowed > Custom - Azure > Monitor > Data Collection Endpoint > Active - Azure > Monitor > Data Collection Endpoint > Allowed - Azure > Monitor > Data Collection Endpoint > Allowed > Custom - Azure > Monitor > Data Collection Endpoint > Allowed > Region - Azure > Monitor > Data Collection Endpoint > CMDB - Azure > Monitor > Data Collection Endpoint > Discovery - Azure > Monitor > Data Collection Endpoint > Tags - Azure > Monitor > Log Profile > Allowed - Azure > Monitor > Log Profile > Allowed > Custom - Azure > Monitor > Metric Alert > Allowed - Azure > Monitor > Metric Alert > Allowed > Custom _Policy Types_ - Azure > Monitor > Action Group > Allowed - Azure > Monitor > Action Group > Allowed > Custom - Azure > Monitor > Action Group > Allowed > Custom > Rules - Azure > Monitor > Alerts > Allowed - Azure > Monitor > Alerts > Allowed > Custom - Azure > Monitor > Alerts > Allowed > Custom > Rules - Azure > Monitor > Allowed Regions [Default] - Azure > Monitor > Approved Regions [Default] - Azure > Monitor > Data Collection Endpoint > Active - Azure > Monitor > Data Collection Endpoint > Active > Age - Azure > Monitor > Data Collection Endpoint > Active > Last Modified - Azure > Monitor > Data Collection Endpoint > Allowed - Azure > Monitor > Data Collection Endpoint > Allowed > Custom - Azure > Monitor > Data Collection Endpoint > Allowed > Custom > Rules - Azure > Monitor > Data Collection Endpoint > Allowed > Region - Azure > Monitor > Data Collection Endpoint > Allowed > Region > Regions - Azure > Monitor > Data Collection Endpoint > CMDB - Azure > Monitor > Data Collection Endpoint > Regions - Azure > Monitor > Data Collection Endpoint > Tags - Azure > Monitor > Data Collection Endpoint > Tags > Template - Azure > Monitor > Log Profile > Allowed - Azure > Monitor > Log Profile > Allowed > Custom - Azure > Monitor > Log Profile > Allowed > Custom > Rules - Azure > Monitor > Metric Alert > Allowed - Azure > Monitor > Metric Alert > Allowed > Custom - Azure > Monitor > Metric Alert > Allowed > Custom > Rules - Azure > Monitor > Regions _Action Types_ - Azure > Monitor > Data Collection Endpoint > Delete - Azure > Monitor > Data Collection Endpoint > Router - Azure > Monitor > Data Collection Endpoint > Set Tags

azure-cognitiveservices v5.0.0 is now available

Mon, 23 Feb 2026 09:00:00 GMT

_Resource Types_ - Azure > Cognitive Services - Azure > Cognitive Services > Account _Control Types_ - Azure > Cognitive Services > Account > Active - Azure > Cognitive Services > Account > Allowed - Azure > Cognitive Services > Account > Allowed > Custom - Azure > Cognitive Services > Account > Allowed > Region - Azure > Cognitive Services > Account > CMDB - Azure > Cognitive Services > Account > Discovery - Azure > Cognitive Services > Account > Tags _Policy Types_ - Azure > Cognitive Services > Account > Active - Azure > Cognitive Services > Account > Active > Age - Azure > Cognitive Services > Account > Active > Last Modified - Azure > Cognitive Services > Account > Allowed - Azure > Cognitive Services > Account > Allowed > Custom - Azure > Cognitive Services > Account > Allowed > Custom > Rules - Azure > Cognitive Services > Account > Allowed > Region - Azure > Cognitive Services > Account > Allowed > Region > Regions - Azure > Cognitive Services > Account > CMDB - Azure > Cognitive Services > Account > Regions - Azure > Cognitive Services > Account > Tags - Azure > Cognitive Services > Account > Tags > Template - Azure > Cognitive Services > Allowed Regions [Default] - Azure > Cognitive Services > Approved Regions [Default] - Azure > Cognitive Services > Enabled - Azure > Cognitive Services > Permissions - Azure > Cognitive Services > Permissions > Levels - Azure > Cognitive Services > Permissions > Levels > Modifiers - Azure > Cognitive Services > Regions - Azure > Cognitive Services > Tags Template [Default] - Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-cognitiveservices - Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-cognitiveservices _Action Types_ - Azure > Cognitive Services > Account > Delete - Azure > Cognitive Services > Account > Router - Azure > Cognitive Services > Account > Set Tags

azure-botservice v5.0.0 is now available

Mon, 23 Feb 2026 09:00:00 GMT

_Resource Types_ - Azure > Bot Service - Azure > Bot Service > Bot _Control Types_ - Azure > Bot Service > Bot > Active - Azure > Bot Service > Bot > Allowed - Azure > Bot Service > Bot > Allowed > Custom - Azure > Bot Service > Bot > Allowed > Region - Azure > Bot Service > Bot > CMDB - Azure > Bot Service > Bot > Discovery - Azure > Bot Service > Bot > Tags _Policy Types_ - Azure > Bot Service > Allowed Regions [Default] - Azure > Bot Service > Approved Regions [Default] - Azure > Bot Service > Bot > Active - Azure > Bot Service > Bot > Active > Age - Azure > Bot Service > Bot > Active > Last Modified - Azure > Bot Service > Bot > Allowed - Azure > Bot Service > Bot > Allowed > Custom - Azure > Bot Service > Bot > Allowed > Custom > Rules - Azure > Bot Service > Bot > Allowed > Region - Azure > Bot Service > Bot > Allowed > Region > Regions - Azure > Bot Service > Bot > CMDB - Azure > Bot Service > Bot > Regions - Azure > Bot Service > Bot > Tags - Azure > Bot Service > Bot > Tags > Template - Azure > Bot Service > Enabled - Azure > Bot Service > Permissions - Azure > Bot Service > Permissions > Levels - Azure > Bot Service > Permissions > Levels > Modifiers - Azure > Bot Service > Regions - Azure > Bot Service > Tags Template [Default] - Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-botservice - Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-botservice _Action Types_ - Azure > Bot Service > Bot > Delete - Azure > Bot Service > Bot > Router - Azure > Bot Service > Bot > Set Tags

azure-appservice v5.17.0 - Track and manage connection resources in Guardrails

Mon, 23 Feb 2026 09:00:00 GMT

_Resource Types_ - Azure > App Service > Connection _Control Types_ - Azure > App Service > App Service Plan > Allowed - Azure > App Service > App Service Plan > Allowed > Custom - Azure > App Service > App Service Plan > Allowed > Region - Azure > App Service > Connection > Active - Azure > App Service > Connection > Allowed - Azure > App Service > Connection > Allowed > Custom - Azure > App Service > Connection > Allowed > Region - Azure > App Service > Connection > CMDB - Azure > App Service > Connection > Discovery - Azure > App Service > Connection > Tags - Azure > App Service > Function App > Allowed - Azure > App Service > Function App > Allowed > Custom - Azure > App Service > Function App > Allowed > Region - Azure > App Service > Web App > Allowed - Azure > App Service > Web App > Allowed > Custom - Azure > App Service > Web App > Allowed > Region _Policy Types_ - Azure > App Service > Allowed Regions [Default] - Azure > App Service > App Service Plan > Allowed - Azure > App Service > App Service Plan > Allowed > Custom - Azure > App Service > App Service Plan > Allowed > Custom > Rules - Azure > App Service > App Service Plan > Allowed > Region - Azure > App Service > App Service Plan > Allowed > Region > Regions - Azure > App Service > Connection > Active - Azure > App Service > Connection > Active > Age - Azure > App Service > Connection > Active > Last Modified - Azure > App Service > Connection > Allowed - Azure > App Service > Connection > Allowed > Custom - Azure > App Service > Connection > Allowed > Custom > Rules - Azure > App Service > Connection > Allowed > Region - Azure > App Service > Connection > Allowed > Region > Regions - Azure > App Service > Connection > CMDB - Azure > App Service > Connection > Regions - Azure > App Service > Connection > Tags - Azure > App Service > Connection > Tags > Template - Azure > App Service > Function App > Allowed - Azure > App Service > Function App > Allowed > Custom - Azure > App Service > Function App > Allowed > Custom > Rules - Azure > App Service > Function App > Allowed > Region - Azure > App Service > Function App > Allowed > Region > Regions - Azure > App Service > Web App > Allowed - Azure > App Service > Web App > Allowed > Custom - Azure > App Service > Web App > Allowed > Custom > Rules - Azure > App Service > Web App > Allowed > Region - Azure > App Service > Web App > Allowed > Region > Regions _Action Types_ - Azure > App Service > Connection > Delete - Azure > App Service > Connection > Router - Azure > App Service > Connection > Set Tags

azure-alertsmanagement v5.0.0 is now available

Mon, 23 Feb 2026 09:00:00 GMT

_Resource Types_ - Azure > Alerts Management - Azure > Alerts Management > Smart Detector Alert Rule _Control Types_ - Azure > Alerts Management > Smart Detector Alert Rule > Active - Azure > Alerts Management > Smart Detector Alert Rule > Allowed - Azure > Alerts Management > Smart Detector Alert Rule > Allowed > Custom - Azure > Alerts Management > Smart Detector Alert Rule > CMDB - Azure > Alerts Management > Smart Detector Alert Rule > Discovery - Azure > Alerts Management > Smart Detector Alert Rule > Tags _Policy Types_ - Azure > Alerts Management > Allowed Regions [Default] - Azure > Alerts Management > Approved Regions [Default] - Azure > Alerts Management > Enabled - Azure > Alerts Management > Permissions - Azure > Alerts Management > Permissions > Levels - Azure > Alerts Management > Permissions > Levels > Modifiers - Azure > Alerts Management > Regions - Azure > Alerts Management > Smart Detector Alert Rule > Active - Azure > Alerts Management > Smart Detector Alert Rule > Active > Age - Azure > Alerts Management > Smart Detector Alert Rule > Active > Last Modified - Azure > Alerts Management > Smart Detector Alert Rule > Active > Status - Azure > Alerts Management > Smart Detector Alert Rule > Allowed - Azure > Alerts Management > Smart Detector Alert Rule > Allowed > Custom - Azure > Alerts Management > Smart Detector Alert Rule > Allowed > Custom > Rules - Azure > Alerts Management > Smart Detector Alert Rule > CMDB - Azure > Alerts Management > Smart Detector Alert Rule > Regions - Azure > Alerts Management > Smart Detector Alert Rule > Tags - Azure > Alerts Management > Smart Detector Alert Rule > Tags > Template - Azure > Alerts Management > Tags Template [Default] - Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-alertsmanagement - Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-alertsmanagement _Action Types_ - Azure > Alerts Management > Smart Detector Alert Rule > Delete - Azure > Alerts Management > Smart Detector Alert Rule > Router - Azure > Alerts Management > Smart Detector Alert Rule > Set Tags

oci-networking v5.0.0 is now available

Wed, 18 Feb 2026 09:00:00 GMT

_Resource Types_ - OCI > Networking - OCI > Networking > DRG - OCI > Networking > Internet Gateway - OCI > Networking > Load Balancer - OCI > Networking > NAT Gateway - OCI > Networking > Network Security Group - OCI > Networking > Route Table - OCI > Networking > Security List - OCI > Networking > Service Gateway - OCI > Networking > Subnet - OCI > Networking > VCN _Control Types_ - OCI > Networking > DRG > Allowed - OCI > Networking > DRG > Allowed > Custom - OCI > Networking > DRG > Allowed > Region - OCI > Networking > DRG > CMDB - OCI > Networking > DRG > Defined Tags - OCI > Networking > DRG > Discovery - OCI > Networking > DRG > Freeform Tags - OCI > Networking > Internet Gateway > Allowed - OCI > Networking > Internet Gateway > Allowed > Custom - OCI > Networking > Internet Gateway > Allowed > Region - OCI > Networking > Internet Gateway > CMDB - OCI > Networking > Internet Gateway > Defined Tags - OCI > Networking > Internet Gateway > Discovery - OCI > Networking > Internet Gateway > Freeform Tags - OCI > Networking > Load Balancer > Allowed - OCI > Networking > Load Balancer > Allowed > Custom - OCI > Networking > Load Balancer > Allowed > Region - OCI > Networking > Load Balancer > CMDB - OCI > Networking > Load Balancer > Defined Tags - OCI > Networking > Load Balancer > Discovery - OCI > Networking > Load Balancer > Freeform Tags - OCI > Networking > NAT Gateway > Allowed - OCI > Networking > NAT Gateway > Allowed > Custom - OCI > Networking > NAT Gateway > Allowed > Region - OCI > Networking > NAT Gateway > CMDB - OCI > Networking > NAT Gateway > Defined Tags - OCI > Networking > NAT Gateway > Discovery - OCI > Networking > NAT Gateway > Freeform Tags - OCI > Networking > Network Security Group > Allowed - OCI > Networking > Network Security Group > Allowed > Custom - OCI > Networking > Network Security Group > Allowed > Region - OCI > Networking > Network Security Group > CMDB - OCI > Networking > Network Security Group > Defined Tags - OCI > Networking > Network Security Group > Discovery - OCI > Networking > Network Security Group > Freeform Tags - OCI > Networking > Route Table > Allowed - OCI > Networking > Route Table > Allowed > Custom - OCI > Networking > Route Table > Allowed > Region - OCI > Networking > Route Table > CMDB - OCI > Networking > Route Table > Defined Tags - OCI > Networking > Route Table > Discovery - OCI > Networking > Route Table > Freeform Tags - OCI > Networking > Security List > Allowed - OCI > Networking > Security List > Allowed > Custom - OCI > Networking > Security List > Allowed > Region - OCI > Networking > Security List > CMDB - OCI > Networking > Security List > Defined Tags - OCI > Networking > Security List > Discovery - OCI > Networking > Security List > Freeform Tags - OCI > Networking > Service Gateway > Allowed - OCI > Networking > Service Gateway > Allowed > Custom - OCI > Networking > Service Gateway > Allowed > Region - OCI > Networking > Service Gateway > CMDB - OCI > Networking > Service Gateway > Defined Tags - OCI > Networking > Service Gateway > Discovery - OCI > Networking > Service Gateway > Freeform Tags - OCI > Networking > Subnet > Allowed - OCI > Networking > Subnet > Allowed > Custom - OCI > Networking > Subnet > Allowed > Region - OCI > Networking > Subnet > CMDB - OCI > Networking > Subnet > Defined Tags - OCI > Networking > Subnet > Discovery - OCI > Networking > Subnet > Freeform Tags - OCI > Networking > VCN > Allowed - OCI > Networking > VCN > Allowed > Custom - OCI > Networking > VCN > Allowed > Region - OCI > Networking > VCN > CMDB - OCI > Networking > VCN > Defined Tags - OCI > Networking > VCN > Discovery - OCI > Networking > VCN > Freeform Tags _Policy Types_ - OCI > Networking > Allowed Regions [Default] - OCI > Networking > DRG > Allowed - OCI > Networking > DRG > Allowed > Custom - OCI > Networking > DRG > Allowed > Custom > Rules - OCI > Networking > DRG > Allowed > Region - OCI > Networking > DRG > Allowed > Region > Regions - OCI > Networking > DRG > CMDB - OCI > Networking > DRG > Defined Tags - OCI > Networking > DRG > Defined Tags > Template - OCI > Networking > DRG > Freeform Tags - OCI > Networking > DRG > Freeform Tags > Template - OCI > Networking > Internet Gateway > Allowed - OCI > Networking > Internet Gateway > Allowed > Custom - OCI > Networking > Internet Gateway > Allowed > Custom > Rules - OCI > Networking > Internet Gateway > Allowed > Region - OCI > Networking > Internet Gateway > Allowed > Region > Regions - OCI > Networking > Internet Gateway > CMDB - OCI > Networking > Internet Gateway > Defined Tags - OCI > Networking > Internet Gateway > Defined Tags > Template - OCI > Networking > Internet Gateway > Freeform Tags - OCI > Networking > Internet Gateway > Freeform Tags > Template - OCI > Networking > Load Balancer > Allowed - OCI > Networking > Load Balancer > Allowed > Custom - OCI > Networking > Load Balancer > Allowed > Custom > Rules - OCI > Networking > Load Balancer > Allowed > Region - OCI > Networking > Load Balancer > Allowed > Region > Regions - OCI > Networking > Load Balancer > CMDB - OCI > Networking > Load Balancer > Defined Tags - OCI > Networking > Load Balancer > Defined Tags > Template - OCI > Networking > Load Balancer > Freeform Tags - OCI > Networking > Load Balancer > Freeform Tags > Template - OCI > Networking > NAT Gateway > Allowed - OCI > Networking > NAT Gateway > Allowed > Custom - OCI > Networking > NAT Gateway > Allowed > Custom > Rules - OCI > Networking > NAT Gateway > Allowed > Region - OCI > Networking > NAT Gateway > Allowed > Region > Regions - OCI > Networking > NAT Gateway > CMDB - OCI > Networking > NAT Gateway > Defined Tags - OCI > Networking > NAT Gateway > Defined Tags > Template - OCI > Networking > NAT Gateway > Freeform Tags - OCI > Networking > NAT Gateway > Freeform Tags > Template - OCI > Networking > Network Security Group > Allowed - OCI > Networking > Network Security Group > Allowed > Custom - OCI > Networking > Network Security Group > Allowed > Custom > Rules - OCI > Networking > Network Security Group > Allowed > Region - OCI > Networking > Network Security Group > Allowed > Region > Regions - OCI > Networking > Network Security Group > CMDB - OCI > Networking > Network Security Group > Defined Tags - OCI > Networking > Network Security Group > Defined Tags > Template - OCI > Networking > Network Security Group > Freeform Tags - OCI > Networking > Network Security Group > Freeform Tags > Template - OCI > Networking > Regions - OCI > Networking > Route Table > Allowed - OCI > Networking > Route Table > Allowed > Custom - OCI > Networking > Route Table > Allowed > Custom > Rules - OCI > Networking > Route Table > Allowed > Region - OCI > Networking > Route Table > Allowed > Region > Regions - OCI > Networking > Route Table > CMDB - OCI > Networking > Route Table > Defined Tags - OCI > Networking > Route Table > Defined Tags > Template - OCI > Networking > Route Table > Freeform Tags - OCI > Networking > Route Table > Freeform Tags > Template - OCI > Networking > Security List > Allowed - OCI > Networking > Security List > Allowed > Custom - OCI > Networking > Security List > Allowed > Custom > Rules - OCI > Networking > Security List > Allowed > Region - OCI > Networking > Security List > Allowed > Region > Regions - OCI > Networking > Security List > CMDB - OCI > Networking > Security List > Defined Tags - OCI > Networking > Security List > Defined Tags > Template - OCI > Networking > Security List > Freeform Tags - OCI > Networking > Security List > Freeform Tags > Template - OCI > Networking > Service Gateway > Allowed - OCI > Networking > Service Gateway > Allowed > Custom - OCI > Networking > Service Gateway > Allowed > Custom > Rules - OCI > Networking > Service Gateway > Allowed > Region - OCI > Networking > Service Gateway > Allowed > Region > Regions - OCI > Networking > Service Gateway > CMDB - OCI > Networking > Service Gateway > Defined Tags - OCI > Networking > Service Gateway > Defined Tags > Template - OCI > Networking > Service Gateway > Freeform Tags - OCI > Networking > Service Gateway > Freeform Tags > Template - OCI > Networking > Subnet > Allowed - OCI > Networking > Subnet > Allowed > Custom - OCI > Networking > Subnet > Allowed > Custom > Rules - OCI > Networking > Subnet > Allowed > Region - OCI > Networking > Subnet > Allowed > Region > Regions - OCI > Networking > Subnet > CMDB - OCI > Networking > Subnet > Defined Tags - OCI > Networking > Subnet > Defined Tags > Template - OCI > Networking > Subnet > Freeform Tags - OCI > Networking > Subnet > Freeform Tags > Template - OCI > Networking > VCN > Allowed - OCI > Networking > VCN > Allowed > Custom - OCI > Networking > VCN > Allowed > Custom > Rules - OCI > Networking > VCN > Allowed > Region - OCI > Networking > VCN > Allowed > Region > Regions - OCI > Networking > VCN > CMDB - OCI > Networking > VCN > Defined Tags - OCI > Networking > VCN > Defined Tags > Template - OCI > Networking > VCN > Freeform Tags - OCI > Networking > VCN > Freeform Tags > Template _Action Types_ - OCI > Networking > DRG > Router - OCI > Networking > DRG > Update Defined Tags - OCI > Networking > DRG > Update Freeform Tags - OCI > Networking > Internet Gateway > Router - OCI > Networking > Internet Gateway > Update Defined Tags - OCI > Networking > Internet Gateway > Update Freeform Tags - OCI > Networking > Load Balancer > Router - OCI > Networking > Load Balancer > Update Defined Tags - OCI > Networking > Load Balancer > Update Freeform Tags - OCI > Networking > NAT Gateway > Router - OCI > Networking > NAT Gateway > Update Defined Tags - OCI > Networking > NAT Gateway > Update Freeform Tags - OCI > Networking > Network Security Group > Router - OCI > Networking > Network Security Group > Update Defined Tags - OCI > Networking > Network Security Group > Update Freeform Tags - OCI > Networking > Route Table > Router - OCI > Networking > Route Table > Update Defined Tags - OCI > Networking > Route Table > Update Freeform Tags - OCI > Networking > Security List > Router - OCI > Networking > Security List > Update Defined Tags - OCI > Networking > Security List > Update Freeform Tags - OCI > Networking > Service Gateway > Router - OCI > Networking > Service Gateway > Update Defined Tags - OCI > Networking > Service Gateway > Update Freeform Tags - OCI > Networking > Subnet > Router - OCI > Networking > Subnet > Update Defined Tags - OCI > Networking > Subnet > Update Freeform Tags - OCI > Networking > VCN > Router - OCI > Networking > VCN > Update Defined Tags - OCI > Networking > VCN > Update Freeform Tags

aws-sagemaker v5.15.0 - App CMDB control no longer enters error state due to duplicate AKAs

Wed, 18 Feb 2026 09:00:00 GMT

_Bug fixes_ - Guardrails previously upserted SageMaker Apps into the CMDB using inconsistent AKA formats between Discovery and CMDB controls. This occasionally caused the `AWS > SageMaker > App > CMDB` control to enter an error state due to duplicate AKAs. We have improved AKA generation to ensure Apps are now upserted more reliably and correctly. _Control Types_ - AWS > SageMaker > Code Repository > Allowed - AWS > SageMaker > Code Repository > Allowed > Custom - AWS > SageMaker > Code Repository > Allowed > Region - AWS > SageMaker > Domain > Allowed - AWS > SageMaker > Domain > Allowed > Custom - AWS > SageMaker > Domain > Allowed > Region - AWS > SageMaker > Endpoint > Allowed - AWS > SageMaker > Endpoint > Allowed > Custom - AWS > SageMaker > Endpoint > Allowed > Region - AWS > SageMaker > Endpoint Configuration > Allowed - AWS > SageMaker > Endpoint Configuration > Allowed > Custom - AWS > SageMaker > Endpoint Configuration > Allowed > Region - AWS > SageMaker > Lifecycle Configuration > Allowed - AWS > SageMaker > Lifecycle Configuration > Allowed > Custom - AWS > SageMaker > Lifecycle Configuration > Allowed > Region - AWS > SageMaker > Model > Allowed - AWS > SageMaker > Model > Allowed > Custom - AWS > SageMaker > Model > Allowed > Region - AWS > SageMaker > Notebook Instance > Allowed - AWS > SageMaker > Notebook Instance > Allowed > Custom - AWS > SageMaker > Notebook Instance > Allowed > Region - AWS > SageMaker > Training Job > Allowed - AWS > SageMaker > Training Job > Allowed > Custom - AWS > SageMaker > Training Job > Allowed > Region _Policy Types_ - AWS > SageMaker > Code Repository > Allowed - AWS > SageMaker > Code Repository > Allowed > Custom - AWS > SageMaker > Code Repository > Allowed > Custom > Rules - AWS > SageMaker > Code Repository > Allowed > Region - AWS > SageMaker > Code Repository > Allowed > Region > Regions - AWS > SageMaker > Domain > Allowed - AWS > SageMaker > Domain > Allowed > Custom - AWS > SageMaker > Domain > Allowed > Custom > Rules - AWS > SageMaker > Domain > Allowed > Region - AWS > SageMaker > Domain > Allowed > Region > Regions - AWS > SageMaker > Endpoint > Allowed - AWS > SageMaker > Endpoint > Allowed > Custom - AWS > SageMaker > Endpoint > Allowed > Custom > Rules - AWS > SageMaker > Endpoint > Allowed > Region - AWS > SageMaker > Endpoint > Allowed > Region > Regions - AWS > SageMaker > Endpoint Configuration > Allowed - AWS > SageMaker > Endpoint Configuration > Allowed > Custom - AWS > SageMaker > Endpoint Configuration > Allowed > Custom > Rules - AWS > SageMaker > Endpoint Configuration > Allowed > Region - AWS > SageMaker > Endpoint Configuration > Allowed > Region > Regions - AWS > SageMaker > Lifecycle Configuration > Allowed - AWS > SageMaker > Lifecycle Configuration > Allowed > Custom - AWS > SageMaker > Lifecycle Configuration > Allowed > Custom > Rules - AWS > SageMaker > Lifecycle Configuration > Allowed > Region - AWS > SageMaker > Lifecycle Configuration > Allowed > Region > Regions - AWS > SageMaker > Model > Allowed - AWS > SageMaker > Model > Allowed > Custom - AWS > SageMaker > Model > Allowed > Custom > Rules - AWS > SageMaker > Model > Allowed > Region - AWS > SageMaker > Model > Allowed > Region > Regions - AWS > SageMaker > Notebook Instance > Allowed - AWS > SageMaker > Notebook Instance > Allowed > Custom - AWS > SageMaker > Notebook Instance > Allowed > Custom > Rules - AWS > SageMaker > Notebook Instance > Allowed > Region - AWS > SageMaker > Notebook Instance > Allowed > Region > Regions - AWS > SageMaker > Training Job > Allowed - AWS > SageMaker > Training Job > Allowed > Custom - AWS > SageMaker > Training Job > Allowed > Custom > Rules - AWS > SageMaker > Training Job > Allowed > Region - AWS > SageMaker > Training Job > Allowed > Region > Regions

gcp-iam v5.23.0 - IAM role bindings enforcement now works correctly on projects with conditional bindings

Tue, 17 Feb 2026 09:00:00 GMT

_Bug fixes_ - The approved controls for `GCP > IAM > Service Account > Project Role Bindings`, `GCP > IAM > Service Account > Role Bindings`, and `GCP > IAM > Project User > Role Bindings` previously failed to delete unapproved role bindings on projects or service accounts with conditional IAM bindings. This has now been fixed, and enforcement and delete actions will work as expected. _Control Types_ - GCP > IAM > API Key > Allowed - GCP > IAM > API Key > Allowed > Custom - GCP > IAM > Project User > Allowed - GCP > IAM > Project User > Allowed > Custom - GCP > IAM > Service Account > Allowed - GCP > IAM > Service Account > Allowed > Custom - GCP > IAM > Service Account Key > Allowed - GCP > IAM > Service Account Key > Allowed > Custom _Policy Types_ - GCP > IAM > API Key > Allowed - GCP > IAM > API Key > Allowed > Custom - GCP > IAM > API Key > Allowed > Custom > Rules - GCP > IAM > Project User > Allowed - GCP > IAM > Project User > Allowed > Custom - GCP > IAM > Project User > Allowed > Custom > Rules - GCP > IAM > Service Account > Allowed - GCP > IAM > Service Account > Allowed > Custom - GCP > IAM > Service Account > Allowed > Custom > Rules - GCP > IAM > Service Account Key > Allowed - GCP > IAM > Service Account Key > Allowed > Custom - GCP > IAM > Service Account Key > Allowed > Custom > Rules

azure-provider v5.22.0 - Track and manage Alerts Management resource providers in Guardrails

Tue, 17 Feb 2026 09:00:00 GMT

_Resource Types_ - Azure > Provider > Alerts Management _Control Types_ - Azure > Provider > Alerts Management > CMDB - Azure > Provider > Alerts Management > Discovery - Azure > Provider > Alerts Management > Registered _Policy Types_ - Azure > Provider > Alerts Management > CMDB - Azure > Provider > Alerts Management > Registered _Action Types_ - Azure > Provider > Alerts Management > Set Registered

oci-governance v5.0.0 is now available

Mon, 16 Feb 2026 09:00:00 GMT

_Resource Types_ - OCI > Governance - OCI > Governance > Tag Default - OCI > Governance > Tag Definition - OCI > Governance > Tag Namespace _Control Types_ - OCI > Governance > Tag Default > CMDB - OCI > Governance > Tag Default > Discovery - OCI > Governance > Tag Definition > Allowed - OCI > Governance > Tag Definition > Allowed > Custom - OCI > Governance > Tag Definition > CMDB - OCI > Governance > Tag Definition > Discovery - OCI > Governance > Tag Namespace > Allowed - OCI > Governance > Tag Namespace > Allowed > Custom - OCI > Governance > Tag Namespace > CMDB - OCI > Governance > Tag Namespace > Discovery _Policy Types_ - OCI > Governance > Tag Default > CMDB - OCI > Governance > Tag Definition > Allowed - OCI > Governance > Tag Definition > Allowed > Custom - OCI > Governance > Tag Definition > Allowed > Custom > Rules - OCI > Governance > Tag Definition > CMDB - OCI > Governance > Tag Namespace > Allowed - OCI > Governance > Tag Namespace > Allowed > Custom - OCI > Governance > Tag Namespace > Allowed > Custom > Rules - OCI > Governance > Tag Namespace > CMDB _Action Types_ - OCI > Governance > Tag Default > Router - OCI > Governance > Tag Definition > Router - OCI > Governance > Tag Namespace > Router _Note_ To ensure compatibility and proper functioning of the mod, please upgrade TE to v5.57.0 or higher.

azure-provider v5.21.0 - Track and manage Bot Service and Data Box resource providers in Guardrails

Mon, 16 Feb 2026 09:00:00 GMT

_Resource Types_ - Azure > Provider > Bot Service - Azure > Provider > Data Box _Control Types_ - Azure > Provider > Bot Service > CMDB - Azure > Provider > Bot Service > Discovery - Azure > Provider > Bot Service > Registered - Azure > Provider > Data Box > CMDB - Azure > Provider > Data Box > Discovery - Azure > Provider > Data Box > Registered _Policy Types_ - Azure > Provider > Bot Service > CMDB - Azure > Provider > Bot Service > Registered - Azure > Provider > Data Box > CMDB - Azure > Provider > Data Box > Registered _Action Types_ - Azure > Provider > Bot Service > Set Registered - Azure > Provider > Data Box > Set Registered

oci v5.0.1 - Compartment CMDB control will no longer fail to remove deleted compartments

Fri, 13 Feb 2026 09:00:00 GMT

_Bug fixes_ - The `OCI > Compartment > CMDB` control previously failed to remove deleted compartments from Guardrails. The control now correctly handles OCI lifecycle states, deleting resources in the `DELETED` state and scheduling a re-run for transitioning states (`CREATING`, `DELETING`).

oci-iam v5.0.0 is now available

Thu, 12 Feb 2026 09:00:00 GMT

_Resource Types_ - OCI > IAM - OCI > IAM > API Key - OCI > IAM > Auth Token - OCI > IAM > Customer Secret Key - OCI > IAM > DB Credential - OCI > IAM > Dynamic Group - OCI > IAM > Group - OCI > IAM > OAuth Client Credential - OCI > IAM > Policy - OCI > IAM > SMTP Credential - OCI > IAM > User _Control Types_ - OCI > IAM > API Key > Allowed - OCI > IAM > API Key > Allowed > Custom - OCI > IAM > API Key > CMDB - OCI > IAM > API Key > Discovery - OCI > IAM > Auth Token > Allowed - OCI > IAM > Auth Token > Allowed > Custom - OCI > IAM > Auth Token > CMDB - OCI > IAM > Auth Token > Discovery - OCI > IAM > Customer Secret Key > Allowed - OCI > IAM > Customer Secret Key > Allowed > Custom - OCI > IAM > Customer Secret Key > CMDB - OCI > IAM > Customer Secret Key > Discovery - OCI > IAM > DB Credential > Allowed - OCI > IAM > DB Credential > Allowed > Custom - OCI > IAM > DB Credential > CMDB - OCI > IAM > DB Credential > Discovery - OCI > IAM > Dynamic Group > Allowed - OCI > IAM > Dynamic Group > Allowed > Custom - OCI > IAM > Dynamic Group > CMDB - OCI > IAM > Dynamic Group > Defined Tags - OCI > IAM > Dynamic Group > Discovery - OCI > IAM > Dynamic Group > Freeform Tags - OCI > IAM > Group > Allowed - OCI > IAM > Group > Allowed > Custom - OCI > IAM > Group > CMDB - OCI > IAM > Group > Defined Tags - OCI > IAM > Group > Discovery - OCI > IAM > Group > Freeform Tags - OCI > IAM > OAuth Client Credential > Allowed - OCI > IAM > OAuth Client Credential > Allowed > Custom - OCI > IAM > OAuth Client Credential > CMDB - OCI > IAM > OAuth Client Credential > Discovery - OCI > IAM > Policy > Allowed - OCI > IAM > Policy > Allowed > Custom - OCI > IAM > Policy > CMDB - OCI > IAM > Policy > Defined Tags - OCI > IAM > Policy > Discovery - OCI > IAM > Policy > Freeform Tags - OCI > IAM > SMTP Credential > Allowed - OCI > IAM > SMTP Credential > Allowed > Custom - OCI > IAM > SMTP Credential > CMDB - OCI > IAM > SMTP Credential > Discovery - OCI > IAM > User > Allowed - OCI > IAM > User > Allowed > Custom - OCI > IAM > User > CMDB - OCI > IAM > User > Defined Tags - OCI > IAM > User > Discovery - OCI > IAM > User > Freeform Tags _Policy Types_ - OCI > IAM > API Key > Allowed - OCI > IAM > API Key > Allowed > Custom - OCI > IAM > API Key > Allowed > Custom > Rules - OCI > IAM > API Key > CMDB - OCI > IAM > Auth Token > Allowed - OCI > IAM > Auth Token > Allowed > Custom - OCI > IAM > Auth Token > Allowed > Custom > Rules - OCI > IAM > Auth Token > CMDB - OCI > IAM > Customer Secret Key > Allowed - OCI > IAM > Customer Secret Key > Allowed > Custom - OCI > IAM > Customer Secret Key > Allowed > Custom > Rules - OCI > IAM > Customer Secret Key > CMDB - OCI > IAM > DB Credential > Allowed - OCI > IAM > DB Credential > Allowed > Custom - OCI > IAM > DB Credential > Allowed > Custom > Rules - OCI > IAM > DB Credential > CMDB - OCI > IAM > Dynamic Group > Allowed - OCI > IAM > Dynamic Group > Allowed > Custom - OCI > IAM > Dynamic Group > Allowed > Custom > Rules - OCI > IAM > Dynamic Group > CMDB - OCI > IAM > Dynamic Group > Defined Tags - OCI > IAM > Dynamic Group > Defined Tags > Template - OCI > IAM > Dynamic Group > Freeform Tags - OCI > IAM > Dynamic Group > Freeform Tags > Template - OCI > IAM > Group > Allowed - OCI > IAM > Group > Allowed > Custom - OCI > IAM > Group > Allowed > Custom > Rules - OCI > IAM > Group > CMDB - OCI > IAM > Group > Defined Tags - OCI > IAM > Group > Defined Tags > Template - OCI > IAM > Group > Freeform Tags - OCI > IAM > Group > Freeform Tags > Template - OCI > IAM > OAuth Client Credential > Allowed - OCI > IAM > OAuth Client Credential > Allowed > Custom - OCI > IAM > OAuth Client Credential > Allowed > Custom > Rules - OCI > IAM > OAuth Client Credential > CMDB - OCI > IAM > Policy > Allowed - OCI > IAM > Policy > Allowed > Custom - OCI > IAM > Policy > Allowed > Custom > Rules - OCI > IAM > Policy > CMDB - OCI > IAM > Policy > Defined Tags - OCI > IAM > Policy > Defined Tags > Template - OCI > IAM > Policy > Freeform Tags - OCI > IAM > Policy > Freeform Tags > Template - OCI > IAM > SMTP Credential > Allowed - OCI > IAM > SMTP Credential > Allowed > Custom - OCI > IAM > SMTP Credential > Allowed > Custom > Rules - OCI > IAM > SMTP Credential > CMDB - OCI > IAM > User > Allowed - OCI > IAM > User > Allowed > Custom - OCI > IAM > User > Allowed > Custom > Rules - OCI > IAM > User > CMDB - OCI > IAM > User > Defined Tags - OCI > IAM > User > Defined Tags > Template - OCI > IAM > User > Freeform Tags - OCI > IAM > User > Freeform Tags > Template _Action Types_ - OCI > IAM > API Key > Router - OCI > IAM > Auth Token > Router - OCI > IAM > Customer Secret Key > Router - OCI > IAM > DB Credential > Router - OCI > IAM > Dynamic Group > Router - OCI > IAM > Dynamic Group > Update Defined Tags - OCI > IAM > Dynamic Group > Update Freeform Tags - OCI > IAM > Group > Router - OCI > IAM > Group > Update Defined Tags - OCI > IAM > Group > Update Freeform Tags - OCI > IAM > OAuth Client Credential > Router - OCI > IAM > Policy > Router - OCI > IAM > Policy > Update Defined Tags - OCI > IAM > Policy > Update Freeform Tags - OCI > IAM > SMTP Credential > Router - OCI > IAM > User > Router - OCI > IAM > User > Update Defined Tags - OCI > IAM > User > Update Freeform Tags _Note_ To ensure compatibility and proper functioning of the mod, please upgrade TE to v5.57.0 or higher.

azure-cisv5-0 v5.0.1 - Fixed title inconsistencies in section 7 control and policy types

Thu, 12 Feb 2026 09:00:00 GMT

_Bug fixes_ - Fixed title inconsistencies in section 7 control and policy types. _Control Types_ _Renamed_ - `Azure > CIS v5.0 > 7 - Networking Services > 7.08 Ensure that virtual network flow log retention days is set to greater than or equal to 90` to `Azure > CIS v5.0 > 7 - Networking Services > 7.08 - Ensure that virtual network flow log retention days is set to greater than or equal to 90` _Policy Types_ _Renamed_ - `Azure > CIS v5.0 > 7 - Networking Services > 7 - Maximum Attestation Duration` to `Azure > CIS v5.0 > 7 - Networking Services > Maximum Attestation Duration`

azure-cisv5-0 v5.0.0 is now available

Wed, 11 Feb 2026 09:00:00 GMT

_Control Types_ - Azure > CIS v5.0 - Azure > CIS v5.0 > 2 - Analytics Services - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.01 - Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet) - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.02 - Ensure that network security groups are configured for Databricks subnets - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.03 - Ensure that traffic is encrypted between cluster worker nodes - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.04 - Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.05 - Ensure that Unity Catalog is configured for Azure Databricks - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.06 - Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.07 - Ensure that diagnostic log delivery is configured for Azure Databricks - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.08 - Ensure critical data in Azure Databricks is encrypted with customer-managed keys (CMK) - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.09 - Ensure 'No Public IP' is set to 'Enabled' - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.10 - Ensure 'Allow Public Network Access' is set to 'Disabled' - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.11 - Ensure private endpoints are used to access Azure Databricks workspaces - Azure > CIS v5.0 > 3 - Compute Services - Azure > CIS v5.0 > 3 - Compute Services > 3.01 - Virtual Machines - Azure > CIS v5.0 > 3 - Compute Services > 3.01 - Virtual Machines > 3.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine - Azure > CIS v5.0 > 5 - Identity Services - Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) - Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID - Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users - Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.01 - Ensure that 'trusted locations' are defined - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.03 - Ensure that an exclusionary Device code flow policy is considered - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.04 - Ensure that a multifactor authentication policy exists for all users - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.05 - Ensure that multifactor authentication is required for risky sign-ins - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.06 - Ensure that multifactor authentication is required for Windows Azure Service Management API - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.07 - Ensure that multifactor authentication is required to access Microsoft Admin Portals - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.08 - Ensure a Token Protection Conditional Access policy is considered - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.01 - Ensure that Azure admin accounts are not used for daily operations - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.02 - Ensure that guest users are reviewed on a regular basis - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.03 - Ensure that use of the 'User Access Administrator' role is restricted - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.05 - Ensure disabled user accounts do not have read, write, or owner permissions - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.06 - Ensure 'Tenant Creator' role assignments are periodically reviewed - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.07 - Ensure all non-privileged role assignments are periodically reviewed - Azure > CIS v5.0 > 5 - Identity Services > 5.04 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' - Azure > CIS v5.0 > 5 - Identity Services > 5.05 - Ensure that 'Number of methods required to reset' is set to '2' - Azure > CIS v5.0 > 5 - Identity Services > 5.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10' - Azure > CIS v5.0 > 5 - Identity Services > 5.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' - Azure > CIS v5.0 > 5 - Identity Services > 5.08 - Ensure that a 'Custom banned password list' is set to 'Enforce' - Azure > CIS v5.0 > 5 - Identity Services > 5.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' - Azure > CIS v5.0 > 5 - Identity Services > 5.10 - Ensure that 'Notify users on password resets?' is set to 'Yes' - Azure > CIS v5.0 > 5 - Identity Services > 5.11 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' - Azure > CIS v5.0 > 5 - Identity Services > 5.12 - Ensure that 'User consent for applications' is set to 'Do not allow user consent' - Azure > CIS v5.0 > 5 - Identity Services > 5.13 - Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions' - Azure > CIS v5.0 > 5 - Identity Services > 5.14 - Ensure that 'Users can register applications' is set to 'No' - Azure > CIS v5.0 > 5 - Identity Services > 5.15 - Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' - Azure > CIS v5.0 > 5 - Identity Services > 5.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles [...]' or 'No one [..]' - Azure > CIS v5.0 > 5 - Identity Services > 5.17 - Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes' - Azure > CIS v5.0 > 5 - Identity Services > 5.18 - Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes' - Azure > CIS v5.0 > 5 - Identity Services > 5.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v5.0 > 5 - Identity Services > 5.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' - Azure > CIS v5.0 > 5 - Identity Services > 5.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v5.0 > 5 - Identity Services > 5.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' - Azure > CIS v5.0 > 5 - Identity Services > 5.23 - Ensure That No Custom Subscription Administrator Roles Exist - Azure > CIS v5.0 > 5 - Identity Services > 5.24 - Ensure that a custom role is assigned permissions for administering resource locks - Azure > CIS v5.0 > 5 - Identity Services > 5.25 - Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' - Azure > CIS v5.0 > 5 - Identity Services > 5.26 - Ensure fewer than 5 users have global administrator assignment - Azure > CIS v5.0 > 5 - Identity Services > 5.27 - Ensure there are between 2 and 3 subscription owners - Azure > CIS v5.0 > 5 - Identity Services > 5.28 - Ensure passwordless authentication methods are considered - Azure > CIS v5.0 > 6 - Management and Governance Services - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.02 - Ensure Diagnostic Setting captures appropriate categories - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.03 - Ensure the storage account containing the container with activity logs is encrypted with customer-managed key (CMK) - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.04 - Ensure that logging for Azure Key Vault is 'Enabled' - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.11 - Ensure that an Activity Log Alert exists for Service Health - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.03 - Configuring Application Insights - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.03 - Configuring Application Insights > 6.01.03.01 - Ensure Application Insights are Configured - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources - Azure > CIS v5.0 > 7 - Networking Services - Azure > CIS v5.0 > 7 - Networking Services > 7.01 - Ensure that RDP access from the Internet is evaluated and restricted - Azure > CIS v5.0 > 7 - Networking Services > 7.02 - Ensure that SSH access from the Internet is evaluated and restricted - Azure > CIS v5.0 > 7 - Networking Services > 7.03 - Ensure that UDP access from the Internet is evaluated and restricted - Azure > CIS v5.0 > 7 - Networking Services > 7.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted - Azure > CIS v5.0 > 7 - Networking Services > 7.05 - Ensure that network security group flow log retention days is set to greater than or equal to 90 - Azure > CIS v5.0 > 7 - Networking Services > 7.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use - Azure > CIS v5.0 > 7 - Networking Services > 7.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis - Azure > CIS v5.0 > 7 - Networking Services > 7.08 - Ensure that virtual network flow log retention days is set to greater than or equal to 90 - Azure > CIS v5.0 > 7 - Networking Services > 7.09 - Ensure 'Authentication type' is set to 'Azure Active Directory' only for Azure VPN Gateway point-to-site configuration - Azure > CIS v5.0 > 7 - Networking Services > 7.10 - Ensure Azure Web Application Firewall (WAF) is enabled on Azure Application Gateway - Azure > CIS v5.0 > 7 - Networking Services > 7.11 - Ensure subnets are associated with network security groups - Azure > CIS v5.0 > 7 - Networking Services > 7.12 - Ensure the SSL policy's 'Min protocol version' is set to 'TLSv1_2' or higher on Azure Application Gateway - Azure > CIS v5.0 > 7 - Networking Services > 7.13 - Ensure 'HTTP2' is set to 'Enabled' on Azure Application Gateway - Azure > CIS v5.0 > 7 - Networking Services > 7.14 - Ensure request body inspection is enabled in Azure Web Application Firewall policy on Azure Application Gateway - Azure > CIS v5.0 > 7 - Networking Services > 7.15 - Ensure bot protection is enabled in Azure Web Application Firewall policy on Azure Application Gateway - Azure > CIS v5.0 > 7 - Networking Services > 7.16 - Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources - Azure > CIS v5.0 > 8 - Security Services - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.01 - Microsoft Cloud Security Posture Management (CSPM) - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 8.01.01.01 - Ensure Microsoft Defender CSPM is set to 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.02 - Defender Plan: APIs - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.02 - Defender Plan: APIs > 8.01.02.01 - Ensure Microsoft Defender for APIs is set to 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.01 - Ensure that Defender for Servers is set to 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.04 - Defender Plan: Containers - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.04 - Defender Plan: Containers > 8.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage > 8.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage > 8.01.05.02 - Ensure Advanced Threat Protection Alerts for Storage Accounts Are Monitored - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.06 - Defender Plan: App Service - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.06 - Defender Plan: App Service > 8.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.08 - Defender Plan: Key Vault - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.08 - Defender Plan: Key Vault > 8.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.09 - Defender Plan: Resource Manager - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.09 - Defender Plan: Resource Manager > 8.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.11 - Ensure That Microsoft Cloud Security Benchmark policies are not set to 'Disabled' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.12 - Ensure That 'All users with the following roles' is set to 'Owner' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.14 - Ensure that 'Notify about alerts with the following severity (or higher)' is enabled - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.15 - Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled - Azure > CIS v5.0 > 8 - Security Services > 8.02 - Microsoft Defender for IoT - Azure > CIS v5.0 > 8 - Security Services > 8.02 - Microsoft Defender for IoT > 8.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.05 - Ensure 'Purge protection' is set to 'Enabled' - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.06 - Ensure that Role Based Access Control for Azure Key Vault is enabled - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.07 - Ensure Public Network Access is Disabled - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.08 - Ensure Private Endpoints are used to access Azure Key Vault - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.09 - Ensure automatic key rotation is enabled within Azure Key Vault - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.10 - Ensure that Azure Key Vault Managed HSM is used when required - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.11 - Ensure certificate 'Validity Period (in months)' is less than or equal to '12' - Azure > CIS v5.0 > 8 - Security Services > 8.04 - Azure Bastion - Azure > CIS v5.0 > 8 - Security Services > 8.04 - Azure Bastion > 8.04.01 - Ensure an Azure Bastion Host Exists - Azure > CIS v5.0 > 8 - Security Services > 8.05 - Ensure Azure DDoS Network Protection is enabled on virtual networks - Azure > CIS v5.0 > 9 - Storage Services - Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files - Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.01 - Ensure soft delete for Azure File Shares is Enabled - Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.02 - Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares - Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.03 - Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares - Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage - Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.01 - Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled - Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.02 - Ensure that soft delete for containers on Azure Blob Storage storage accounts is Enabled - Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.03 - Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.01 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.02 - Ensure that Storage Account Access Keys are Periodically Regenerated - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.03 - Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled' - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.01 - Ensure Private Endpoints are used to access Storage Accounts - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.02 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.03 - Ensure default network access rule for storage accounts is set to deny - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.03 - Identity and Access Management - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.03 - Identity and Access Management > 9.03.03.01 - Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled' - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.04 - Ensure that 'Secure transfer required' is set to 'Enabled' - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.05 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.06 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.07 - Ensure 'Cross Tenant Replication' is not enabled - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.08 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.09 - Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.10 - Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.11 - Ensure Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts _Policy Types_ - Azure > CIS v5.0 - Azure > CIS v5.0 > 2 - Analytics Services - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.01 - Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet) - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.02 - Ensure that network security groups are configured for Databricks subnets - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.02 - Ensure that network security groups are configured for Databricks subnets > Attestation - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.03 - Ensure that traffic is encrypted between cluster worker nodes - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.03 - Ensure that traffic is encrypted between cluster worker nodes > Attestation - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.04 - Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.04 - Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks > Attestation - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.05 - Ensure that Unity Catalog is configured for Azure Databricks - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.05 - Ensure that Unity Catalog is configured for Azure Databricks > Attestation - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.06 - Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.06 - Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens > Attestation - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.07 - Ensure that diagnostic log delivery is configured for Azure Databricks - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.07 - Ensure that diagnostic log delivery is configured for Azure Databricks > Attestation - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.08 - Ensure critical data in Azure Databricks is encrypted with customer-managed keys (CMK) - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.09 - Ensure 'No Public IP' is set to 'Enabled' - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.10 - Ensure 'Allow Public Network Access' is set to 'Disabled' - Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.11 - Ensure private endpoints are used to access Azure Databricks workspaces - Azure > CIS v5.0 > 2 - Analytics Services > Maximum Attestation Duration - Azure > CIS v5.0 > 3 - Compute Services - Azure > CIS v5.0 > 3 - Compute Services > 3.01 - Virtual Machines - Azure > CIS v5.0 > 3 - Compute Services > 3.01 - Virtual Machines > 3.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine - Azure > CIS v5.0 > 3 - Compute Services > 3.01 - Virtual Machines > 3.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine > Attestation - Azure > CIS v5.0 > 3 - Compute Services > Maximum Attestation Duration - Azure > CIS v5.0 > 5 - Identity Services - Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) - Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID - Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users - Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled - Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.01 - Ensure that 'trusted locations' are defined - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.03 - Ensure that an exclusionary Device code flow policy is considered - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.03 - Ensure that an exclusionary Device code flow policy is considered > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.04 - Ensure that a multifactor authentication policy exists for all users - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.04 - Ensure that a multifactor authentication policy exists for all users > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.05 - Ensure that multifactor authentication is required for risky sign-ins - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.05 - Ensure that multifactor authentication is required for risky sign-ins > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.06 - Ensure that multifactor authentication is required for Windows Azure Service Management API - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.07 - Ensure that multifactor authentication is required to access Microsoft Admin Portals - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.08 - Ensure a Token Protection Conditional Access policy is considered - Azure > CIS v5.0 > 5 - Identity Services > 5.02 - Conditional Access > 5.02.08 - Ensure a Token Protection Conditional Access policy is considered > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.01 - Ensure that Azure admin accounts are not used for daily operations - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.01 - Ensure that Azure admin accounts are not used for daily operations > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.02 - Ensure that guest users are reviewed on a regular basis - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.03 - Ensure that use of the 'User Access Administrator' role is restricted - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.05 - Ensure disabled user accounts do not have read, write, or owner permissions - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.05 - Ensure disabled user accounts do not have read, write, or owner permissions > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.06 - Ensure 'Tenant Creator' role assignments are periodically reviewed - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.06 - Ensure 'Tenant Creator' role assignments are periodically reviewed > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.07 - Ensure all non-privileged role assignments are periodically reviewed - Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.07 - Ensure all non-privileged role assignments are periodically reviewed > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.04 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' - Azure > CIS v5.0 > 5 - Identity Services > 5.04 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.05 - Ensure that 'Number of methods required to reset' is set to '2' - Azure > CIS v5.0 > 5 - Identity Services > 5.05 - Ensure that 'Number of methods required to reset' is set to '2' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10' - Azure > CIS v5.0 > 5 - Identity Services > 5.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' - Azure > CIS v5.0 > 5 - Identity Services > 5.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.08 - Ensure that a 'Custom banned password list' is set to 'Enforce' - Azure > CIS v5.0 > 5 - Identity Services > 5.08 - Ensure that a 'Custom banned password list' is set to 'Enforce' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' - Azure > CIS v5.0 > 5 - Identity Services > 5.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.10 - Ensure that 'Notify users on password resets?' is set to 'Yes' - Azure > CIS v5.0 > 5 - Identity Services > 5.10 - Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.11 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' - Azure > CIS v5.0 > 5 - Identity Services > 5.11 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.12 - Ensure that 'User consent for applications' is set to 'Do not allow user consent' - Azure > CIS v5.0 > 5 - Identity Services > 5.12 - Ensure that 'User consent for applications' is set to 'Do not allow user consent' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.13 - Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions' - Azure > CIS v5.0 > 5 - Identity Services > 5.13 - Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.14 - Ensure that 'Users can register applications' is set to 'No' - Azure > CIS v5.0 > 5 - Identity Services > 5.15 - Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' - Azure > CIS v5.0 > 5 - Identity Services > 5.15 - Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles [...]' or 'No one [..]' - Azure > CIS v5.0 > 5 - Identity Services > 5.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles [...]' or 'No one [..]' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.17 - Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes' - Azure > CIS v5.0 > 5 - Identity Services > 5.17 - Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.18 - Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes' - Azure > CIS v5.0 > 5 - Identity Services > 5.18 - Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v5.0 > 5 - Identity Services > 5.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' - Azure > CIS v5.0 > 5 - Identity Services > 5.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v5.0 > 5 - Identity Services > 5.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' - Azure > CIS v5.0 > 5 - Identity Services > 5.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.23 - Ensure That No Custom Subscription Administrator Roles Exist - Azure > CIS v5.0 > 5 - Identity Services > 5.24 - Ensure that a custom role is assigned permissions for administering resource locks - Azure > CIS v5.0 > 5 - Identity Services > 5.24 - Ensure that a custom role is assigned permissions for administering resource locks > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.25 - Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' - Azure > CIS v5.0 > 5 - Identity Services > 5.25 - Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.26 - Ensure fewer than 5 users have global administrator assignment - Azure > CIS v5.0 > 5 - Identity Services > 5.27 - Ensure there are between 2 and 3 subscription owners - Azure > CIS v5.0 > 5 - Identity Services > 5.27 - Ensure there are between 2 and 3 subscription owners > Attestation - Azure > CIS v5.0 > 5 - Identity Services > 5.28 - Ensure passwordless authentication methods are considered - Azure > CIS v5.0 > 5 - Identity Services > 5.28 - Ensure passwordless authentication methods are considered > Attestation - Azure > CIS v5.0 > 5 - Identity Services > Maximum Attestation Duration - Azure > CIS v5.0 > 6 - Management and Governance Services - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs > Attestation - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.02 - Ensure Diagnostic Setting captures appropriate categories - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.03 - Ensure the storage account containing the container with activity logs is encrypted with customer-managed key (CMK) - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.04 - Ensure that logging for Azure Key Vault is 'Enabled' - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics > Attestation - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination > Attestation - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination > Attestation - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics > Attestation - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.11 - Ensure that an Activity Log Alert exists for Service Health - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.03 - Configuring Application Insights - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.03 - Configuring Application Insights > 6.01.03.01 - Ensure Application Insights are Configured - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources - Azure > CIS v5.0 > 6 - Management and Governance Services > 6.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation - Azure > CIS v5.0 > 6 - Management and Governance Services > Maximum Attestation Duration - Azure > CIS v5.0 > 7 - Networking Services - Azure > CIS v5.0 > 7 - Networking Services > Maximum Attestation Duration - Azure > CIS v5.0 > 7 - Networking Services > 7.01 - Ensure that RDP access from the Internet is evaluated and restricted - Azure > CIS v5.0 > 7 - Networking Services > 7.02 - Ensure that SSH access from the Internet is evaluated and restricted - Azure > CIS v5.0 > 7 - Networking Services > 7.03 - Ensure that UDP access from the Internet is evaluated and restricted - Azure > CIS v5.0 > 7 - Networking Services > 7.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted - Azure > CIS v5.0 > 7 - Networking Services > 7.05 - Ensure that network security group flow log retention days is set to greater than or equal to 90 - Azure > CIS v5.0 > 7 - Networking Services > 7.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use - Azure > CIS v5.0 > 7 - Networking Services > 7.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis - Azure > CIS v5.0 > 7 - Networking Services > 7.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis > Attestation - Azure > CIS v5.0 > 7 - Networking Services > 7.08 - Ensure that virtual network flow log retention days is set to greater than or equal to 90 - Azure > CIS v5.0 > 7 - Networking Services > 7.09 - Ensure 'Authentication type' is set to 'Azure Active Directory' only for Azure VPN Gateway point-to-site configuration - Azure > CIS v5.0 > 7 - Networking Services > 7.10 - Ensure Azure Web Application Firewall (WAF) is enabled on Azure Application Gateway - Azure > CIS v5.0 > 7 - Networking Services > 7.11 - Ensure subnets are associated with network security groups - Azure > CIS v5.0 > 7 - Networking Services > 7.12 - Ensure the SSL policy's 'Min protocol version' is set to 'TLSv1_2' or higher on Azure Application Gateway - Azure > CIS v5.0 > 7 - Networking Services > 7.13 - Ensure 'HTTP2' is set to 'Enabled' on Azure Application Gateway - Azure > CIS v5.0 > 7 - Networking Services > 7.14 - Ensure request body inspection is enabled in Azure Web Application Firewall policy on Azure Application Gateway - Azure > CIS v5.0 > 7 - Networking Services > 7.15 - Ensure bot protection is enabled in Azure Web Application Firewall policy on Azure Application Gateway - Azure > CIS v5.0 > 7 - Networking Services > 7.16 - Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources - Azure > CIS v5.0 > 7 - Networking Services > 7.16 - Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources > Attestation - Azure > CIS v5.0 > 8 - Security Services - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.01 - Microsoft Cloud Security Posture Management (CSPM) - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 8.01.01.01 - Ensure Microsoft Defender CSPM is set to 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.02 - Defender Plan: APIs - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.02 - Defender Plan: APIs > 8.01.02.01 - Ensure Microsoft Defender for APIs is set to 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.01 - Ensure that Defender for Servers is set to 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' > Attestation - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' > Attestation - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.03 - Defender Plan: Servers > 8.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' > Attestation - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.04 - Defender Plan: Containers - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.04 - Defender Plan: Containers > 8.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage > 8.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage > 8.01.05.02 - Ensure Advanced Threat Protection Alerts for Storage Accounts Are Monitored - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.05 - Defender Plan: Storage > 8.01.05.02 - Ensure Advanced Threat Protection Alerts for Storage Accounts Are Monitored > Attestation - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.06 - Defender Plan: App Service - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.06 - Defender Plan: App Service > 8.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.07 - Defender Plan: Databases > 8.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.08 - Defender Plan: Key Vault - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.08 - Defender Plan: Key Vault > 8.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.09 - Defender Plan: Resource Manager - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.09 - Defender Plan: Resource Manager > 8.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates > Attestation - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.11 - Ensure That Microsoft Cloud Security Benchmark policies are not set to 'Disabled' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.11 - Ensure That Microsoft Cloud Security Benchmark policies are not set to 'Disabled' > Attestation - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.12 - Ensure That 'All users with the following roles' is set to 'Owner' - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.14 - Ensure that 'Notify about alerts with the following severity (or higher)' is enabled - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.15 - Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled - Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled > Attestation - Azure > CIS v5.0 > 8 - Security Services > 8.02 - Microsoft Defender for IoT - Azure > CIS v5.0 > 8 - Security Services > 8.02 - Microsoft Defender for IoT > 8.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' - Azure > CIS v5.0 > 8 - Security Services > 8.02 - Microsoft Defender for IoT > 8.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' > Attestation - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.05 - Ensure 'Purge protection' is set to 'Enabled' - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.06 - Ensure that Role Based Access Control for Azure Key Vault is enabled - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.07 - Ensure Public Network Access is Disabled - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.08 - Ensure Private Endpoints are used to access Azure Key Vault - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.09 - Ensure automatic key rotation is enabled within Azure Key Vault - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.10 - Ensure that Azure Key Vault Managed HSM is used when required - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.10 - Ensure that Azure Key Vault Managed HSM is used when required > Attestation - Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.11 - Ensure certificate 'Validity Period (in months)' is less than or equal to '12' - Azure > CIS v5.0 > 8 - Security Services > 8.04 - Azure Bastion - Azure > CIS v5.0 > 8 - Security Services > 8.04 - Azure Bastion > 8.04.01 - Ensure an Azure Bastion Host Exists - Azure > CIS v5.0 > 8 - Security Services > 8.05 - Ensure Azure DDoS Network Protection is enabled on virtual networks - Azure > CIS v5.0 > 8 - Security Services > Maximum Attestation Duration - Azure > CIS v5.0 > 9 - Storage Services - Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files - Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.01 - Ensure soft delete for Azure File Shares is Enabled - Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.02 - Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares - Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.03 - Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares - Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage - Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.01 - Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled - Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.02 - Ensure that soft delete for containers on Azure Blob Storage storage accounts is Enabled - Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.03 - Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.01 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.02 - Ensure that Storage Account Access Keys are Periodically Regenerated - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.02 - Ensure that Storage Account Access Keys are Periodically Regenerated > Attestation - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.03 - Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled' - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.01 - Ensure Private Endpoints are used to access Storage Accounts - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.02 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.03 - Ensure default network access rule for storage accounts is set to deny - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.03 - Identity and Access Management - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.03 - Identity and Access Management > 9.03.03.01 - Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled' - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.04 - Ensure that 'Secure transfer required' is set to 'Enabled' - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.05 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.06 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.07 - Ensure 'Cross Tenant Replication' is not enabled - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.08 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.09 - Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.09 - Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts > Attestation - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.10 - Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.10 - Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts > Attestation - Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.11 - Ensure Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts - Azure > CIS v5.0 > 9 - Storage Services > Maximum Attestation Duration - Azure > CIS v5.0 > Maximum Attestation Duration _Note_ This mod requires `@turbot/azure-storage` v5.31.0 or higher for the Storage Services (Section 9) controls to function correctly.

aws-sns v5.20.1 - Encryption at Rest control now correctly skips Guardrails-managed SNS topics

Wed, 11 Feb 2026 09:00:00 GMT

_Bug fixes_ - The `AWS > SNS > Topic > Encryption at Rest` control now correctly skips Guardrails-managed SNS topics created by the Event Handlers stack. Previously, when encryption was set to Enforce, the control would repeatedly attempt to update the `KmsMasterKeyId` attribute on these topics, conflicting with the Event Handler stack and causing a loop of `SetTopicAttributes` CloudTrail events.

aws-pciv3-2-1 v5.1.2 - Fixed mod installation failure and policy mappings in various control types

Wed, 11 Feb 2026 09:00:00 GMT

_Bug fixes_ - Fixed mod installation failure by adding `@turbot/aws-vpc-connect` peer dependency required by `aws-vpc-security 5.16.1`. - Fixed policy mappings in various control types.

aws-cisv6-0 v5.0.1 - Fixed mod installation failure by adding missing peer dependency

Wed, 11 Feb 2026 09:00:00 GMT

_Bug fixes_ - Fixed mod installation failure by adding `@turbot/aws-vpc-connect` peer dependency required by `aws-vpc-security 5.16.1`.

aws-cisv5-0 v5.0.1 - Fixed mod installation failure by adding missing peer dependency

Wed, 11 Feb 2026 09:00:00 GMT

_Bug fixes_ - Fixed mod installation failure by adding `@turbot/aws-vpc-connect` peer dependency required by `aws-vpc-security 5.16.1`.

aws-cisv4-0 v5.0.1 - Fixed mod installation failure by adding missing peer dependency

Wed, 11 Feb 2026 09:00:00 GMT

_Bug fixes_ - Fixed mod installation failure by adding `@turbot/aws-vpc-connect` peer dependency required by `aws-vpc-security 5.16.1`.

aws-cisv3-0 v5.0.9 - Fixed mod installation failure by adding missing peer dependency

Wed, 11 Feb 2026 09:00:00 GMT

_Bug fixes_ - Fixed mod installation failure by adding `@turbot/aws-vpc-connect` peer dependency required by `aws-vpc-security 5.16.1`.

aws-cisv2-0 v5.0.7 - Fixed mod installation failure by adding missing peer dependency

Wed, 11 Feb 2026 09:00:00 GMT

_Bug fixes_ - Fixed mod installation failure by adding `@turbot/aws-vpc-connect` peer dependency required by `aws-vpc-security 5.16.1`.

aws-cisv1 v5.0.12 - Fixed mod installation failure by adding missing peer dependency

Wed, 11 Feb 2026 09:00:00 GMT

_Bug fixes_ - Fixed mod installation failure by adding `@turbot/aws-vpc-connect` peer dependency required by `aws-vpc-security 5.16.1`.

aws-cisv1-4 v5.0.11 - Fixed mod installation failure by adding missing peer dependency

Wed, 11 Feb 2026 09:00:00 GMT

_Bug fixes_ - Fixed mod installation failure by adding `@turbot/aws-vpc-connect` peer dependency required by `aws-vpc-security 5.16.1`.

Turbot Guardrails Enterprise (TE) v5.57.0 - OCI tenancy import and automatic mod dependency resolution

Mon, 09 Feb 2026 09:00:00 GMT

_What's new?_ - Server - Added support for importing OCI (Oracle Cloud Infrastructure) tenancies into Guardrails, including connectivity testing to validate credentials before import. - Added automatic dependency resolution for mod installation. - UI - Added an OCI tenancy import wizard to the cloud services import flow, guiding users through credential configuration and connectivity testing. _Requirements_ - Upgrade to `5.57.0` requires your workspace to be on `5.55.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.57.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-cisv4-0 v5.0.1 - Fixed various CIS v4.0 controls that were in error state or requiring manual attestation

Mon, 09 Feb 2026 09:00:00 GMT

_Bug fixes_ - The `Azure > CIS v4.0 > 10 - Storage Services > 10.02 - Azure Blob Storage > 10.02.01 - Ensure that soft delete for blobs on Azure Blob Storage storage accounts is enabled` control would go into an error state when the `blobDeleteRetentionPolicy` property was `null` for FileStorage accounts. This is now fixed. - The `06.02.06`, `06.02.07`, and `06.26` controls now automatically evaluate compliance instead of requiring manual attestation. Their default policy values were corrected from `Check: Benchmark using attestation` to `Check: Benchmark`.

aws v5.43.4 - CMDB control for account now gracefully handles missing account credentials in organization imports

Mon, 09 Feb 2026 09:00:00 GMT

_Bug fixes_ - The `AWS > Account > CMDB` control previously entered an error state for accounts upserted into the Guardrails CMDB as part of an AWS organization when Guardrails lacked permission to retrieve account-specific details. The control now gracefully handles missing account credentials by skipping account-specific API calls while still populating organization-level data. We recommend upgrading your workspace TE version to 5.57.0 or later to ensure this behavior works as expected. - The `AWS > Account > Discovery` control previously entered an error state on workspaces running TE versions earlier than 5.56.0 due to incorrect GraphQL query dependencies. This issue has been resolved, and the control now works as expected.

aws-ec2 v5.51.1 - AMI CMDB control will no longer enter an error state due to a missing AWS SDK dependency

Mon, 09 Feb 2026 09:00:00 GMT

_Bug fixes_ - The `AWS > EC2 > AMI > CMDB` control would go into an error state due to a missing AWS SDK dependency. This is now fixed.

Turbot Guardrails Enterprise (TE) v5.55.3 - Resolved hanging issue when attaching multiple policy packs

Fri, 06 Feb 2026 09:00:00 GMT

_Bug fixes_ - Server - Fixed an issue that could cause policy pack attachments to hang when attaching multiple policy packs to a resource. _Requirements_ - Upgrade to `5.55.3` requires your workspace to be on `5.54.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.54.14 - Resolved hanging issue when attaching multiple policy packs

Fri, 06 Feb 2026 09:00:00 GMT

_Bug fixes_ - Server - Fixed an issue that could cause policy pack attachments to hang when attaching multiple policy packs to a resource. _Notes_ - Versions `5.54.15`, `5.54.16`, and `5.54.17` include version bumps only and contain no additional functional changes beyond those listed in `5.54.14`. _Requirements_ - Upgrade to `5.54.12` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.54.13 - Policy value mode materialization fix

Fri, 06 Feb 2026 09:00:00 GMT

_Bug fixes_ - Server - Policy values now use the correct mode when they’re materialized. _Requirements_ - Upgrade to `5.54.12` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-cisv3-0 v5.0.3 - Fixed various CIS v3.0 controls stuck in TBD state

Fri, 06 Feb 2026 09:00:00 GMT

_Bug fixes_ - The `Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.02 - Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server` control would get stuck in a TBD state. This is now fixed. - The `Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.05 - Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled` control would get stuck in a TBD state. This is now fixed. - The `Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.02 - Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server` control would get stuck in a TBD state. This is now fixed. - The `Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'` control would get stuck in a TBD state. This is now fixed. - The `Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.06 - [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server` control would incorrectly target PostgreSQL Flexible Server. This is now fixed. - The `Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.07 - [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server` control would incorrectly target PostgreSQL Flexible Server. This is now fixed.

azure-cisv2-0 v5.2.2 - Fixed CIS v2.0 logging and monitoring control error when referenced storage account does not exist

Fri, 06 Feb 2026 09:00:00 GMT

_Bug fixes_ - The `Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key` control would go into an error state when the storage account referenced in the log profile did not exist. This is now fixed.

aws-ec2 v5.51.0 - CMDB data for instances now includes AMI details

Fri, 06 Feb 2026 09:00:00 GMT

_What's new?_ - CMDB data for instances now also includes details of the AMIs associated with those instances.

Turbot Guardrails Enterprise (TE) v5.55.2 - Policy value mode materialization fix

Thu, 05 Feb 2026 09:00:00 GMT

_Bug fixes_ - Server - Policy values now use the correct mode when they're materialized. _Requirements_ - Upgrade to `5.55.2` requires your workspace to be on `5.54.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

oci-compute v5.0.0 is now available

Thu, 05 Feb 2026 09:00:00 GMT

_Resource Types_ - OCI > Compute - OCI > Compute > Instance _Control Types_ - OCI > Compute > Instance > Allowed - OCI > Compute > Instance > Allowed > Custom - OCI > Compute > Instance > Allowed > Region - OCI > Compute > Instance > CMDB - OCI > Compute > Instance > Defined Tags - OCI > Compute > Instance > Discovery - OCI > Compute > Instance > Freeform Tags _Policy Types_ - OCI > Compute > Allowed Regions [Default] - OCI > Compute > Instance > Allowed - OCI > Compute > Instance > Allowed > Custom - OCI > Compute > Instance > Allowed > Custom > Rules - OCI > Compute > Instance > Allowed > Region - OCI > Compute > Instance > Allowed > Region > Regions - OCI > Compute > Instance > CMDB - OCI > Compute > Instance > Defined Tags - OCI > Compute > Instance > Defined Tags > Template - OCI > Compute > Instance > Freeform Tags - OCI > Compute > Instance > Freeform Tags > Template - OCI > Compute > Regions _Action Types_ - OCI > Compute > Instance > Router - OCI > Compute > Instance > Update Defined Tags - OCI > Compute > Instance > Update Freeform Tags _Note_ To ensure compatibility and proper functioning of the mod, please upgrade TE to v5.57.0 or higher.

gcp v5.34.1 - CMDB control for project will no longer enter an error state for workspaces on TE v5.55.0 or lower

Thu, 05 Feb 2026 09:00:00 GMT

_Bug fixes_ - The `GCP > Project > CMDB` control entered an error state on workspaces running TE versions earlier than 5.56.0 due to an inadvertent bug in the GraphQL input query introduced in the previous version of the mod. This issue has been fixed, and the control now works as expected.

azure v5.35.2 - CMDB control for subscription will no longer enter an error state for workspaces on TE v5.55.0 or lower

Thu, 05 Feb 2026 09:00:00 GMT

_Bug fixes_ - The `Azure > Subscription > CMDB` control entered an error state on workspaces running TE versions earlier than 5.56.0 due to an inadvertent bug in the GraphQL input query introduced in the previous version of the mod. This issue has been fixed, and the control now works as expected.

azure v5.35.1 - Fixed an issue where deleted Azure Resource Groups could still appear in Guardrails

Thu, 05 Feb 2026 09:00:00 GMT

_Bug fixes_ - Fixed an issue where deleted Azure Resource Groups could still appear in Guardrails. The `Azure > Resource Group > CMDB` control now automatically refreshes every 24 hours to ensure deleted resources are properly removed.

aws v5.43.3 - Deprecated the Organization CMDB Exclude policy

Thu, 05 Feb 2026 09:00:00 GMT

_Policy Types_ _Renamed_ - `AWS > Organization > CMDB > Exclude` to `AWS > Organization > CMDB > Exclude [Deprecated]`

oci v5.0.0 is now available

Tue, 03 Feb 2026 09:00:00 GMT

_Resource Types_ - OCI - OCI > Compartment - OCI > Region - OCI > Tenancy _Control Types_ - OCI > Compartment > CMDB - OCI > Compartment > Defined Tags - OCI > Compartment > Discovery - OCI > Compartment > Freeform Tags - OCI > Region > Discovery - OCI > Tenancy > CMDB - OCI > Turbot - OCI > Turbot > Event Poller _Policy Types_ - OCI > Compartment > CMDB - OCI > Compartment > Defined Tags - OCI > Compartment > Defined Tags > Template - OCI > Compartment > Freeform Tags - OCI > Compartment > Freeform Tags > Template - OCI > Config - OCI > Config > Fingerprint - OCI > Config > Home Region - OCI > Config > Private Key - OCI > Config > Tenancy OCID - OCI > Config > User OCID - OCI > Login Names - OCI > Region > CMDB - OCI > Tenancy > Allowed Regions [Default] - OCI > Tenancy > CMDB - OCI > Tenancy > Defined Tags Template [Default] - OCI > Tenancy > Freeform Tags Template [Default] - OCI > Tenancy > Regions - OCI > Tenancy > Tags Template [Default] - OCI > Turbot - OCI > Turbot > Event Poller - OCI > Turbot > Event Poller > Excluded Events - OCI > Turbot > Event Poller > Interval - OCI > Turbot > Event Poller > Window _Action Types_ - OCI > Compartment > Router - OCI > Compartment > Update Defined Tags - OCI > Compartment > Update Freeform Tags - OCI > Tenancy > Event Handler _Note_ To ensure compatibility and proper functioning of the mod, please upgrade TE to v5.57.0 or higher.

oci-storage v5.0.0 is now available

Tue, 03 Feb 2026 09:00:00 GMT

_Resource Types_ - OCI > Storage - OCI > Storage > Block Volume - OCI > Storage > Boot Volume - OCI > Storage > Bucket - OCI > Storage > File System - OCI > Storage > Mount Target _Control Types_ - OCI > Storage > Block Volume > Allowed - OCI > Storage > Block Volume > Allowed > Custom - OCI > Storage > Block Volume > Allowed > Region - OCI > Storage > Block Volume > CMDB - OCI > Storage > Block Volume > Defined Tags - OCI > Storage > Block Volume > Discovery - OCI > Storage > Block Volume > Freeform Tags - OCI > Storage > Boot Volume > Allowed - OCI > Storage > Boot Volume > Allowed > Custom - OCI > Storage > Boot Volume > Allowed > Region - OCI > Storage > Boot Volume > CMDB - OCI > Storage > Boot Volume > Defined Tags - OCI > Storage > Boot Volume > Discovery - OCI > Storage > Boot Volume > Freeform Tags - OCI > Storage > Bucket > Allowed - OCI > Storage > Bucket > Allowed > Custom - OCI > Storage > Bucket > Allowed > Region - OCI > Storage > Bucket > CMDB - OCI > Storage > Bucket > Defined Tags - OCI > Storage > Bucket > Discovery - OCI > Storage > Bucket > Freeform Tags - OCI > Storage > File System > Allowed - OCI > Storage > File System > Allowed > Custom - OCI > Storage > File System > Allowed > Region - OCI > Storage > File System > CMDB - OCI > Storage > File System > Defined Tags - OCI > Storage > File System > Discovery - OCI > Storage > File System > Freeform Tags - OCI > Storage > Mount Target > Allowed - OCI > Storage > Mount Target > Allowed > Custom - OCI > Storage > Mount Target > Allowed > Region - OCI > Storage > Mount Target > CMDB - OCI > Storage > Mount Target > Defined Tags - OCI > Storage > Mount Target > Discovery - OCI > Storage > Mount Target > Freeform Tags _Policy Types_ - OCI > Storage > Allowed Regions [Default] - OCI > Storage > Block Volume > Allowed - OCI > Storage > Block Volume > Allowed > Custom - OCI > Storage > Block Volume > Allowed > Custom > Rules - OCI > Storage > Block Volume > Allowed > Region - OCI > Storage > Block Volume > Allowed > Region > Regions - OCI > Storage > Block Volume > CMDB - OCI > Storage > Block Volume > Defined Tags - OCI > Storage > Block Volume > Defined Tags > Template - OCI > Storage > Block Volume > Freeform Tags - OCI > Storage > Block Volume > Freeform Tags > Template - OCI > Storage > Boot Volume > Allowed - OCI > Storage > Boot Volume > Allowed > Custom - OCI > Storage > Boot Volume > Allowed > Custom > Rules - OCI > Storage > Boot Volume > Allowed > Region - OCI > Storage > Boot Volume > Allowed > Region > Regions - OCI > Storage > Boot Volume > CMDB - OCI > Storage > Boot Volume > Defined Tags - OCI > Storage > Boot Volume > Defined Tags > Template - OCI > Storage > Boot Volume > Freeform Tags - OCI > Storage > Boot Volume > Freeform Tags > Template - OCI > Storage > Bucket > Allowed - OCI > Storage > Bucket > Allowed > Custom - OCI > Storage > Bucket > Allowed > Custom > Rules - OCI > Storage > Bucket > Allowed > Region - OCI > Storage > Bucket > Allowed > Region > Regions - OCI > Storage > Bucket > CMDB - OCI > Storage > Bucket > Defined Tags - OCI > Storage > Bucket > Defined Tags > Template - OCI > Storage > Bucket > Freeform Tags - OCI > Storage > Bucket > Freeform Tags > Template - OCI > Storage > File System > Allowed - OCI > Storage > File System > Allowed > Custom - OCI > Storage > File System > Allowed > Custom > Rules - OCI > Storage > File System > Allowed > Region - OCI > Storage > File System > Allowed > Region > Regions - OCI > Storage > File System > CMDB - OCI > Storage > File System > Defined Tags - OCI > Storage > File System > Defined Tags > Template - OCI > Storage > File System > Freeform Tags - OCI > Storage > File System > Freeform Tags > Template - OCI > Storage > Mount Target > Allowed - OCI > Storage > Mount Target > Allowed > Custom - OCI > Storage > Mount Target > Allowed > Custom > Rules - OCI > Storage > Mount Target > Allowed > Region - OCI > Storage > Mount Target > Allowed > Region > Regions - OCI > Storage > Mount Target > CMDB - OCI > Storage > Mount Target > Defined Tags - OCI > Storage > Mount Target > Defined Tags > Template - OCI > Storage > Mount Target > Freeform Tags - OCI > Storage > Mount Target > Freeform Tags > Template - OCI > Storage > Regions _Action Types_ - OCI > Storage > Block Volume > Router - OCI > Storage > Block Volume > Update Defined Tags - OCI > Storage > Block Volume > Update Freeform Tags - OCI > Storage > Boot Volume > Router - OCI > Storage > Boot Volume > Update Defined Tags - OCI > Storage > Boot Volume > Update Freeform Tags - OCI > Storage > Bucket > Router - OCI > Storage > Bucket > Update Defined Tags - OCI > Storage > Bucket > Update Freeform Tags - OCI > Storage > File System > Router - OCI > Storage > File System > Update Defined Tags - OCI > Storage > File System > Update Freeform Tags - OCI > Storage > Mount Target > Router - OCI > Storage > Mount Target > Update Defined Tags - OCI > Storage > Mount Target > Update Freeform Tags _Note_ To ensure compatibility and proper functioning of the mod, please upgrade TE to v5.57.0 or higher.

azure-cisv4-0 v5.0.0 is now available

Tue, 03 Feb 2026 09:00:00 GMT

_Control Types_ - Azure > CIS v4.0 - Azure > CIS v4.0 > 02 - Common Reference Recommendations - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.01 - Microsoft Managed Keys (MMK) - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.01 - Microsoft Managed Keys (MMK) > 02.01.01.01.01 - Ensure Critical Data is Encrypted with Microsoft Managed Keys (MMK) - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.02 - Customer Managed Keys (CMK) - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.02 - Customer Managed Keys (CMK) > 02.01.01.02.01 - Ensure Critical Data is Encrypted with Customer Managed Keys (CMK) - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.01 - Ensure public network access is Disabled - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.02 - Ensure Network Access Rules are set to Deny-by-default - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.02 - Private Endpoints - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.02 - Private Endpoints > 02.02.02.01 - Ensure Private Endpoints are used to access {service} - Azure > CIS v4.0 > 03 - Analytics Services - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.01 - Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet) - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.02 - Ensure that network security groups are configured for Databricks subnets - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.03 - Ensure that traffic is encrypted between cluster worker nodes - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.04 - Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.05 - Ensure that Unity Catalog is configured for Azure Databricks - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.06 - Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.07 - Ensure that diagnostic log delivery is configured for Azure Databricks - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.08 - Ensure that data at rest and in transit is encrypted in Azure Databricks using customer managed keys (CMK) - Azure > CIS v4.0 > 04 - Compute Services - Azure > CIS v4.0 > 04 - Compute Services > 04.01 - Virtual Machines - Azure > CIS v4.0 > 04 - Compute Services > 04.01 - Virtual Machines > 04.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine - Azure > CIS v4.0 > 06 - Identity Services - Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) - Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID - Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users - Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.01 - Ensure that 'trusted locations' are defined - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.03 - Ensure that an exclusionary device code flow policy is considered - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.04 - Ensure that a multifactor authentication policy exists for all users - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.05 - Ensure that multifactor authentication is required for risky sign-ins - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.06 - Ensure that multifactor authentication is required for Windows Azure Service Management API - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.07 - Ensure that multifactor authentication is required to access Microsoft Admin Portals - Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews - Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.01 - Ensure that Azure admin accounts are not used for daily operations - Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.02 - Ensure that guest users are reviewed on a regular basis - Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.03 - Ensure that use of the 'User Access Administrator' role is restricted - Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed - Azure > CIS v4.0 > 06 - Identity Services > 06.04 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' - Azure > CIS v4.0 > 06 - Identity Services > 06.05 - Ensure that 'Number of methods required to reset' is set to '2' - Azure > CIS v4.0 > 06 - Identity Services > 06.06 - Ensure that account 'Lockout threshold' is less than or equal to '10' - Azure > CIS v4.0 > 06 - Identity Services > 06.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' - Azure > CIS v4.0 > 06 - Identity Services > 06.08 - Ensure that a 'Custom banned password list' is set to 'Enforce' - Azure > CIS v4.0 > 06 - Identity Services > 06.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' - Azure > CIS v4.0 > 06 - Identity Services > 06.10 - Ensure that 'Notify users on password resets?' is set to 'Yes' - Azure > CIS v4.0 > 06 - Identity Services > 06.11 - Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' - Azure > CIS v4.0 > 06 - Identity Services > 06.12 - Ensure that 'User consent for applications' is set to 'Do not allow user consent' - Azure > CIS v4.0 > 06 - Identity Services > 06.13 - Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions' - Azure > CIS v4.0 > 06 - Identity Services > 06.14 - Ensure that 'Users can register applications' is set to 'No' - Azure > CIS v4.0 > 06 - Identity Services > 06.15 - Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' - Azure > CIS v4.0 > 06 - Identity Services > 06.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' - Azure > CIS v4.0 > 06 - Identity Services > 06.17 - Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes' - Azure > CIS v4.0 > 06 - Identity Services > 06.18 - Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes' - Azure > CIS v4.0 > 06 - Identity Services > 06.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v4.0 > 06 - Identity Services > 06.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' - Azure > CIS v4.0 > 06 - Identity Services > 06.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v4.0 > 06 - Identity Services > 06.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' - Azure > CIS v4.0 > 06 - Identity Services > 06.23 - Ensure that no custom subscription administrator roles exist - Azure > CIS v4.0 > 06 - Identity Services > 06.24 - Ensure that a custom role is assigned permissions for administering resource locks - Azure > CIS v4.0 > 06 - Identity Services > 06.25 - Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' - Azure > CIS v4.0 > 06 - Identity Services > 06.26 - Ensure fewer than 5 users have global administrator assignment - Azure > CIS v4.0 > 07 - Management and Governance - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.02 - Ensure Diagnostic Setting captures appropriate categories - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.03 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.04 - Ensure that logging for Azure Key Vault is 'Enabled' - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.11 - Ensure that Activity Log Alert exists for Service Health - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.03 - Configuring Application Insights - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.03 - Configuring Application Insights > 07.01.03.01 - Ensure Application Insights are Configured - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) - Azure > CIS v4.0 > 07 - Management and Governance > 07.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources - Azure > CIS v4.0 > 08 - Networking - Azure > CIS v4.0 > 08 - Networking > 08.01 - Ensure that RDP access from the Internet is evaluated and restricted - Azure > CIS v4.0 > 08 - Networking > 08.02 - Ensure that SSH access from the Internet is evaluated and restricted - Azure > CIS v4.0 > 08 - Networking > 08.03 - Ensure that UDP access from the Internet is evaluated and restricted - Azure > CIS v4.0 > 08 - Networking > 08.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted - Azure > CIS v4.0 > 08 - Networking > 08.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Azure > CIS v4.0 > 08 - Networking > 08.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use - Azure > CIS v4.0 > 08 - Networking > 08.07 - Ensure that Public IP addresses are evaluated on a periodic basis - Azure > CIS v4.0 > 08 - Networking > 08.08 - Ensure that virtual network flow log retention days is set to greater than or equal to 90 - Azure > CIS v4.0 > 09 - Security Services - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.01 - Ensure that Defender for Servers is set to 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.04 - Defender Plan: Containers - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.04 - Defender Plan: Containers > 09.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.05 - Defender Plan: Storage - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.05 - Defender Plan: Storage > 09.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.06 - Defender Plan: App Service - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.06 - Defender Plan: App Service > 09.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.08 - Defender Plan: Key Vault - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.08 - Defender Plan: Key Vault > 09.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.09 - Defender Plan: Resource Manager - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.09 - Defender Plan: Resource Manager > 09.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.12 - Ensure That 'All users with the following roles' is set to 'Owner' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.14 - Ensure that 'Notify about alerts with the following severity (or higher)' is enabled - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.15 - Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.17 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.02 - Microsoft Defender for IoT - Azure > CIS v4.0 > 09 - Security Services > 09.02 - Microsoft Defender for IoT > 09.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.05 - Ensure the Key Vault is Recoverable - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.06 - Ensure that Role Based Access Control for Azure Key Vault is enabled - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.07 - Ensure that Public Network Access when using Private Endpoint is disabled - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.08 - Ensure that Private Endpoints are Used for Azure Key Vault - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.09 - Ensure automatic key rotation is enabled within Azure Key Vault - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.10 - Ensure that Azure Key Vault Managed HSM is used when required - Azure > CIS v4.0 > 09 - Security Services > 09.04 - Azure Bastion - Azure > CIS v4.0 > 09 - Security Services > 09.04 - Azure Bastion > 09.04.01 - Ensure an Azure Bastion Host Exists - Azure > CIS v4.0 > 10 - Storage Services - Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files - Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files > 10.01.01 - Ensure soft delete for Azure File Shares is Enabled - Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files > 10.01.02 - Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares - Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files > 10.01.03 - Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares - Azure > CIS v4.0 > 10 - Storage Services > 10.02 - Azure Blob Storage - Azure > CIS v4.0 > 10 - Storage Services > 10.02 - Azure Blob Storage > 10.02.01 - Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled - Azure > CIS v4.0 > 10 - Storage Services > 10.02 - Azure Blob Storage > 10.02.02 - Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.01 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.02 - Ensure that Storage Account access keys are periodically regenerated - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.03 - Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled' - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking > 10.03.02.01 - Ensure Private Endpoints are used to access Storage Accounts - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking > 10.03.02.02 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking > 10.03.02.03 - Ensure default network access rule for storage accounts is set to deny - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.03 - Identity and Access Management - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.03 - Identity and Access Management > 10.03.03.01 - Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled' - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.04 - Ensure that 'Secure transfer required' is set to 'Enabled' - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.05 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.06 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.07 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.08 - Ensure 'Cross Tenant Replication' is not enabled - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.09 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.10 - Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.11 - Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.12 - Ensure Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts _Policy Types_ - Azure > CIS v4.0 - Azure > CIS v4.0 > 02 - Common Reference Recommendations - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.01 - Microsoft Managed Keys (MMK) - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.01 - Microsoft Managed Keys (MMK) > 02.01.01.01.01 - Ensure Critical Data is Encrypted with Microsoft Managed Keys (MMK) - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.01 - Microsoft Managed Keys (MMK) > 02.01.01.01.01 - Ensure Critical Data is Encrypted with Microsoft Managed Keys (MMK) > Attestation - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.02 - Customer Managed Keys (CMK) - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.02 - Customer Managed Keys (CMK) > 02.01.01.02.01 - Ensure Critical Data is Encrypted with Customer Managed Keys (CMK) - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.02 - Customer Managed Keys (CMK) > 02.01.01.02.01 - Ensure Critical Data is Encrypted with Customer Managed Keys (CMK) > Attestation - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.01 - Ensure public network access is Disabled - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.01 - Ensure public network access is Disabled > Attestation - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.02 - Ensure Network Access Rules are set to Deny-by-default - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.02 - Ensure Network Access Rules are set to Deny-by-default > Attestation - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.02 - Private Endpoints - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.02 - Private Endpoints > 02.02.02.01 - Ensure Private Endpoints are used to access {service} - Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.02 - Private Endpoints > 02.02.02.01 - Ensure Private Endpoints are used to access {service} > Attestation - Azure > CIS v4.0 > 02 - Common Reference Recommendations > Maximum Attestation Duration - Azure > CIS v4.0 > 03 - Analytics Services - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.01 - Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet) - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.02 - Ensure that network security groups are configured for Databricks subnets - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.02 - Ensure that network security groups are configured for Databricks subnets > Attestation - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.03 - Ensure that traffic is encrypted between cluster worker nodes - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.03 - Ensure that traffic is encrypted between cluster worker nodes > Attestation - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.04 - Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.04 - Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks > Attestation - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.05 - Ensure that Unity Catalog is configured for Azure Databricks - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.05 - Ensure that Unity Catalog is configured for Azure Databricks > Attestation - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.06 - Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.06 - Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens > Attestation - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.07 - Ensure that diagnostic log delivery is configured for Azure Databricks - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.07 - Ensure that diagnostic log delivery is configured for Azure Databricks > Attestation - Azure > CIS v4.0 > 03 - Analytics Services > 03.01 - Azure Databricks > 03.01.08 - Ensure that data at rest and in transit is encrypted in Azure Databricks using customer managed keys (CMK) - Azure > CIS v4.0 > 03 - Analytics Services > Maximum Attestation Duration - Azure > CIS v4.0 > 04 - Compute Services - Azure > CIS v4.0 > 04 - Compute Services > 04.01 - Virtual Machines - Azure > CIS v4.0 > 04 - Compute Services > 04.01 - Virtual Machines > 04.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine - Azure > CIS v4.0 > 04 - Compute Services > 04.01 - Virtual Machines > 04.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine > Attestation - Azure > CIS v4.0 > 04 - Compute Services > Maximum Attestation Duration - Azure > CIS v4.0 > 06 - Identity Services - Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) - Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID - Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.01 - Ensure that 'security defaults' is enabled in Microsoft Entra ID > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users - Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.02 - Ensure that 'multifactor authentication' is 'enabled' for all users > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled - Azure > CIS v4.0 > 06 - Identity Services > 06.01 - Security Defaults (Per-User MFA) > 06.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.01 - Ensure that 'trusted locations' are defined - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.01 - Ensure that 'trusted locations' are defined > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.02 - Ensure that an exclusionary geographic Conditional Access policy is considered > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.03 - Ensure exclusionary device code flow policy is considered - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.03 - Ensure exclusionary device code flow policy is considered > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.04 - Ensure that a multifactor authentication policy exists for all users - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.04 - Ensure that a multifactor authentication policy exists for all users > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.05 - Ensure that multifactor authentication is required for risky sign-ins - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.05 - Ensure that multifactor authentication is required for risky sign-ins > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.06 - Ensure that multifactor authentication is required for Windows Azure Service Management API - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.06 - Ensure that multifactor authentication is required for Windows Azure Service Management API > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.07 - Ensure that multifactor authentication is required to access Microsoft Admin Portals - Azure > CIS v4.0 > 06 - Identity Services > 06.02 - Conditional Access > 06.02.07 - Ensure that multifactor authentication is required to access Microsoft Admin Portals > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews - Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.01 - Ensure that Azure admin accounts are not used for daily operations - Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.01 - Ensure that Azure admin accounts are not used for daily operations > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.02 - Ensure that guest users are reviewed on a regular basis - Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.02 - Ensure that guest users are reviewed on a regular basis > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.03 - Ensure that use of the 'User Access Administrator' role is restricted - Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed - Azure > CIS v4.0 > 06 - Identity Services > 06.03 - Periodic Identity Reviews > 06.03.04 - Ensure that all 'privileged' role assignments are periodically reviewed > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.04 - Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' - Azure > CIS v4.0 > 06 - Identity Services > 06.04 - Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.05 - Ensure 'Number of methods required to reset' is set to '2' - Azure > CIS v4.0 > 06 - Identity Services > 06.05 - Ensure 'Number of methods required to reset' is set to '2' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.06 - Ensure account 'Lockout threshold' is less than or equal to '10' - Azure > CIS v4.0 > 06 - Identity Services > 06.06 - Ensure account 'Lockout threshold' is less than or equal to '10' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.07 - Ensure 'Lockout duration in seconds' is greater than or equal to '60' - Azure > CIS v4.0 > 06 - Identity Services > 06.07 - Ensure 'Lockout duration in seconds' is greater than or equal to '60' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.08 - Ensure 'Custom banned password list' is set to 'Enforce' - Azure > CIS v4.0 > 06 - Identity Services > 06.08 - Ensure 'Custom banned password list' is set to 'Enforce' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.09 - Ensure 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' - Azure > CIS v4.0 > 06 - Identity Services > 06.09 - Ensure 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.10 - Ensure 'Notify users on password resets?' is set to 'Yes' - Azure > CIS v4.0 > 06 - Identity Services > 06.10 - Ensure 'Notify users on password resets?' is set to 'Yes' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.11 - Ensure 'Notify all admins when other admins reset their password?' is set to 'Yes' - Azure > CIS v4.0 > 06 - Identity Services > 06.11 - Ensure 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.12 - Ensure 'User consent for applications' is set to 'Do not allow user consent' - Azure > CIS v4.0 > 06 - Identity Services > 06.12 - Ensure 'User consent for applications' is set to 'Do not allow user consent' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.13 - Ensure user consent is 'Allow for verified publishers only' - Azure > CIS v4.0 > 06 - Identity Services > 06.13 - Ensure user consent is 'Allow for verified publishers only' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.14 - Ensure 'Users can register applications' is set to 'No' - Azure > CIS v4.0 > 06 - Identity Services > 06.15 - Ensure 'Guest users access restrictions' is properly configured - Azure > CIS v4.0 > 06 - Identity Services > 06.15 - Ensure 'Guest users access restrictions' is properly configured > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.16 - Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' - Azure > CIS v4.0 > 06 - Identity Services > 06.16 - Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.17 - Ensure 'Restrict access to Microsoft Entra admin center' is set to 'Yes' - Azure > CIS v4.0 > 06 - Identity Services > 06.17 - Ensure 'Restrict access to Microsoft Entra admin center' is set to 'Yes' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.18 - Ensure 'Restrict user ability to access groups features' is set to 'Yes' - Azure > CIS v4.0 > 06 - Identity Services > 06.18 - Ensure 'Restrict user ability to access groups features' is set to 'Yes' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.19 - Ensure 'Users can create security groups' is set to 'No' - Azure > CIS v4.0 > 06 - Identity Services > 06.19 - Ensure 'Users can create security groups' is set to 'No' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.20 - Ensure 'Owners can manage group membership requests in My Groups' is set to 'No' - Azure > CIS v4.0 > 06 - Identity Services > 06.20 - Ensure 'Owners can manage group membership requests in My Groups' is set to 'No' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.21 - Ensure 'Users can create M365 groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v4.0 > 06 - Identity Services > 06.21 - Ensure 'Users can create M365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.22 - Ensure 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' - Azure > CIS v4.0 > 06 - Identity Services > 06.22 - Ensure 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.23 - Ensure no custom subscription administrator roles exist - Azure > CIS v4.0 > 06 - Identity Services > 06.24 - Ensure custom role is assigned permissions for administering resource locks - Azure > CIS v4.0 > 06 - Identity Services > 06.24 - Ensure custom role is assigned permissions for administering resource locks > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.25 - Ensure 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' - Azure > CIS v4.0 > 06 - Identity Services > 06.25 - Ensure 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' > Attestation - Azure > CIS v4.0 > 06 - Identity Services > 06.26 - Ensure fewer than 5 users have global administrator assignment - Azure > CIS v4.0 > 06 - Identity Services > 06.26 - Ensure fewer than 5 users have global administrator assignment > Attestation - Azure > CIS v4.0 > 06 - Identity Services > Maximum Attestation Duration - Azure > CIS v4.0 > 07 - Management and Governance - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs > Attestation - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.02 - Ensure Diagnostic Setting captures appropriate categories - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.03 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.04 - Ensure that logging for Azure Key Vault is 'Enabled' - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics > Attestation - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination > Attestation - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination > Attestation - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics > Attestation - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.11 - Ensure that Activity Log Alert exists for Service Health - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.03 - Configuring Application Insights - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.03 - Configuring Application Insights > 07.01.03.01 - Ensure Application Insights are Configured - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.05 - Ensure SKU Basic/Consumption is not used on artifacts that need to be monitored - Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.05 - Ensure SKU Basic/Consumption is not used on artifacts that need to be monitored > Attestation - Azure > CIS v4.0 > 07 - Management and Governance > 07.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources - Azure > CIS v4.0 > 07 - Management and Governance > 07.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation - Azure > CIS v4.0 > 07 - Management and Governance > Maximum Attestation Duration - Azure > CIS v4.0 > 08 - Networking - Azure > CIS v4.0 > 08 - Networking > 08.01 - Ensure that RDP access from the Internet is evaluated and restricted - Azure > CIS v4.0 > 08 - Networking > 08.02 - Ensure that SSH access from the Internet is evaluated and restricted - Azure > CIS v4.0 > 08 - Networking > 08.03 - Ensure that UDP access from the Internet is evaluated and restricted - Azure > CIS v4.0 > 08 - Networking > 08.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted - Azure > CIS v4.0 > 08 - Networking > 08.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Azure > CIS v4.0 > 08 - Networking > 08.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use - Azure > CIS v4.0 > 08 - Networking > 08.07 - Ensure that Public IP addresses are evaluated on a periodic basis - Azure > CIS v4.0 > 08 - Networking > 08.07 - Ensure that Public IP addresses are evaluated on a periodic basis > Attestation - Azure > CIS v4.0 > 08 - Networking > 08.08 - Ensure that virtual network flow log retention days is set to greater than or equal to 90 - Azure > CIS v4.0 > 08 - Networking > Maximum Attestation Duration - Azure > CIS v4.0 > 09 - Security Services - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.01 - Ensure that Defender for Servers is set to 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' > Attestation - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On' > Attestation - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' > Attestation - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.03 - Defender Plan: Servers > 09.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' > Attestation - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.04 - Defender Plan: Containers - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.04 - Defender Plan: Containers > 09.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.05 - Defender Plan: Storage - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.05 - Defender Plan: Storage > 09.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.06 - Defender Plan: App Service - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.06 - Defender Plan: App Service > 09.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.07 - Defender Plan: Databases > 09.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.08 - Defender Plan: Key Vault - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.08 - Defender Plan: Key Vault > 09.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.09 - Defender Plan: Resource Manager - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.09 - Defender Plan: Resource Manager > 09.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.10 - Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates > Attestation - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' > Attestation - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.12 - Ensure That 'All users with the following roles' is set to 'Owner' - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.14 - Ensure that 'Notify about alerts with the following severity (or higher)' is enabled - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.15 - Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.16 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled > Attestation - Azure > CIS v4.0 > 09 - Security Services > 09.01 - Microsoft Defender for Cloud > 09.01.17 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.02 - Microsoft Defender for IoT - Azure > CIS v4.0 > 09 - Security Services > 09.02 - Microsoft Defender for IoT > 09.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' - Azure > CIS v4.0 > 09 - Security Services > 09.02 - Microsoft Defender for IoT > 09.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' > Attestation - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.05 - Ensure the Key Vault is Recoverable - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.06 - Ensure that Role Based Access Control for Azure Key Vault is enabled - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.07 - Ensure that Public Network Access when using Private Endpoint is disabled - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.08 - Ensure that Private Endpoints are Used for Azure Key Vault - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.09 - Ensure automatic key rotation is enabled within Azure Key Vault - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.10 - Ensure that Azure Key Vault Managed HSM is used when required - Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.10 - Ensure that Azure Key Vault Managed HSM is used when required > Attestation - Azure > CIS v4.0 > 09 - Security Services > 09.04 - Azure Bastion - Azure > CIS v4.0 > 09 - Security Services > 09.04 - Azure Bastion > 09.04.01 - Ensure an Azure Bastion Host Exists - Azure > CIS v4.0 > 09 - Security Services > Maximum Attestation Duration - Azure > CIS v4.0 > 10 - Storage Services - Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files - Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files > 10.01.01 - Ensure soft delete for Azure File Shares is Enabled - Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files > 10.01.02 - Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares - Azure > CIS v4.0 > 10 - Storage Services > 10.01 - Azure Files > 10.01.03 - Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares - Azure > CIS v4.0 > 10 - Storage Services > 10.02 - Azure Blob Storage - Azure > CIS v4.0 > 10 - Storage Services > 10.02 - Azure Blob Storage > 10.02.01 - Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled - Azure > CIS v4.0 > 10 - Storage Services > 10.02 - Azure Blob Storage > 10.02.02 - Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.01 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.01 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account > Attestation - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.02 - Ensure that Storage Account access keys are periodically regenerated - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.02 - Ensure that Storage Account access keys are periodically regenerated > Attestation - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.03 - Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled' - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking > 10.03.02.01 - Ensure Private Endpoints are used to access Storage Accounts - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking > 10.03.02.02 - Ensure 'Public Network Access' is 'Disabled' - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.02 - Networking > 10.03.02.03 - Ensure default network access rule is set to deny - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.03 - Identity and Access Management - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.03 - Identity and Access Management > 10.03.03.01 - Ensure 'Default to Microsoft Entra authorization' is 'Enabled' - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.04 - Ensure 'Secure transfer required' is set to 'Enabled' - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.05 - Ensure 'Allow Azure services on trusted services list' is Enabled - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.06 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.07 - Ensure 'Minimum TLS version' is set to 'Version 1.2' - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.08 - Ensure 'Cross Tenant Replication' is not enabled - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.09 - Ensure 'Allow Blob Anonymous Access' is set to 'Disabled' - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.10 - Ensure Azure Resource Manager Delete locks are applied - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.10 - Ensure Azure Resource Manager Delete locks are applied > Attestation - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.11 - Ensure Azure Resource Manager ReadOnly locks are considered - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.11 - Ensure Azure Resource Manager ReadOnly locks are considered > Attestation - Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.12 - Ensure Redundancy is set to 'geo-redundant storage (GRS)' for critical accounts - Azure > CIS v4.0 > 10 - Storage Services > Maximum Attestation Duration - Azure > CIS v4.0 > Maximum Attestation Duration _Note_ To ensure compatibility and proper functioning of the Guardrails Azure CIS v4 mod, we recommend updating all dependent mods to their latest versions.

aws-neptune v5.8.0 - CMDB control for DB Cluster Snapshot will no longer enter an error state when processing certain API responses

Tue, 03 Feb 2026 09:00:00 GMT

_Bug fixes_ - Fixed the `AWS > Neptune > DB Cluster Snapshot > CMDB` control that would enter an error state due to internal metadata being incorrectly stored in the resource data. This is now fixed. _Control Types_ - AWS > Neptune > DB Cluster > Allowed - AWS > Neptune > DB Cluster > Allowed > Custom - AWS > Neptune > DB Cluster > Allowed > Region - AWS > Neptune > DB Instance > Allowed - AWS > Neptune > DB Instance > Allowed > Custom - AWS > Neptune > DB Instance > Allowed > Region _Policy Types_ - AWS > Neptune > DB Cluster > Allowed - AWS > Neptune > DB Cluster > Allowed > Custom - AWS > Neptune > DB Cluster > Allowed > Custom > Rules - AWS > Neptune > DB Cluster > Allowed > Region - AWS > Neptune > DB Cluster > Allowed > Region > Regions - AWS > Neptune > DB Instance > Allowed - AWS > Neptune > DB Instance > Allowed > Custom - AWS > Neptune > DB Instance > Allowed > Custom > Rules - AWS > Neptune > DB Instance > Allowed > Region - AWS > Neptune > DB Instance > Allowed > Region > Regions

aws-apigateway v5.16.1 - Tags control for API Gateway V2 resources will no longer fail due to invalid ARN error

Tue, 03 Feb 2026 09:00:00 GMT

_Bug fixes_ - The tags control previously failed for some API Gateway V2 resources due to an invalid ARN error, causing the control to remain in alarm even after tags were applied. This has now been fixed and the controls will work as expected.

aws-vpc-security v5.16.1 - Flow Log Discovery control will no longer fail when processing Flow Logs attached to Transit Gateways

Mon, 02 Feb 2026 09:00:00 GMT

_Bug fixes_ - The `AWS > VPC > Flow Log > Discovery` would go into an error state when processing Flow Logs attached to Transit Gateways or Transit Gateway Attachments. The control now correctly discovers Flow Logs attached to VPCs, Subnets, ENIs, Transit Gateways, and Transit Gateway Attachments.

gcp-cisv4-0 v5.0.0 is now available

Fri, 30 Jan 2026 09:00:00 GMT

_Control Types_ - GCP > CIS v4.0 - GCP > CIS v4.0 > 1 - Identity and Access Management - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.12 - Ensure API Keys Only Exist for Active Services - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.13 - Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.14 - Ensure API Keys Are Restricted to Only APIs That Application Needs Access - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.15 - Ensure API Keys Are Rotated Every 90 Days - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.17 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager - GCP > CIS v4.0 > 2 - Logging and Monitoring - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled' - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer - GCP > CIS v4.0 > 3 - Networking - GCP > CIS v4.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project - GCP > CIS v4.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects - GCP > CIS v4.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS - GCP > CIS v4.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC - GCP > CIS v4.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC - GCP > CIS v4.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet - GCP > CIS v4.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet - GCP > CIS v4.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - GCP > CIS v4.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites - GCP > CIS v4.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' - GCP > CIS v4.0 > 4 - Virtual Machines - GCP > CIS v4.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account - GCP > CIS v4.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs - GCP > CIS v4.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances - GCP > CIS v4.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project - GCP > CIS v4.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance - GCP > CIS v4.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances - GCP > CIS v4.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) - GCP > CIS v4.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled - GCP > CIS v4.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses - GCP > CIS v4.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections - GCP > CIS v4.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled - GCP > CIS v4.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects - GCP > CIS v4.0 > 5 - Storage - GCP > CIS v4.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible - GCP > CIS v4.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled - GCP > CIS v4.0 > 6 - Cloud SQL Database Services - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - GCP > CIS v4.0 > 7 - BigQuery - GCP > CIS v4.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible - GCP > CIS v4.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) - GCP > CIS v4.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets - GCP > CIS v4.0 > 7 - BigQuery > 7.04 - Ensure all data in BigQuery has been classified - GCP > CIS v4.0 > 8 - Dataproc - GCP > CIS v4.0 > 8 - Dataproc > 8.01 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key _Policy Types_ - GCP > CIS v4.0 - GCP > CIS v4.0 > 1 - Identity and Access Management - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used > Attestation - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts > Attestation - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts > Attestation - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.12 - Ensure API Keys Only Exist for Active Services - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.13 - Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.13 - Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps > Attestation - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.14 - Ensure API Keys Are Restricted to Only APIs That Application Needs Access - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.15 - Ensure API Keys Are Rotated Every 90 Days - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization > Attestation - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.17 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager - GCP > CIS v4.0 > 1 - Identity and Access Management > 1.17 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager > Attestation - GCP > CIS v4.0 > 1 - Identity and Access Management > Maximum Attestation Duration - GCP > CIS v4.0 > 2 - Logging and Monitoring - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' > Attestation - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled' - GCP > CIS v4.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer - GCP > CIS v4.0 > 2 - Logging and Monitoring > Maximum Attestation Duration - GCP > CIS v4.0 > 3 - Networking - GCP > CIS v4.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project - GCP > CIS v4.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects - GCP > CIS v4.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS - GCP > CIS v4.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC - GCP > CIS v4.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC - GCP > CIS v4.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet - GCP > CIS v4.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet - GCP > CIS v4.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - GCP > CIS v4.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites - GCP > CIS v4.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites > Attestation - GCP > CIS v4.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' - GCP > CIS v4.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' > Attestation - GCP > CIS v4.0 > 3 - Networking > Maximum Attestation Duration - GCP > CIS v4.0 > 4 - Virtual Machines - GCP > CIS v4.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account - GCP > CIS v4.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs - GCP > CIS v4.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances - GCP > CIS v4.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project - GCP > CIS v4.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance - GCP > CIS v4.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances - GCP > CIS v4.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) - GCP > CIS v4.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled - GCP > CIS v4.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses - GCP > CIS v4.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections - GCP > CIS v4.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections > Attestation - GCP > CIS v4.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled - GCP > CIS v4.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects - GCP > CIS v4.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects > Attestation - GCP > CIS v4.0 > 4 - Virtual Machines > Maximum Attestation Duration - GCP > CIS v4.0 > 5 - Storage - GCP > CIS v4.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible - GCP > CIS v4.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled - GCP > CIS v4.0 > 5 - Storage > Maximum Attestation Duration - GCP > CIS v4.0 > 6 - Cloud SQL Database Services - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges > Attestation - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > Maximum Attestation Duration - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > Maximum Attestation Duration - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > Maximum Attestation Duration - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - GCP > CIS v4.0 > 6 - Cloud SQL Database Services > Maximum Attestation Duration - GCP > CIS v4.0 > 7 - BigQuery - GCP > CIS v4.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible - GCP > CIS v4.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) - GCP > CIS v4.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets - GCP > CIS v4.0 > 7 - BigQuery > 7.04 - Ensure All Data in BigQuery Has Been Classified - GCP > CIS v4.0 > 7 - BigQuery > 7.04 - Ensure All Data in BigQuery Has Been Classified > Attestation - GCP > CIS v4.0 > 7 - BigQuery > Maximum Attestation Duration - GCP > CIS v4.0 > 8 - Dataproc - GCP > CIS v4.0 > 8 - Dataproc > 8.01 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key - GCP > CIS v4.0 > 8 - Dataproc > Maximum Attestation Duration - GCP > CIS v4.0 > Maximum Attestation Duration

azure-storage v5.31.0 - Protocol settings and versioning details now available in CMDB for storage accounts

Fri, 30 Jan 2026 09:00:00 GMT

_What's new?_ - Protocol settings and versioning details are now available in CMDB for storage accounts. _Control Types_ - Azure > Storage > Container > Allowed - Azure > Storage > Container > Allowed > Custom - Azure > Storage > FileShare > Allowed - Azure > Storage > FileShare > Allowed > Custom - Azure > Storage > Storage Account > Allowed - Azure > Storage > Storage Account > Allowed > Custom - Azure > Storage > Storage Account > Allowed > Region _Policy Types_ - Azure > Storage > Allowed Regions [Default] - Azure > Storage > Container > Allowed - Azure > Storage > Container > Allowed > Custom - Azure > Storage > Container > Allowed > Custom > Rules - Azure > Storage > FileShare > Allowed - Azure > Storage > FileShare > Allowed > Custom - Azure > Storage > FileShare > Allowed > Custom > Rules - Azure > Storage > Storage Account > Allowed - Azure > Storage > Storage Account > Allowed > Custom - Azure > Storage > Storage Account > Allowed > Custom > Rules - Azure > Storage > Storage Account > Allowed > Region - Azure > Storage > Storage Account > Allowed > Region > Regions

azure-network v5.29.1 - Private Endpoints Tags control now updates tags correctly

Fri, 30 Jan 2026 09:00:00 GMT

_Bug fixes_ - The `Azure > Network > Private Endpoints > Tags` control previously failed to update tags. This has now been fixed and the control will work as expected.

aws-mq v5.5.0 - Real-time event handlers now process tagging events for configuration resources

Fri, 30 Jan 2026 09:00:00 GMT

_What's new?_ - Real-time event handlers previously failed to process tagging and untagging events for configuration resources. This has now been fixed. _Action Types_ - AWS > Amazon MQ > Configuration > Router

Terraform Provider v1.13.1 - Fixed `turbot_control` data source GraphQL query error

Thu, 29 Jan 2026 09:00:00 GMT

_Bug fixes_ - Fixed a GraphQL syntax error when querying the `turbot_control` data source using control type and resource.

aws-cisv6-0 v5.0.0 is now available

Thu, 29 Jan 2026 09:00:00 GMT

_Control Types_ - AWS > CIS v6.0 - AWS > CIS v6.0 > 2 - Identity and Access Management - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.01 - Maintain current contact details - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.02 - Ensure security contact information is registered - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.03 - Ensure no 'root' user account access key exists - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.04 - Ensure MFA is enabled for the 'root' user account - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.05 - Ensure hardware MFA is enabled for the 'root' user account - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.06 - Eliminate use of the 'root' user for administrative and daily tasks - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.07 - Ensure IAM password policy requires minimum length of 14 or greater - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.08 - Ensure IAM password policy prevents password reuse - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.09 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.10 - Do not create access keys during initial setup for IAM users with a console password - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.11 - Ensure credentials unused for 45 days or more are disabled - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.12 - Ensure there is only one active access key for any single IAM user - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.13 - Ensure access keys are rotated every 90 days or less - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.14 - Ensure IAM users receive permissions only through groups - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.15 - Ensure IAM policies that allow full "_:_" administrative privileges are not attached - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.16 - Ensure a support role has been created to manage incidents with AWS Support - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.17 - Ensure IAM instance roles are used for AWS resource access from instances - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.18 - Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.19 - Ensure that IAM External Access Analyzer is enabled for all regions - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.20 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.21 - Ensure access to AWSCloudShellFullAccess is restricted - AWS > CIS v6.0 > 3 - Storage - AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) - AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests - AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.02 - Ensure MFA Delete is enabled on S3 buckets - AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.03 - Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary - AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.04 - Ensure that S3 is configured with 'Block Public Access' enabled - AWS > CIS v6.0 > 3 - Storage > 3.02 - Relational Database Service (RDS) - AWS > CIS v6.0 > 3 - Storage > 3.02 - Relational Database Service (RDS) > 3.02.01 - Ensure that encryption-at-rest is enabled for RDS Instances - AWS > CIS v6.0 > 3 - Storage > 3.02 - Relational Database Service (RDS) > 3.02.02 - Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances - AWS > CIS v6.0 > 3 - Storage > 3.02 - Relational Database Service (RDS) > 3.02.03 - Ensure that RDS instances are not publicly accessible - AWS > CIS v6.0 > 3 - Storage > 3.02 - Relational Database Service (RDS) > 3.02.04 - Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS - AWS > CIS v6.0 > 3 - Storage > 3.03 - Elastic File System (EFS) - AWS > CIS v6.0 > 3 - Storage > 3.03 - Elastic File System (EFS) > 3.03.01 - Ensure that encryption is enabled for EFS file systems - AWS > CIS v6.0 > 4 - Logging - AWS > CIS v6.0 > 4 - Logging > 4.01 - Ensure CloudTrail is enabled in all regions - AWS > CIS v6.0 > 4 - Logging > 4.02 - Ensure CloudTrail log file validation is enabled - AWS > CIS v6.0 > 4 - Logging > 4.03 - Ensure AWS Config is enabled in all regions - AWS > CIS v6.0 > 4 - Logging > 4.04 - Ensure that server access logging is enabled on the CloudTrail S3 bucket - AWS > CIS v6.0 > 4 - Logging > 4.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs - AWS > CIS v6.0 > 4 - Logging > 4.06 - Ensure rotation for customer-created symmetric CMKs is enabled - AWS > CIS v6.0 > 4 - Logging > 4.07 - Ensure VPC flow logging is enabled in all VPCs - AWS > CIS v6.0 > 4 - Logging > 4.08 - Ensure that object-level logging for write events is enabled for S3 buckets - AWS > CIS v6.0 > 4 - Logging > 4.09 - Ensure that object-level logging for read events is enabled for S3 buckets - AWS > CIS v6.0 > 5 - Monitoring - AWS > CIS v6.0 > 5 - Monitoring > 5.01 - Ensure unauthorized API calls are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.02 - Ensure management console sign-in without MFA is monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.03 - Ensure usage of the 'root' account is monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.04 - Ensure IAM policy changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.05 - Ensure CloudTrail configuration changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.06 - Ensure AWS Management Console authentication failures are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.08 - Ensure S3 bucket policy changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.09 - Ensure AWS Config configuration changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.10 - Ensure security group changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.11 - Ensure Network Access Control List (NACL) changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.12 - Ensure changes to network gateways are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.13 - Ensure route table changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.14 - Ensure VPC changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.15 - Ensure AWS Organizations changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.16 - Ensure AWS Security Hub is enabled - AWS > CIS v6.0 > 6 - Networking - AWS > CIS v6.0 > 6 - Networking > 6.01 - Elastic Compute Cloud (EC2) - AWS > CIS v6.0 > 6 - Networking > 6.01 - Elastic Compute Cloud (EC2) > 6.01.01 - Ensure EBS volume encryption is enabled in all regions - AWS > CIS v6.0 > 6 - Networking > 6.01 - Elastic Compute Cloud (EC2) > 6.01.02 - Ensure CIFS access is restricted to trusted networks to prevent unauthorized access - AWS > CIS v6.0 > 6 - Networking > 6.02 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v6.0 > 6 - Networking > 6.03 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v6.0 > 6 - Networking > 6.04 - Ensure no security groups allow ingress from ::/0 to remote server administration ports - AWS > CIS v6.0 > 6 - Networking > 6.05 - Ensure the default security group of every VPC restricts all traffic - AWS > CIS v6.0 > 6 - Networking > 6.06 - Ensure routing tables for VPC peering are 'least access' - AWS > CIS v6.0 > 6 - Networking > 6.07 - Ensure that the EC2 Metadata Service only allows IMDSv2 _Policy Types_ - AWS > CIS v6.0 - AWS > CIS v6.0 > 2 - Identity and Access Management - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.01 - Maintain current contact details - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.01 - Maintain current contact details > Attestation - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.02 - Ensure security contact information is registered - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.03 - Ensure no 'root' user account access key exists - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.04 - Ensure MFA is enabled for the 'root' user account - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.05 - Ensure hardware MFA is enabled for the 'root' user account - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.06 - Eliminate use of the 'root' user for administrative and daily tasks - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.07 - Ensure IAM password policy requires minimum length of 14 or greater - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.08 - Ensure IAM password policy prevents password reuse - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.09 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.10 - Do not create access keys during initial setup for IAM users with a console password - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.11 - Ensure credentials unused for 45 days or more are disabled - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.12 - Ensure there is only one active access key for any single IAM user - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.13 - Ensure access keys are rotated every 90 days or less - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.14 - Ensure IAM users receive permissions only through groups - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.15 - Ensure IAM policies that allow full "_:_" administrative privileges are not attached - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.16 - Ensure a support role has been created to manage incidents with AWS Support - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.17 - Ensure IAM instance roles are used for AWS resource access from instances - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.18 - Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.19 - Ensure that IAM External Access Analyzer is enabled for all regions - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.20 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.20 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.21 - Ensure access to AWSCloudShellFullAccess is restricted - AWS > CIS v6.0 > 2 - Identity and Access Management > 2.21 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation - AWS > CIS v6.0 > 2 - Identity and Access Management > Maximum Attestation Duration - AWS > CIS v6.0 > 3 - Storage - AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) - AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests - AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.02 - Ensure MFA Delete is enabled on S3 buckets - AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.03 - Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary - AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.03 - Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary > Attestation - AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.04 - Ensure that S3 is configured with 'Block Public Access' enabled - AWS > CIS v6.0 > 3 - Storage > 3.02 - Relational Database Service (RDS) - AWS > CIS v6.0 > 3 - Storage > 3.02 - Relational Database Service (RDS) > 3.02.01 - Ensure that encryption-at-rest is enabled for RDS Instances - AWS > CIS v6.0 > 3 - Storage > 3.02 - Relational Database Service (RDS) > 3.02.02 - Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances - AWS > CIS v6.0 > 3 - Storage > 3.02 - Relational Database Service (RDS) > 3.02.03 - Ensure that RDS instances are not publicly accessible - AWS > CIS v6.0 > 3 - Storage > 3.02 - Relational Database Service (RDS) > 3.02.04 - Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS - AWS > CIS v6.0 > 3 - Storage > 3.03 - Elastic File System (EFS) - AWS > CIS v6.0 > 3 - Storage > 3.03 - Elastic File System (EFS) > 3.03.01 - Ensure that encryption is enabled for EFS file systems - AWS > CIS v6.0 > 3 - Storage > Maximum Attestation Duration - AWS > CIS v6.0 > 4 - Logging - AWS > CIS v6.0 > 4 - Logging > 4.01 - Ensure CloudTrail is enabled in all regions - AWS > CIS v6.0 > 4 - Logging > 4.02 - Ensure CloudTrail log file validation is enabled - AWS > CIS v6.0 > 4 - Logging > 4.03 - Ensure AWS Config is enabled in all regions - AWS > CIS v6.0 > 4 - Logging > 4.04 - Ensure that server access logging is enabled on the CloudTrail S3 bucket - AWS > CIS v6.0 > 4 - Logging > 4.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs - AWS > CIS v6.0 > 4 - Logging > 4.06 - Ensure rotation for customer-created symmetric CMKs is enabled - AWS > CIS v6.0 > 4 - Logging > 4.07 - Ensure VPC flow logging is enabled in all VPCs - AWS > CIS v6.0 > 4 - Logging > 4.08 - Ensure that object-level logging for write events is enabled for S3 buckets - AWS > CIS v6.0 > 4 - Logging > 4.09 - Ensure that object-level logging for read events is enabled for S3 buckets - AWS > CIS v6.0 > 4 - Logging > Maximum Attestation Duration - AWS > CIS v6.0 > 5 - Monitoring - AWS > CIS v6.0 > 5 - Monitoring > 5.01 - Ensure unauthorized API calls are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.02 - Ensure management console sign-in without MFA is monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.03 - Ensure usage of the 'root' account is monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.04 - Ensure IAM policy changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.05 - Ensure CloudTrail configuration changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.06 - Ensure AWS Management Console authentication failures are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.08 - Ensure S3 bucket policy changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.09 - Ensure AWS Config configuration changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.10 - Ensure security group changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.11 - Ensure Network Access Control List (NACL) changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.12 - Ensure changes to network gateways are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.13 - Ensure route table changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.14 - Ensure VPC changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.15 - Ensure AWS Organizations changes are monitored - AWS > CIS v6.0 > 5 - Monitoring > 5.16 - Ensure AWS Security Hub is enabled - AWS > CIS v6.0 > 5 - Monitoring > Maximum Attestation Duration - AWS > CIS v6.0 > 6 - Networking - AWS > CIS v6.0 > 6 - Networking > 6.01 - Elastic Compute Cloud (EC2) - AWS > CIS v6.0 > 6 - Networking > 6.01 - Elastic Compute Cloud (EC2) > 6.01.01 - Ensure EBS volume encryption is enabled in all regions - AWS > CIS v6.0 > 6 - Networking > 6.01 - Elastic Compute Cloud (EC2) > 6.01.02 - Ensure CIFS access is restricted to trusted networks to prevent unauthorized access - AWS > CIS v6.0 > 6 - Networking > 6.02 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v6.0 > 6 - Networking > 6.03 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v6.0 > 6 - Networking > 6.04 - Ensure no security groups allow ingress from ::/0 to remote server administration ports - AWS > CIS v6.0 > 6 - Networking > 6.05 - Ensure the default security group of every VPC restricts all traffic - AWS > CIS v6.0 > 6 - Networking > 6.06 - Ensure routing tables for VPC peering are 'least access' - AWS > CIS v6.0 > 6 - Networking > 6.06 - Ensure routing tables for VPC peering are 'least access' > Attestation - AWS > CIS v6.0 > 6 - Networking > 6.07 - Ensure that the EC2 Metadata Service only allows IMDSv2 - AWS > CIS v6.0 > 6 - Networking > Maximum Attestation Duration - AWS > CIS v6.0 > Maximum Attestation Duration

Turbot Guardrails Enterprise (TE) v5.54.12 - Version bump to align with deployment requirements

Wed, 28 Jan 2026 09:00:00 GMT

Version bump to align with deployment requirements. _Requirements_ - Upgrade to `5.54.12` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

gcp-cisv3-0 v5.0.0 is now available

Wed, 28 Jan 2026 09:00:00 GMT

_Control Types_ - GCP > CIS v3.0 - GCP > CIS v3.0 > 1 - Identity and Access Management - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure API Keys Only Exist for Active Services - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure API Keys Are Restricted to Only APIs That Application Needs Access - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure API Keys Are Rotated Every 90 Days - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager - GCP > CIS v3.0 > 2 - Logging and Monitoring - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled' - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer - GCP > CIS v3.0 > 3 - Networking - GCP > CIS v3.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project - GCP > CIS v3.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects - GCP > CIS v3.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS - GCP > CIS v3.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC - GCP > CIS v3.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC - GCP > CIS v3.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet - GCP > CIS v3.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet - GCP > CIS v3.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - GCP > CIS v3.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites - GCP > CIS v3.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' - GCP > CIS v3.0 > 4 - Virtual Machines - GCP > CIS v3.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account - GCP > CIS v3.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs - GCP > CIS v3.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances - GCP > CIS v3.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project - GCP > CIS v3.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance - GCP > CIS v3.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances - GCP > CIS v3.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) - GCP > CIS v3.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled - GCP > CIS v3.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses - GCP > CIS v3.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections - GCP > CIS v3.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled - GCP > CIS v3.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects - GCP > CIS v3.0 > 5 - Storage - GCP > CIS v3.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible - GCP > CIS v3.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled - GCP > CIS v3.0 > 6 - Cloud SQL Database Services - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - GCP > CIS v3.0 > 7 - BigQuery - GCP > CIS v3.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible - GCP > CIS v3.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) - GCP > CIS v3.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets - GCP > CIS v3.0 > 7 - BigQuery > 7.04 - Ensure all data in BigQuery has been classified - GCP > CIS v3.0 > 8 - Dataproc - GCP > CIS v3.0 > 8 - Dataproc > 8.1 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key _Policy Types_ - GCP > CIS v3.0 - GCP > CIS v3.0 > 1 - Identity and Access Management - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used > Attestation - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts > Attestation - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts > Attestation - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure API Keys Only Exist for Active Services - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure API Keys Are Restricted to Only APIs That Application Needs Access - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure API Keys Are Rotated Every 90 Days - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization > Attestation - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager - GCP > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager > Attestation - GCP > CIS v3.0 > 1 - Identity and Access Management > Maximum Attestation Duration - GCP > CIS v3.0 > 2 - Logging and Monitoring - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' > Attestation - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled' - GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer - GCP > CIS v3.0 > 2 - Logging and Monitoring > Maximum Attestation Duration - GCP > CIS v3.0 > 3 - Networking - GCP > CIS v3.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project - GCP > CIS v3.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects - GCP > CIS v3.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS - GCP > CIS v3.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC - GCP > CIS v3.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC - GCP > CIS v3.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet - GCP > CIS v3.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet - GCP > CIS v3.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - GCP > CIS v3.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites - GCP > CIS v3.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' - GCP > CIS v3.0 > 3 - Networking > Maximum Attestation Duration - GCP > CIS v3.0 > 4 - Virtual Machines - GCP > CIS v3.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account - GCP > CIS v3.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs - GCP > CIS v3.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances - GCP > CIS v3.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project - GCP > CIS v3.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance - GCP > CIS v3.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances - GCP > CIS v3.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys - GCP > CIS v3.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled - GCP > CIS v3.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses - GCP > CIS v3.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections - GCP > CIS v3.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections > Attestation - GCP > CIS v3.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled - GCP > CIS v3.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects - GCP > CIS v3.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects > Attestation - GCP > CIS v3.0 > 4 - Virtual Machines > Maximum Attestation Duration - GCP > CIS v3.0 > 5 - Storage - GCP > CIS v3.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible - GCP > CIS v3.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled - GCP > CIS v3.0 > 5 - Storage > Maximum Attestation Duration - GCP > CIS v3.0 > 6 - Cloud SQL Database Services - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges > Attestation - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure that the 'Log_min_Messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - GCP > CIS v3.0 > 6 - Cloud SQL Database Services > Maximum Attestation Duration - GCP > CIS v3.0 > 7 - BigQuery - GCP > CIS v3.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible - GCP > CIS v3.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) - GCP > CIS v3.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets - GCP > CIS v3.0 > 7 - BigQuery > 7.04 - Ensure all data in BigQuery has been classified - GCP > CIS v3.0 > 7 - BigQuery > 7.04 - Ensure all data in BigQuery has been classified > Attestation - GCP > CIS v3.0 > 7 - BigQuery > Maximum Attestation Duration - GCP > CIS v3.0 > 8 - Dataproc - GCP > CIS v3.0 > 8 - Dataproc > 8.1 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key - GCP > CIS v3.0 > 8 - Dataproc > Maximum Attestation Duration - GCP > CIS v3.0 > Maximum Attestation Duration

aws-logs v5.17.1 - The metric filter discovery control will no longer end up in the DLQ

Wed, 28 Jan 2026 09:00:00 GMT

_Bug fixes_ - The `AWS > Logs > Metric Filter > Discovery` control was ending up in the DLQ for some metric filters. This has now been fixed, and the control works as expected.

aws-ec2 v5.50.2 - The CMDB control for AMIs will no longer fail due to missing `GetImageAncestry` API support

Tue, 27 Jan 2026 09:00:00 GMT

_Bug fixes_ - Fixed the `AWS > EC2 > AMI > CMDB` control that was failing due to missing support for the `GetImageAncestry` API in the AWS SDK. This is now fixed.

aws-cisv5-0 v5.0.0 is now available

Tue, 27 Jan 2026 09:00:00 GMT

_Control Types_ - AWS > CIS v5.0 - AWS > CIS v5.0 > 1 - Identity and Access Management - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.03 - Ensure no 'root' user account access key exists - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.04 - Ensure MFA is enabled for the 'root' user account - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.05 - Ensure hardware MFA is enabled for the 'root' user account - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.06 - Eliminate use of the 'root' user for administrative and daily tasks - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.07 - Ensure IAM password policy requires minimum length of 14 or greater - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy prevents password reuse - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.09 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.10 - Do not create access keys during initial setup for IAM users with a console password - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.11 - Ensure credentials unused for 45 days or more are disabled - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.12 - Ensure there is only one active access key for any single IAM user - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.13 - Ensure access keys are rotated every 90 days or less - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.14 - Ensure IAM Users Receive Permissions Only Through Groups - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM policies that allow full "_:_" administrative privileges are not attached - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.16 - Ensure a support role has been created to manage incidents with AWS Support - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.17 - Ensure IAM instance roles are used for AWS resource access from instances - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.18 - Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.19 - Ensure that IAM External Access Analyzer is enabled for all regions - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.20 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.21 - Ensure access to AWSCloudShellFullAccess is restricted - AWS > CIS v5.0 > 2 - Storage - AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) - AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests - AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets - AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary - AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 is configured with 'Block Public Access' enabled - AWS > CIS v5.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) - AWS > CIS v5.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.01 - Ensure that encryption-at-rest is enabled for RDS Instances - AWS > CIS v5.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.02 - Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances - AWS > CIS v5.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.03 - Ensure that RDS instances are not publicly accessible - AWS > CIS v5.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.04 - Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS - AWS > CIS v5.0 > 2 - Storage > 2.03 - Elastic File System (EFS) - AWS > CIS v5.0 > 2 - Storage > 2.03 - Elastic File System (EFS) > 2.03.01 - Ensure that encryption is enabled for EFS file systems - AWS > CIS v5.0 > 3 - Logging - AWS > CIS v5.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions - AWS > CIS v5.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled - AWS > CIS v5.0 > 3 - Logging > 3.03 - Ensure AWS Config is enabled in all regions - AWS > CIS v5.0 > 3 - Logging > 3.04 - Ensure that server access logging is enabled on the CloudTrail S3 bucket - AWS > CIS v5.0 > 3 - Logging > 3.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs - AWS > CIS v5.0 > 3 - Logging > 3.06 - Ensure rotation for customer-created symmetric CMKs is enabled - AWS > CIS v5.0 > 3 - Logging > 3.07 - Ensure that VPC flow logging is enabled in all VPCs - AWS > CIS v5.0 > 3 - Logging > 3.08 - Ensure that object-level logging for write events is enabled for S3 buckets - AWS > CIS v5.0 > 3 - Logging > 3.09 - Ensure that object-level logging for read events is enabled for S3 buckets - AWS > CIS v5.0 > 4 - Monitoring - AWS > CIS v5.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.03 - Ensure usage of the 'root' account is monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control List (NACL) changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled - AWS > CIS v5.0 > 5 - Networking - AWS > CIS v5.0 > 5 - Networking > 5.01 - EC2 - AWS > CIS v5.0 > 5 - Networking > 5.01 - EC2 > 5.01.01 - Ensure EBS Volume Encryption is Enabled in all Regions - AWS > CIS v5.0 > 5 - Networking > 5.01 - EC2 > 5.01.02 - Ensure CIFS access is restricted to trusted networks to prevent unauthorized access - AWS > CIS v5.0 > 5 - Networking > 5.02 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v5.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v5.0 > 5 - Networking > 5.04 - Ensure no security groups allow ingress from ::/0 to remote server administration ports - AWS > CIS v5.0 > 5 - Networking > 5.05 - Ensure the default security group of every VPC restricts all traffic - AWS > CIS v5.0 > 5 - Networking > 5.06 - Ensure routing tables for VPC peering are 'least access' - AWS > CIS v5.0 > 5 - Networking > 5.07 - Ensure that the EC2 Metadata Service only allows IMDSv2 _Policy Types_ - AWS > CIS v5.0 - AWS > CIS v5.0 > 1 - Identity and Access Management - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details > Attestation - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.03 - Ensure no 'root' user account access key exists - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.04 - Ensure MFA is enabled for the 'root' user account - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.05 - Ensure hardware MFA is enabled for the 'root' user account - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.06 - Eliminate use of the 'root' user for administrative and daily tasks - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.07 - Ensure IAM password policy requires minimum length of 14 or greater - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy prevents password reuse - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.09 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.10 - Do not create access keys during initial setup for IAM users with a console password - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.11 - Ensure credentials unused for 45 days or more are disabled - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.12 - Ensure there is only one active access key for any single IAM user - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.13 - Ensure access keys are rotated every 90 days or less - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.14 - Ensure IAM Users Receive Permissions Only Through Groups - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM policies that allow full "_:_" administrative privileges are not attached - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.16 - Ensure a support role has been created to manage incidents with AWS Support - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.17 - Ensure IAM instance roles are used for AWS resource access from instances - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.18 - Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.19 - Ensure that IAM External Access Analyzer is enabled for all regions - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.20 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.20 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.21 - Ensure access to AWSCloudShellFullAccess is restricted - AWS > CIS v5.0 > 1 - Identity and Access Management > 1.21 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation - AWS > CIS v5.0 > 1 - Identity and Access Management > Maximum Attestation Duration - AWS > CIS v5.0 > 2 - Storage - AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) - AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests - AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enable on S3 buckets - AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary - AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary > Attestation - AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 is configured with 'Block Public Access' enabled - AWS > CIS v5.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) - AWS > CIS v5.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.01 - Ensure that encryption-at-rest is enabled for RDS Instances - AWS > CIS v5.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.02 - Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances - AWS > CIS v5.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.03 - Ensure that RDS instances are not publicly accessible - AWS > CIS v5.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.04 - Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS - AWS > CIS v5.0 > 2 - Storage > 2.03 - Elastic File System (EFS) - AWS > CIS v5.0 > 2 - Storage > 2.03 - Elastic File System (EFS) > 2.03.01 - Ensure that encryption is enabled for EFS file systems - AWS > CIS v5.0 > 2 - Storage > Maximum Attestation Duration - AWS > CIS v5.0 > 3 - Logging - AWS > CIS v5.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions - AWS > CIS v5.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled - AWS > CIS v5.0 > 3 - Logging > 3.03 - Ensure AWS Config is enabled in all regions - AWS > CIS v5.0 > 3 - Logging > 3.04 - Ensure that server access logging is enabled on the CloudTrail S3 bucket - AWS > CIS v5.0 > 3 - Logging > 3.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs - AWS > CIS v5.0 > 3 - Logging > 3.06 - Ensure rotation for customer-created symmetric CMKs is enabled - AWS > CIS v5.0 > 3 - Logging > 3.07 - Ensure VPC flow logging is enabled in all VPCs - AWS > CIS v5.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket - AWS > CIS v5.0 > 3 - Logging > 3.09 - Ensure that object-level logging for read events is enabled for S3 buckets - AWS > CIS v5.0 > 3 - Logging > Maximum Attestation Duration - AWS > CIS v5.0 > 4 - Monitoring - AWS > CIS v5.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.03 - Ensure usage of the 'root' account is monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control List (NACL) changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored - AWS > CIS v5.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled - AWS > CIS v5.0 > 4 - Monitoring > Maximum Attestation Duration - AWS > CIS v5.0 > 5 - Networking - AWS > CIS v5.0 > 5 - Networking > 5.01 - EC2 - AWS > CIS v5.0 > 5 - Networking > 5.01 - EC2 > 5.01.01 - Ensure EBS Volume Encryption is Enabled in all Regions - AWS > CIS v5.0 > 5 - Networking > 5.01 - EC2 > 5.01.02 - Ensure CIFS access is restricted to trusted networks to prevent unauthorized access - AWS > CIS v5.0 > 5 - Networking > 5.02 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v5.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v5.0 > 5 - Networking > 5.04 - Ensure no security groups allow ingress from ::/0 to remote server administration ports - AWS > CIS v5.0 > 5 - Networking > 5.05 - Default SG Restricts All Traffic > Attestation - AWS > CIS v5.0 > 5 - Networking > 5.05 - Ensure the default security group of every VPC restricts all traffic - AWS > CIS v5.0 > 5 - Networking > 5.06 - Ensure routing tables for VPC peering are 'least access' - AWS > CIS v5.0 > 5 - Networking > 5.06 - Ensure routing tables for VPC peering are 'least access' > 5.06 - VPC Peering Routes Least Access > Attestation - AWS > CIS v5.0 > 5 - Networking > 5.07 - Ensure that the EC2 Metadata Service only allows IMDSv2 - AWS > CIS v5.0 > 5 - Networking > Maximum Attestation Duration - AWS > CIS v5.0 > Maximum Attestation Duration

azure-network v5.29.0 - Track and manage web application firewall policy resources in Guardrails

Mon, 26 Jan 2026 09:00:00 GMT

_Resource Types_ - Azure > Network > Web Application Firewall Policy _Control Types_ - Azure > Network > Web Application Firewall Policy > Active - Azure > Network > Web Application Firewall Policy > Allowed - Azure > Network > Web Application Firewall Policy > Allowed > Custom - Azure > Network > Web Application Firewall Policy > Allowed > Region - Azure > Network > Web Application Firewall Policy > CMDB - Azure > Network > Web Application Firewall Policy > Discovery - Azure > Network > Web Application Firewall Policy > Tags _Policy Types_ - Azure > Network > Web Application Firewall Policy > Active - Azure > Network > Web Application Firewall Policy > Active > Age - Azure > Network > Web Application Firewall Policy > Active > Last Modified - Azure > Network > Web Application Firewall Policy > Allowed - Azure > Network > Web Application Firewall Policy > Allowed > Custom - Azure > Network > Web Application Firewall Policy > Allowed > Custom > Rules - Azure > Network > Web Application Firewall Policy > Allowed > Region - Azure > Network > Web Application Firewall Policy > Allowed > Region > Regions - Azure > Network > Web Application Firewall Policy > CMDB - Azure > Network > Web Application Firewall Policy > Regions - Azure > Network > Web Application Firewall Policy > Tags - Azure > Network > Web Application Firewall Policy > Tags > Template _Action Types_ - Azure > Network > Web Application Firewall Policy > Delete - Azure > Network > Web Application Firewall Policy > Router - Azure > Network > Web Application Firewall Policy > Set Tags

azure-keyvault v5.20.0 - Track and manage certificate resources in Guardrails

Mon, 26 Jan 2026 09:00:00 GMT

_Resource Types_ - Azure > Key Vault > Certificate _Control Types_ - Azure > Key Vault > Certificate > Active - Azure > Key Vault > Certificate > Allowed - Azure > Key Vault > Certificate > Allowed > Custom - Azure > Key Vault > Certificate > Allowed > Region - Azure > Key Vault > Certificate > CMDB - Azure > Key Vault > Certificate > Discovery - Azure > Key Vault > Key > Allowed - Azure > Key Vault > Key > Allowed > Custom - Azure > Key Vault > Key > Allowed > Region - Azure > Key Vault > Secret > Allowed - Azure > Key Vault > Secret > Allowed > Custom - Azure > Key Vault > Secret > Allowed > Region - Azure > Key Vault > Vault > Allowed - Azure > Key Vault > Vault > Allowed > Custom - Azure > Key Vault > Vault > Allowed > Region _Policy Types_ - Azure > Key Vault > Allowed Regions [Default] - Azure > Key Vault > Certificate > Active - Azure > Key Vault > Certificate > Active > Age - Azure > Key Vault > Certificate > Active > Last Modified - Azure > Key Vault > Certificate > Allowed - Azure > Key Vault > Certificate > Allowed > Custom - Azure > Key Vault > Certificate > Allowed > Custom > Rules - Azure > Key Vault > Certificate > Allowed > Region - Azure > Key Vault > Certificate > Allowed > Region > Regions - Azure > Key Vault > Certificate > CMDB - Azure > Key Vault > Certificate > Regions - Azure > Key Vault > Key > Allowed - Azure > Key Vault > Key > Allowed > Custom - Azure > Key Vault > Key > Allowed > Custom > Rules - Azure > Key Vault > Key > Allowed > Region - Azure > Key Vault > Key > Allowed > Region > Regions - Azure > Key Vault > Secret > Allowed - Azure > Key Vault > Secret > Allowed > Custom - Azure > Key Vault > Secret > Allowed > Custom > Rules - Azure > Key Vault > Secret > Allowed > Region - Azure > Key Vault > Secret > Allowed > Region > Regions - Azure > Key Vault > Vault > Allowed - Azure > Key Vault > Vault > Allowed > Custom - Azure > Key Vault > Vault > Allowed > Custom > Rules - Azure > Key Vault > Vault > Allowed > Region - Azure > Key Vault > Vault > Allowed > Region > Regions _Action Types_ - Azure > Key Vault > Certificate > Delete

aws-cisv4-0 v5.0.0 is now available

Mon, 26 Jan 2026 09:00:00 GMT

_Control Types_ - AWS > CIS v4.0 - AWS > CIS v4.0 > 1 - Identity and Access Management - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.11 - Do not create access keys during initial setup for IAM users with a console password - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or more are disabled - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key for any single IAM user - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM users receive permissions only through groups - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "_:_" administrative privileges are not attached - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.19 - Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted - AWS > CIS v4.0 > 2 - Storage - AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) - AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests - AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets - AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary - AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 is configured with 'Block Public Access' enabled - AWS > CIS v4.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) - AWS > CIS v4.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.01 - Ensure that encryption-at-rest is enabled for RDS Instances - AWS > CIS v4.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.02 - Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances - AWS > CIS v4.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.03 - Ensure that RDS instances are not publicly accessible - AWS > CIS v4.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.04 - Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS - AWS > CIS v4.0 > 2 - Storage > 2.03 - Elastic File System (EFS) - AWS > CIS v4.0 > 2 - Storage > 2.03 - Elastic File System (EFS) > 2.03.01 - Ensure that encryption is enabled for EFS file systems - AWS > CIS v4.0 > 3 - Logging - AWS > CIS v4.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions - AWS > CIS v4.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled - AWS > CIS v4.0 > 3 - Logging > 3.03 - Ensure AWS Config is enabled in all regions - AWS > CIS v4.0 > 3 - Logging > 3.04 - Ensure that server access logging is enabled on the CloudTrail S3 bucket - AWS > CIS v4.0 > 3 - Logging > 3.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs - AWS > CIS v4.0 > 3 - Logging > 3.06 - Ensure rotation for customer-created symmetric CMKs is enabled - AWS > CIS v4.0 > 3 - Logging > 3.07 - Ensure VPC flow logging is enabled in all VPCs - AWS > CIS v4.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket - AWS > CIS v4.0 > 3 - Logging > 3.09 - Ensure that object-level logging for read events is enabled for S3 buckets - AWS > CIS v4.0 > 4 - Monitoring - AWS > CIS v4.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.03 - Ensure usage of the 'root' account is monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control List (NACL) changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled - AWS > CIS v4.0 > 5 - Networking - AWS > CIS v4.0 > 5 - Networking > 5.01 - Elastic Compute Cloud (EC2) - AWS > CIS v4.0 > 5 - Networking > 5.01 - Elastic Compute Cloud (EC2) > 5.01.01 - Ensure EBS Volume Encryption is Enabled in all Regions - AWS > CIS v4.0 > 5 - Networking > 5.01 - Elastic Compute Cloud (EC2) > 5.01.02 - Ensure CIFS access is restricted to trusted networks to prevent unauthorized access - AWS > CIS v4.0 > 5 - Networking > 5.02 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v4.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v4.0 > 5 - Networking > 5.04 - Ensure no security groups allow ingress from ::/0 to remote server administration ports - AWS > CIS v4.0 > 5 - Networking > 5.05 - Ensure the default security group of every VPC restricts all traffic - AWS > CIS v4.0 > 5 - Networking > 5.06 - Ensure routing tables for VPC peering are "least access" - AWS > CIS v4.0 > 5 - Networking > 5.07 - Ensure that the EC2 Metadata Service only allows IMDSv2 _Policy Types_ - AWS > CIS v4.0 - AWS > CIS v4.0 > 1 - Identity and Access Management - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details > Attestation - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account > Attestation - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "_:_" administrative privileges are not attached - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted - AWS > CIS v4.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation - AWS > CIS v4.0 > 1 - Identity and Access Management > Maximum Attestation Duration - AWS > CIS v4.0 > 2 - Storage - AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) - AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests - AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enable on S3 buckets - AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required - AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required > Attestation - AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' - AWS > CIS v4.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) - AWS > CIS v4.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.01 - Ensure that encryption-at-rest is enabled for RDS Instances - AWS > CIS v4.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances - AWS > CIS v4.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.03 - Ensure that public access is not given to RDS Instance - AWS > CIS v4.0 > 2 - Storage > 2.02 - Relational Database Service (RDS) > 2.02.04 - Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS - AWS > CIS v4.0 > 2 - Storage > 2.03 - Elastic File System (EFS) - AWS > CIS v4.0 > 2 - Storage > 2.03 - Elastic File System (EFS) > 2.03.01 - Ensure that encryption is enabled for EFS file systems - AWS > CIS v4.0 > 2 - Storage > Maximum Attestation Duration - AWS > CIS v4.0 > 3 - Logging - AWS > CIS v4.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions - AWS > CIS v4.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled - AWS > CIS v4.0 > 3 - Logging > 3.03 - Ensure AWS Config is enabled in all regions - AWS > CIS v4.0 > 3 - Logging > 3.04 - Ensure that server access logging is enabled on the CloudTrail S3 bucket - AWS > CIS v4.0 > 3 - Logging > 3.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs - AWS > CIS v4.0 > 3 - Logging > 3.06 - Ensure rotation for customer-created symmetric CMKs is enabled - AWS > CIS v4.0 > 3 - Logging > 3.07 - Ensure VPC flow logging is enabled in all VPCs - AWS > CIS v4.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket - AWS > CIS v4.0 > 3 - Logging > 3.09 - Ensure that object-level logging for read events is enabled for S3 buckets - AWS > CIS v4.0 > 3 - Logging > Maximum Attestation Duration - AWS > CIS v4.0 > 4 - Monitoring - AWS > CIS v4.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored - AWS > CIS v4.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled - AWS > CIS v4.0 > 4 - Monitoring > Maximum Attestation Duration - AWS > CIS v4.0 > 5 - Networking - AWS > CIS v4.0 > 5 - Networking > 5.01 - Elastic Compute Cloud (EC2) - AWS > CIS v4.0 > 5 - Networking > 5.01 - Elastic Compute Cloud (EC2) > 5.01.01 - Ensure EBS Volume Encryption is Enabled in all Regions - AWS > CIS v4.0 > 5 - Networking > 5.01 - Elastic Compute Cloud (EC2) > 5.01.02 - Ensure CIFS access is restricted to trusted networks to prevent unauthorized access - AWS > CIS v4.0 > 5 - Networking > 5.02 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v4.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v4.0 > 5 - Networking > 5.04 - Ensure no security groups allow ingress from ::/0 to remote server administration ports - AWS > CIS v4.0 > 5 - Networking > 5.05 - Ensure the default security group of every VPC restricts all traffic - AWS > CIS v4.0 > 5 - Networking > 5.06 - Ensure routing tables for VPC peering are 'least access' - AWS > CIS v4.0 > 5 - Networking > 5.06 - Ensure routing tables for VPC peering are 'least access' > 5.06 - VPC Peering Routes Least Access > Attestation - AWS > CIS v4.0 > 5 - Networking > 5.07 - Ensure that EC2 Metadata Service only allows IMDSv2 - AWS > CIS v4.0 > 5 - Networking > Maximum Attestation Duration - AWS > CIS v4.0 > Maximum Attestation Duration

gcp v5.34.0 - Added support for `Discovery Level` and `Cloud Parent` for organization, folder and project resource types

Fri, 23 Jan 2026 09:00:00 GMT

_What's new?_ - Added support for `Discovery Level` and `Cloud Parent` for Organization, Folder and Project resource types. _Policy Types_ - GCP > Organization > Discovery Level - Turbot > Discovery Level > Materialization Exceptions > @turbot/gcp

azure v5.35.0 - Added support for `Discovery Level` and `Cloud Parent` for tenant, management group and subscription resource types

Fri, 23 Jan 2026 09:00:00 GMT

_What's new?_ - Added support for `Discovery Level` and `Cloud Parent` for Tenant, Management Group and Subscription resource types. _Policy Types_ - Azure > Tenant > Discovery Level - Turbot > Discovery Level > Materialization Exceptions > @turbot/azure

aws-ec2 v5.50.1 - The CMDB control for instances will update IAM instance profile when it is detached from the instance

Fri, 23 Jan 2026 09:00:00 GMT

_Bug fixes_ - The `AWS > EC2 > Instance > CMDB` control would fail to update IAM instance profile when it was detached from an instance. This is now fixed. - Fixed the `AWS > EC2 > Instance > Instance Profile` control to check CMDB state before execution, ensuring complete instance data is available.

Turbot Guardrails Enterprise (TE) v5.55.1 - Enforced PostgreSQL 15+ and policy pack optimization

Thu, 22 Jan 2026 09:00:00 GMT

_What's new?_ - Server - Workspace creation and upgrade are now blocked if the RDS PostgreSQL version is lower than 15. _Bug fixes_ - Server - Prevent policy pack summary control from querying AI credentials when the summary policy is disabled. _Requirements_ - Upgrade to `5.55.1` requires your workspace to be on `5.54.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

gcp-cisv2-0 v5.1.2 - Fixed policy mappings in various control types

Thu, 22 Jan 2026 09:00:00 GMT

_Bug fixes_ - Fixed policy mappings in various control types.

gcp-cisv1 v5.0.2 - Fixed policy mappings in various control types

Thu, 22 Jan 2026 09:00:00 GMT

_Bug fixes_ - Fixed policy mappings in various control types.

azure-cisv3-0 v5.0.2 - Fixed policy mappings in various control types

Thu, 22 Jan 2026 09:00:00 GMT

_Bug fixes_ - Fixed policy mappings in various control types.

azure-cisv2-0 v5.2.1 - Fixed policy mappings in various control types

Thu, 22 Jan 2026 09:00:00 GMT

_Bug fixes_ - Fixed policy mappings in various control types.

azure-cisv1 v5.1.8 - Fixed policy mappings in various control types

Thu, 22 Jan 2026 09:00:00 GMT

_Bug fixes_ - Fixed policy mappings in various control types.

azure-cisv1-2 v5.0.1 - Fixed policy mappings in various control types

Thu, 22 Jan 2026 09:00:00 GMT

_Bug fixes_ - Fixed policy mappings in various control types.

aws-cisv3-0 v5.0.8 - Fixed policy mappings in various control types

Thu, 22 Jan 2026 09:00:00 GMT

_Bug fixes_ - Fixed policy mappings in various control types.

aws-cisv2-0 v5.0.6 - Fixed policy mappings in various control types

Thu, 22 Jan 2026 09:00:00 GMT

_Bug fixes_ - Fixed policy mappings in various control types.

aws-cisv1 v5.0.11 - Fixed policy mappings in various control types

Thu, 22 Jan 2026 09:00:00 GMT

_Bug fixes_ - Fixed policy mappings in various control types.

aws-cisv1-4 v5.0.10 - Fixed policy mappings in various control types

Thu, 22 Jan 2026 09:00:00 GMT

_Bug fixes_ - Fixed policy mappings in various control types.

aws-sagemaker v5.14.0 - Various new resource types for Sagemaker are now available

Wed, 21 Jan 2026 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > SageMaker > App - AWS > SageMaker > Cluster - AWS > SageMaker > Image - AWS > SageMaker > Pipeline - AWS > SageMaker > Processing Job - AWS > SageMaker > Project - AWS > SageMaker > Studio Lifecycle Config - AWS > SageMaker > User Profile - Control Types: - AWS > SageMaker > App > Active - AWS > SageMaker > App > Allowed - AWS > SageMaker > App > Allowed > Custom - AWS > SageMaker > App > Allowed > Region - AWS > SageMaker > App > CMDB - AWS > SageMaker > App > Discovery - AWS > SageMaker > App > Tags - AWS > SageMaker > Cluster > Active - AWS > SageMaker > Cluster > Allowed - AWS > SageMaker > Cluster > Allowed > Custom - AWS > SageMaker > Cluster > Allowed > Region - AWS > SageMaker > Cluster > CMDB - AWS > SageMaker > Cluster > Discovery - AWS > SageMaker > Cluster > Tags - AWS > SageMaker > Image > Active - AWS > SageMaker > Image > Allowed - AWS > SageMaker > Image > Allowed > Custom - AWS > SageMaker > Image > Allowed > Region - AWS > SageMaker > Image > CMDB - AWS > SageMaker > Image > Discovery - AWS > SageMaker > Image > Tags - AWS > SageMaker > Pipeline > Active - AWS > SageMaker > Pipeline > Allowed - AWS > SageMaker > Pipeline > Allowed > Custom - AWS > SageMaker > Pipeline > Allowed > Region - AWS > SageMaker > Pipeline > CMDB - AWS > SageMaker > Pipeline > Discovery - AWS > SageMaker > Pipeline > Tags - AWS > SageMaker > Processing Job > Active - AWS > SageMaker > Processing Job > Allowed - AWS > SageMaker > Processing Job > Allowed > Custom - AWS > SageMaker > Processing Job > Allowed > Region - AWS > SageMaker > Processing Job > CMDB - AWS > SageMaker > Processing Job > Discovery - AWS > SageMaker > Processing Job > Tags - AWS > SageMaker > Project > Active - AWS > SageMaker > Project > Allowed - AWS > SageMaker > Project > Allowed > Custom - AWS > SageMaker > Project > Allowed > Region - AWS > SageMaker > Project > CMDB - AWS > SageMaker > Project > Discovery - AWS > SageMaker > Project > Tags - AWS > SageMaker > Project > Usage - AWS > SageMaker > Studio Lifecycle Config > Active - AWS > SageMaker > Studio Lifecycle Config > Allowed - AWS > SageMaker > Studio Lifecycle Config > Allowed > Custom - AWS > SageMaker > Studio Lifecycle Config > Allowed > Region - AWS > SageMaker > Studio Lifecycle Config > CMDB - AWS > SageMaker > Studio Lifecycle Config > Discovery - AWS > SageMaker > Studio Lifecycle Config > Tags - AWS > SageMaker > User Profile > Active - AWS > SageMaker > User Profile > Allowed - AWS > SageMaker > User Profile > Allowed > Custom - AWS > SageMaker > User Profile > Allowed > Region - AWS > SageMaker > User Profile > CMDB - AWS > SageMaker > User Profile > Discovery - AWS > SageMaker > User Profile > Tags - Policy Types: - AWS > SageMaker > Allowed Regions [Default] - AWS > SageMaker > App > Active - AWS > SageMaker > App > Active > Age - AWS > SageMaker > App > Active > Last Modified - AWS > SageMaker > App > Allowed - AWS > SageMaker > App > Allowed > Custom - AWS > SageMaker > App > Allowed > Custom > Rules - AWS > SageMaker > App > Allowed > Region - AWS > SageMaker > App > Allowed > Region > Regions - AWS > SageMaker > App > CMDB - AWS > SageMaker > App > Regions - AWS > SageMaker > App > Tags - AWS > SageMaker > App > Tags > Template - AWS > SageMaker > Cluster > Active - AWS > SageMaker > Cluster > Active > Age - AWS > SageMaker > Cluster > Active > Last Modified - AWS > SageMaker > Cluster > Allowed - AWS > SageMaker > Cluster > Allowed > Custom - AWS > SageMaker > Cluster > Allowed > Custom > Rules - AWS > SageMaker > Cluster > Allowed > Region - AWS > SageMaker > Cluster > Allowed > Region > Regions - AWS > SageMaker > Cluster > CMDB - AWS > SageMaker > Cluster > Regions - AWS > SageMaker > Cluster > Tags - AWS > SageMaker > Cluster > Tags > Template - AWS > SageMaker > Image > Active - AWS > SageMaker > Image > Active > Age - AWS > SageMaker > Image > Active > Last Modified - AWS > SageMaker > Image > Allowed - AWS > SageMaker > Image > Allowed > Custom - AWS > SageMaker > Image > Allowed > Custom > Rules - AWS > SageMaker > Image > Allowed > Region - AWS > SageMaker > Image > Allowed > Region > Regions - AWS > SageMaker > Image > CMDB - AWS > SageMaker > Image > Regions - AWS > SageMaker > Image > Tags - AWS > SageMaker > Image > Tags > Template - AWS > SageMaker > Pipeline > Active - AWS > SageMaker > Pipeline > Active > Age - AWS > SageMaker > Pipeline > Active > Last Modified - AWS > SageMaker > Pipeline > Allowed - AWS > SageMaker > Pipeline > Allowed > Custom - AWS > SageMaker > Pipeline > Allowed > Custom > Rules - AWS > SageMaker > Pipeline > Allowed > Region - AWS > SageMaker > Pipeline > Allowed > Region > Regions - AWS > SageMaker > Pipeline > CMDB - AWS > SageMaker > Pipeline > Regions - AWS > SageMaker > Pipeline > Tags - AWS > SageMaker > Pipeline > Tags > Template - AWS > SageMaker > Processing Job > Active - AWS > SageMaker > Processing Job > Active > Age - AWS > SageMaker > Processing Job > Active > Last Modified - AWS > SageMaker > Processing Job > Allowed - AWS > SageMaker > Processing Job > Allowed > Custom - AWS > SageMaker > Processing Job > Allowed > Custom > Rules - AWS > SageMaker > Processing Job > Allowed > Region - AWS > SageMaker > Processing Job > Allowed > Region > Regions - AWS > SageMaker > Processing Job > CMDB - AWS > SageMaker > Processing Job > Regions - AWS > SageMaker > Processing Job > Tags - AWS > SageMaker > Processing Job > Tags > Template - AWS > SageMaker > Project > Active - AWS > SageMaker > Project > Active > Age - AWS > SageMaker > Project > Active > Last Modified - AWS > SageMaker > Project > Allowed - AWS > SageMaker > Project > Allowed > Custom - AWS > SageMaker > Project > Allowed > Custom > Rules - AWS > SageMaker > Project > Allowed > Region - AWS > SageMaker > Project > Allowed > Region > Regions - AWS > SageMaker > Project > CMDB - AWS > SageMaker > Project > Regions - AWS > SageMaker > Project > Tags - AWS > SageMaker > Project > Tags > Template - AWS > SageMaker > Project > Usage - AWS > SageMaker > Project > Usage > Limit - AWS > SageMaker > Studio Lifecycle Config > Active - AWS > SageMaker > Studio Lifecycle Config > Active > Age - AWS > SageMaker > Studio Lifecycle Config > Active > Last Modified - AWS > SageMaker > Studio Lifecycle Config > Allowed - AWS > SageMaker > Studio Lifecycle Config > Allowed > Custom - AWS > SageMaker > Studio Lifecycle Config > Allowed > Custom > Rules - AWS > SageMaker > Studio Lifecycle Config > Allowed > Region - AWS > SageMaker > Studio Lifecycle Config > Allowed > Region > Regions - AWS > SageMaker > Studio Lifecycle Config > CMDB - AWS > SageMaker > Studio Lifecycle Config > Regions - AWS > SageMaker > Studio Lifecycle Config > Tags - AWS > SageMaker > Studio Lifecycle Config > Tags > Template - AWS > SageMaker > User Profile > Active - AWS > SageMaker > User Profile > Active > Age - AWS > SageMaker > User Profile > Active > Last Modified - AWS > SageMaker > User Profile > Allowed - AWS > SageMaker > User Profile > Allowed > Custom - AWS > SageMaker > User Profile > Allowed > Custom > Rules - AWS > SageMaker > User Profile > Allowed > Region - AWS > SageMaker > User Profile > Allowed > Region > Regions - AWS > SageMaker > User Profile > CMDB - AWS > SageMaker > User Profile > Regions - AWS > SageMaker > User Profile > Tags - AWS > SageMaker > User Profile > Tags > Template - Action Types: - AWS > SageMaker > App > Delete - AWS > SageMaker > App > Delete from AWS - AWS > SageMaker > App > Router - AWS > SageMaker > App > Set Tags - AWS > SageMaker > App > Skip alarm for Active control - AWS > SageMaker > App > Skip alarm for Active control [90 days] - AWS > SageMaker > App > Skip alarm for Tags control - AWS > SageMaker > App > Skip alarm for Tags control [90 days] - AWS > SageMaker > App > Update Tags - AWS > SageMaker > Cluster > Delete - AWS > SageMaker > Cluster > Delete from AWS - AWS > SageMaker > Cluster > Router - AWS > SageMaker > Cluster > Set Tags - AWS > SageMaker > Cluster > Skip alarm for Active control - AWS > SageMaker > Cluster > Skip alarm for Active control [90 days] - AWS > SageMaker > Cluster > Skip alarm for Tags control - AWS > SageMaker > Cluster > Skip alarm for Tags control [90 days] - AWS > SageMaker > Cluster > Update Tags - AWS > SageMaker > Image > Delete - AWS > SageMaker > Image > Delete from AWS - AWS > SageMaker > Image > Router - AWS > SageMaker > Image > Set Tags - AWS > SageMaker > Image > Skip alarm for Active control - AWS > SageMaker > Image > Skip alarm for Active control [90 days] - AWS > SageMaker > Image > Skip alarm for Tags control - AWS > SageMaker > Image > Skip alarm for Tags control [90 days] - AWS > SageMaker > Image > Update Tags - AWS > SageMaker > Pipeline > Delete - AWS > SageMaker > Pipeline > Delete from AWS - AWS > SageMaker > Pipeline > Router - AWS > SageMaker > Pipeline > Set Tags - AWS > SageMaker > Pipeline > Skip alarm for Active control - AWS > SageMaker > Pipeline > Skip alarm for Active control [90 days] - AWS > SageMaker > Pipeline > Skip alarm for Approved control - AWS > SageMaker > Pipeline > Skip alarm for Approved control [90 days] - AWS > SageMaker > Pipeline > Skip alarm for Tags control - AWS > SageMaker > Pipeline > Skip alarm for Tags control [90 days] - AWS > SageMaker > Pipeline > Update Tags - AWS > SageMaker > Processing Job > Delete - AWS > SageMaker > Processing Job > Delete from AWS - AWS > SageMaker > Processing Job > Router - AWS > SageMaker > Processing Job > Set Tags - AWS > SageMaker > Processing Job > Skip alarm for Active control - AWS > SageMaker > Processing Job > Skip alarm for Active control [90 days] - AWS > SageMaker > Processing Job > Skip alarm for Approved control - AWS > SageMaker > Processing Job > Skip alarm for Approved control [90 days] - AWS > SageMaker > Processing Job > Skip alarm for Tags control - AWS > SageMaker > Processing Job > Skip alarm for Tags control [90 days] - AWS > SageMaker > Processing Job > Update Tags - AWS > SageMaker > Project > Delete - AWS > SageMaker > Project > Delete from AWS - AWS > SageMaker > Project > Router - AWS > SageMaker > Project > Set Tags - AWS > SageMaker > Project > Skip alarm for Active control - AWS > SageMaker > Project > Skip alarm for Active control [90 days] - AWS > SageMaker > Project > Skip alarm for Tags control - AWS > SageMaker > Project > Skip alarm for Tags control [90 days] - AWS > SageMaker > Project > Update Tags - AWS > SageMaker > Studio Lifecycle Config > Delete - AWS > SageMaker > Studio Lifecycle Config > Delete from AWS - AWS > SageMaker > Studio Lifecycle Config > Router - AWS > SageMaker > Studio Lifecycle Config > Set Tags - AWS > SageMaker > Studio Lifecycle Config > Skip alarm for Active control - AWS > SageMaker > Studio Lifecycle Config > Skip alarm for Active control [90 days] - AWS > SageMaker > Studio Lifecycle Config > Skip alarm for Tags control - AWS > SageMaker > Studio Lifecycle Config > Skip alarm for Tags control [90 days] - AWS > SageMaker > Studio Lifecycle Config > Update Tags - AWS > SageMaker > User Profile > Delete - AWS > SageMaker > User Profile > Delete from AWS - AWS > SageMaker > User Profile > Router - AWS > SageMaker > User Profile > Set Tags - AWS > SageMaker > User Profile > Skip alarm for Active control - AWS > SageMaker > User Profile > Skip alarm for Active control [90 days] - AWS > SageMaker > User Profile > Skip alarm for Tags control - AWS > SageMaker > User Profile > Skip alarm for Tags control [90 days] - AWS > SageMaker > User Profile > Update Tags

Turbot Guardrails CLI v1.31.1 - Stability improvements and enhanced inspection

Wed, 21 Jan 2026 09:00:00 GMT

_What's new?_ - Added `--verbose` flag to `turbot inspect` command to **display full prevention details**, providing deeper visibility into policy enforcement and prevention actions. - Renamed CLI binary from `turbot-macos*` to `turbot` for **consistent cross-platform experience** and simplified installation. _Bug fixes_ - Fixed CLI failures on macOS after extended inactivity caused by temporary directory cleanup, improving **long-running session stability**. - Resolved whitespace formatting issues in `turbot inspect` command output for improved readability.

Turbot Guardrails Enterprise (TE) v5.54.11 - Version bump to align with deployment requirements

Mon, 19 Jan 2026 09:00:00 GMT

Version bump to align with deployment requirements. _Requirements_ - Upgrade to `5.54.11` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.54.10 - Version bump to align with deployment requirements

Mon, 19 Jan 2026 09:00:00 GMT

Version bump to align with deployment requirements. _Requirements_ - Upgrade to `5.54.10` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-mskconnect v5.0.0 is now available

Mon, 19 Jan 2026 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > MSK Connect - AWS > MSK Connect > Connector - Control Types: - AWS > MSK Connect > Connector > Allowed - AWS > MSK Connect > Connector > Allowed > Custom - AWS > MSK Connect > Connector > Allowed > Region - AWS > MSK Connect > Connector > CMDB - AWS > MSK Connect > Connector > Discovery - AWS > MSK Connect > Connector > Tags - Policy Types: - AWS > MSK Connect > API Enabled - AWS > MSK Connect > Allowed Regions [Default] - AWS > MSK Connect > Approved Regions [Default] - AWS > MSK Connect > Connector > Allowed - AWS > MSK Connect > Connector > Allowed > Custom - AWS > MSK Connect > Connector > Allowed > Custom > Rules - AWS > MSK Connect > Connector > Allowed > Region - AWS > MSK Connect > Connector > Allowed > Region > Regions - AWS > MSK Connect > Connector > CMDB - AWS > MSK Connect > Connector > Regions - AWS > MSK Connect > Connector > Tags - AWS > MSK Connect > Connector > Tags > Template - AWS > MSK Connect > Enabled - AWS > MSK Connect > Permissions - AWS > MSK Connect > Permissions > Levels - AWS > MSK Connect > Permissions > Levels > Modifiers - AWS > MSK Connect > Permissions > Lockdown - AWS > MSK Connect > Permissions > Lockdown > API Boundary - AWS > MSK Connect > Regions - AWS > MSK Connect > Tags Template [Default] - AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-mskconnect - AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-mskconnect - AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-mskconnect - AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-mskconnect - Action Types: - AWS > MSK Connect > Connector > Delete - AWS > MSK Connect > Connector > Delete from AWS - AWS > MSK Connect > Connector > Router - AWS > MSK Connect > Connector > Set Tags - AWS > MSK Connect > Connector > Skip alarm for Tags control - AWS > MSK Connect > Connector > Skip alarm for Tags control [90 days] - AWS > MSK Connect > Connector > Update Tags

aws-apigateway v5.16.0 - Track and manage VPC link V2 resources in Guardrails

Mon, 19 Jan 2026 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > API Gateway > VPC Link V2 - Control Types: - AWS > API Gateway > VPC Link V2 > Active - AWS > API Gateway > VPC Link V2 > Allowed - AWS > API Gateway > VPC Link V2 > Allowed > Custom - AWS > API Gateway > VPC Link V2 > Allowed > Region - AWS > API Gateway > VPC Link V2 > CMDB - AWS > API Gateway > VPC Link V2 > Discovery - AWS > API Gateway > VPC Link V2 > Tags - AWS > API Gateway > VPC Link V2 > Usage - Policy Types: - AWS > API Gateway > VPC Link V2 > Active - AWS > API Gateway > VPC Link V2 > Active > Age - AWS > API Gateway > VPC Link V2 > Active > Last Modified - AWS > API Gateway > VPC Link V2 > Allowed - AWS > API Gateway > VPC Link V2 > Allowed > Custom - AWS > API Gateway > VPC Link V2 > Allowed > Custom > Rules - AWS > API Gateway > VPC Link V2 > Allowed > Region - AWS > API Gateway > VPC Link V2 > Allowed > Region > Regions - AWS > API Gateway > VPC Link V2 > CMDB - AWS > API Gateway > VPC Link V2 > Regions - AWS > API Gateway > VPC Link V2 > Tags - AWS > API Gateway > VPC Link V2 > Tags > Template - AWS > API Gateway > VPC Link V2 > Usage - AWS > API Gateway > VPC Link V2 > Usage > Limit - Action Types: - AWS > API Gateway > VPC Link V2 > Delete - AWS > API Gateway > VPC Link V2 > Delete from AWS - AWS > API Gateway > VPC Link V2 > Router - AWS > API Gateway > VPC Link V2 > Set Tags - AWS > API Gateway > VPC Link V2 > Skip alarm for Active control - AWS > API Gateway > VPC Link V2 > Skip alarm for Active control [90 days] - AWS > API Gateway > VPC Link V2 > Skip alarm for Tags control - AWS > API Gateway > VPC Link V2 > Skip alarm for Tags control [90 days] - AWS > API Gateway > VPC Link V2 > Update Tags

Turbot Guardrails Enterprise (TE) v5.54.9 - Fixed policy setting creation deadlock

Fri, 16 Jan 2026 09:00:00 GMT

_Bug fixes_ - Server - Fixed an issue where policy setting creation was causing a JS deadlock while waiting for a transaction in the connection pool. _Requirements_ - Upgrade to `5.54.9` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws v5.43.2 - Organization Discovery Level policy will now run in the priority queue

Fri, 16 Jan 2026 09:00:00 GMT

_Bug fixes_ - The `AWS > Organization > Discovery Level` policy will now run in the priority queue.

aws-transfer v5.3.0 - Track and manage server and connector resources in Guardrails

Fri, 16 Jan 2026 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > Transfer for SFTP > Connector - AWS > Transfer for SFTP > Server - Control Types: - AWS > Transfer for SFTP > Connector > Active - AWS > Transfer for SFTP > Connector > Allowed - AWS > Transfer for SFTP > Connector > Allowed > Custom - AWS > Transfer for SFTP > Connector > Allowed > Region - AWS > Transfer for SFTP > Connector > CMDB - AWS > Transfer for SFTP > Connector > Discovery - AWS > Transfer for SFTP > Connector > Tags - AWS > Transfer for SFTP > Server > Active - AWS > Transfer for SFTP > Server > Allowed - AWS > Transfer for SFTP > Server > Allowed > Custom - AWS > Transfer for SFTP > Server > Allowed > Region - AWS > Transfer for SFTP > Server > CMDB - AWS > Transfer for SFTP > Server > Discovery - AWS > Transfer for SFTP > Server > Tags - Policy Types: - AWS > Transfer for SFTP > Allowed Regions [Default] - AWS > Transfer for SFTP > Connector > Active - AWS > Transfer for SFTP > Connector > Active > Age - AWS > Transfer for SFTP > Connector > Active > Last Modified - AWS > Transfer for SFTP > Connector > Allowed - AWS > Transfer for SFTP > Connector > Allowed > Custom - AWS > Transfer for SFTP > Connector > Allowed > Custom > Rules - AWS > Transfer for SFTP > Connector > Allowed > Region - AWS > Transfer for SFTP > Connector > Allowed > Region > Regions - AWS > Transfer for SFTP > Connector > CMDB - AWS > Transfer for SFTP > Connector > Regions - AWS > Transfer for SFTP > Connector > Tags - AWS > Transfer for SFTP > Connector > Tags > Template - AWS > Transfer for SFTP > Server > Active - AWS > Transfer for SFTP > Server > Active > Age - AWS > Transfer for SFTP > Server > Active > Last Modified - AWS > Transfer for SFTP > Server > Allowed - AWS > Transfer for SFTP > Server > Allowed > Custom - AWS > Transfer for SFTP > Server > Allowed > Custom > Rules - AWS > Transfer for SFTP > Server > Allowed > Region - AWS > Transfer for SFTP > Server > Allowed > Region > Regions - AWS > Transfer for SFTP > Server > CMDB - AWS > Transfer for SFTP > Server > Regions - AWS > Transfer for SFTP > Server > Tags - AWS > Transfer for SFTP > Server > Tags > Template - Action Types: - AWS > Transfer for SFTP > Connector > Delete - AWS > Transfer for SFTP > Connector > Delete from AWS - AWS > Transfer for SFTP > Connector > Router - AWS > Transfer for SFTP > Connector > Set Tags - AWS > Transfer for SFTP > Connector > Skip alarm for Active control - AWS > Transfer for SFTP > Connector > Skip alarm for Active control [90 days] - AWS > Transfer for SFTP > Connector > Skip alarm for Tags control - AWS > Transfer for SFTP > Connector > Skip alarm for Tags control [90 days] - AWS > Transfer for SFTP > Connector > Update Tags - AWS > Transfer for SFTP > Server > Delete - AWS > Transfer for SFTP > Server > Delete from AWS - AWS > Transfer for SFTP > Server > Router - AWS > Transfer for SFTP > Server > Set Tags - AWS > Transfer for SFTP > Server > Skip alarm for Active control - AWS > Transfer for SFTP > Server > Skip alarm for Active control [90 days] - AWS > Transfer for SFTP > Server > Skip alarm for Tags control - AWS > Transfer for SFTP > Server > Skip alarm for Tags control [90 days] - AWS > Transfer for SFTP > Server > Update Tags

aws-rds v5.34.0 - Identify and remove unallowed resources from CMDB

Fri, 16 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > RDS > DB Cluster > Allowed - AWS > RDS > DB Cluster > Allowed > Custom - AWS > RDS > DB Cluster > Allowed > Encryption at Rest - AWS > RDS > DB Cluster > Allowed > Region - AWS > RDS > DB Cluster Parameter Group > Allowed - AWS > RDS > DB Cluster Parameter Group > Allowed > Custom - AWS > RDS > DB Cluster Parameter Group > Allowed > Region - AWS > RDS > DB Cluster Snapshot [Manual] > Allowed - AWS > RDS > DB Cluster Snapshot [Manual] > Allowed > Custom - AWS > RDS > DB Cluster Snapshot [Manual] > Allowed > Region - AWS > RDS > DB Instance > Allowed - AWS > RDS > DB Instance > Allowed > Custom - AWS > RDS > DB Instance > Allowed > Database Engine - AWS > RDS > DB Instance > Allowed > Encryption at Rest - AWS > RDS > DB Instance > Allowed > Instance Class - AWS > RDS > DB Instance > Allowed > Region - AWS > RDS > DB Parameter Group > Allowed - AWS > RDS > DB Parameter Group > Allowed > Custom - AWS > RDS > DB Parameter Group > Allowed > Region - AWS > RDS > DB Snapshot [Manual] > Allowed - AWS > RDS > DB Snapshot [Manual] > Allowed > Custom - AWS > RDS > DB Snapshot [Manual] > Allowed > Encryption at Rest - AWS > RDS > DB Snapshot [Manual] > Allowed > Region - AWS > RDS > Global Cluster > Allowed - AWS > RDS > Global Cluster > Allowed > Custom - AWS > RDS > Option Group > Allowed - AWS > RDS > Option Group > Allowed > Custom - AWS > RDS > Option Group > Allowed > Region - AWS > RDS > Subnet Group > Allowed - AWS > RDS > Subnet Group > Allowed > Custom - AWS > RDS > Subnet Group > Allowed > Region _Policy Types_ - AWS > RDS > Allowed Regions [Default] - AWS > RDS > DB Cluster > Allowed - AWS > RDS > DB Cluster > Allowed > Custom - AWS > RDS > DB Cluster > Allowed > Custom > Rules - AWS > RDS > DB Cluster > Allowed > Encryption at Rest - AWS > RDS > DB Cluster > Allowed > Encryption at Rest > Level - AWS > RDS > DB Cluster > Allowed > Encryption at Rest > Level > Customer Managed Key - AWS > RDS > DB Cluster > Allowed > Region - AWS > RDS > DB Cluster > Allowed > Region > Regions - AWS > RDS > DB Cluster Parameter Group > Allowed - AWS > RDS > DB Cluster Parameter Group > Allowed > Custom - AWS > RDS > DB Cluster Parameter Group > Allowed > Custom > Rules - AWS > RDS > DB Cluster Parameter Group > Allowed > Region - AWS > RDS > DB Cluster Parameter Group > Allowed > Region > Regions - AWS > RDS > DB Cluster Snapshot [Manual] > Allowed - AWS > RDS > DB Cluster Snapshot [Manual] > Allowed > Custom - AWS > RDS > DB Cluster Snapshot [Manual] > Allowed > Custom > Rules - AWS > RDS > DB Cluster Snapshot [Manual] > Allowed > Region - AWS > RDS > DB Cluster Snapshot [Manual] > Allowed > Region > Regions - AWS > RDS > DB Instance > Allowed - AWS > RDS > DB Instance > Allowed > Custom - AWS > RDS > DB Instance > Allowed > Custom > Rules - AWS > RDS > DB Instance > Allowed > Database Engine - AWS > RDS > DB Instance > Allowed > Database Engine > Engines - AWS > RDS > DB Instance > Allowed > Encryption at Rest - AWS > RDS > DB Instance > Allowed > Encryption at Rest > Level - AWS > RDS > DB Instance > Allowed > Encryption at Rest > Level > Customer Managed Key - AWS > RDS > DB Instance > Allowed > Instance Class - AWS > RDS > DB Instance > Allowed > Instance Class > Classes - AWS > RDS > DB Instance > Allowed > Region - AWS > RDS > DB Instance > Allowed > Region > Regions - AWS > RDS > DB Parameter Group > Allowed - AWS > RDS > DB Parameter Group > Allowed > Custom - AWS > RDS > DB Parameter Group > Allowed > Custom > Rules - AWS > RDS > DB Parameter Group > Allowed > Region - AWS > RDS > DB Parameter Group > Allowed > Region > Regions - AWS > RDS > DB Snapshot [Manual] > Allowed - AWS > RDS > DB Snapshot [Manual] > Allowed > Custom - AWS > RDS > DB Snapshot [Manual] > Allowed > Custom > Rules - AWS > RDS > DB Snapshot [Manual] > Allowed > Encryption at Rest - AWS > RDS > DB Snapshot [Manual] > Allowed > Encryption at Rest > Level - AWS > RDS > DB Snapshot [Manual] > Allowed > Encryption at Rest > Level > Customer Managed Key - AWS > RDS > DB Snapshot [Manual] > Allowed > Region - AWS > RDS > DB Snapshot [Manual] > Allowed > Region > Regions - AWS > RDS > Global Cluster > Allowed - AWS > RDS > Global Cluster > Allowed > Custom - AWS > RDS > Global Cluster > Allowed > Custom > Rules - AWS > RDS > Option Group > Allowed - AWS > RDS > Option Group > Allowed > Custom - AWS > RDS > Option Group > Allowed > Custom > Rules - AWS > RDS > Option Group > Allowed > Region - AWS > RDS > Option Group > Allowed > Region > Regions - AWS > RDS > Subnet Group > Allowed - AWS > RDS > Subnet Group > Allowed > Custom - AWS > RDS > Subnet Group > Allowed > Custom > Rules - AWS > RDS > Subnet Group > Allowed > Region - AWS > RDS > Subnet Group > Allowed > Region > Regions _Bug fixes_ - The `AWS > RDS > DB Instance > Approved` control previously entered an alarm state when validating encryption at rest for DB instances encrypted with customer managed keys, particularly when validating against KMS key aliases. The control has been updated to correctly handle both data structure formats, ensuring accurate encryption validation in all cases.

aws-comprehend v5.4.0 - Track and manage document classifier and flywheel resources in Guardrails

Fri, 16 Jan 2026 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > Comprehend > Document Classifier - AWS > Comprehend > Flywheel - Control Types: - AWS > Comprehend > Document Classifier > Active - AWS > Comprehend > Document Classifier > Allowed - AWS > Comprehend > Document Classifier > Allowed > Custom - AWS > Comprehend > Document Classifier > Allowed > Region - AWS > Comprehend > Document Classifier > CMDB - AWS > Comprehend > Document Classifier > Discovery - AWS > Comprehend > Document Classifier > Tags - AWS > Comprehend > Document Classifier > Usage - AWS > Comprehend > Flywheel > Active - AWS > Comprehend > Flywheel > CMDB - AWS > Comprehend > Flywheel > Discovery - AWS > Comprehend > Flywheel > Tags - Policy Types: - AWS > Comprehend > Document Classifier > Active - AWS > Comprehend > Document Classifier > Active > Age - AWS > Comprehend > Document Classifier > Active > Last Modified - AWS > Comprehend > Document Classifier > Allowed - AWS > Comprehend > Document Classifier > Allowed > Custom - AWS > Comprehend > Document Classifier > Allowed > Custom > Rules - AWS > Comprehend > Document Classifier > Allowed > Region - AWS > Comprehend > Document Classifier > Allowed > Region > Regions - AWS > Comprehend > Document Classifier > CMDB - AWS > Comprehend > Document Classifier > Regions - AWS > Comprehend > Document Classifier > Tags - AWS > Comprehend > Document Classifier > Tags > Template - AWS > Comprehend > Document Classifier > Usage - AWS > Comprehend > Document Classifier > Usage > Limit - AWS > Comprehend > Flywheel > Active - AWS > Comprehend > Flywheel > Active > Age - AWS > Comprehend > Flywheel > Active > Last Modified - AWS > Comprehend > Flywheel > CMDB - AWS > Comprehend > Flywheel > Regions - AWS > Comprehend > Flywheel > Tags - AWS > Comprehend > Flywheel > Tags > Template - AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-comprehend - Action Types: - AWS > Comprehend > Document Classifier > Delete - AWS > Comprehend > Document Classifier > Delete from AWS - AWS > Comprehend > Document Classifier > Router - AWS > Comprehend > Document Classifier > Set Tags - AWS > Comprehend > Document Classifier > Skip alarm for Active control - AWS > Comprehend > Document Classifier > Skip alarm for Active control [90 days] - AWS > Comprehend > Document Classifier > Skip alarm for Tags control - AWS > Comprehend > Document Classifier > Skip alarm for Tags control [90 days] - AWS > Comprehend > Document Classifier > Update Tags - AWS > Comprehend > Flywheel > Delete - AWS > Comprehend > Flywheel > Delete from AWS - AWS > Comprehend > Flywheel > Router - AWS > Comprehend > Flywheel > Set Tags - AWS > Comprehend > Flywheel > Skip alarm for Active control - AWS > Comprehend > Flywheel > Skip alarm for Active control [90 days] - AWS > Comprehend > Flywheel > Skip alarm for Tags control - AWS > Comprehend > Flywheel > Skip alarm for Tags control [90 days] - AWS > Comprehend > Flywheel > Update Tags

Turbot Guardrails Enterprise (TE) v5.56.0 - Introducing Preventive Security Posture Management (PSPM)

Wed, 14 Jan 2026 09:00:00 GMT

_What's new?_ This release introduces Preventive Security Posture Management, a new approach to cloud security that shifts from reactive detection to proactive prevention. Rather than discovering misconfigurations after deployment, Guardrails now helps you block risky changes before they reach your cloud environments. Key capabilities include: - **Visualize** your preventive posture across AWS, Azure, and GCP with dashboards that highlight gaps and anomalies. - **Assess** prevention maturity against industry benchmarks like CIS and NIST, with scoring from Level 0 (no prevention) to Level 5 (defense in depth). - **Simulate** policy impact by testing against real CloudTrail data before enforcement, so you can see affected accounts and resources without production risk. - **Deploy** controls with prescriptive recommendations, ready-to-use policy JSON, and tailored guidance while tracking effectiveness over time. Read more at [turbot.com/blog/2025/12/pspm-announcement](https://turbot.com/blog/2025/12/pspm-announcement). _Requirements_ - Upgrade to `5.56.0` requires your workspace to be on `5.55.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.57.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws v5.43.1 - CMDB control for account will no longer enter an error state for workspaces on TE v5.55.0 or lower

Wed, 14 Jan 2026 09:00:00 GMT

_Bug fixes_ - The `AWS > Account > CMDB` control entered an error state in workspaces on TE versions 5.55.0 or earlier due to incorrect metadata dependencies. This issue has now been fixed.

aws-msk v5.8.1 - Fixed incorrect target references in serverless cluster usage control and policies

Wed, 14 Jan 2026 09:00:00 GMT

_Bug fixes_ - Fixed incorrect target references in `AWS > MSK > Serverless Cluster > Usage` control and `AWS > MSK > Serverless Cluster > Usage > *` policies. _Action Types_ _Renamed_ - AWS > MSK > Serverless Cluster > Skip Active alarm to AWS > MSK > Serverless Cluster > Skip alarm for Active control - AWS > MSK > Serverless Cluster > Skip Active alarm for 90 days to AWS > MSK > Serverless Cluster > Skip alarm for Active control [90 days]

Turbot Guardrails Enterprise (TE) v5.54.8 - Version bump to align with deployment requirements

Tue, 13 Jan 2026 09:00:00 GMT

Version bump to align with deployment requirements. _Requirements_ - Upgrade to `5.54.8` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.54.7 - Version bump to align with deployment requirements

Tue, 13 Jan 2026 09:00:00 GMT

Version bump to align with deployment requirements. _Requirements_ - Upgrade to `5.54.7` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws v5.43.0 - CMDB control for organization will no longer enter an error state for workspaces on TE v5.55.0 or lower

Tue, 13 Jan 2026 09:00:00 GMT

_Bug fixes_ - The `AWS > Organization > CMDB` control previously entered an error state in workspaces running TE versions earlier than 5.56.0. This issue has now been resolved. - Added support for `Discovery Level` for Root and Organization Unit resource types. _What's new?_ _Policy Types_ - Turbot > Discovery Level > Materialization Exceptions > @turbot/aws

aws-msk v5.8.0 - Track and manage serverless cluster and VPC connection resources in Guardrails

Tue, 13 Jan 2026 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > MSK > Serverless Cluster - AWS > MSK > VPC Connection - Control Types: - AWS > MSK > Serverless Cluster > Active - AWS > MSK > Serverless Cluster > Allowed - AWS > MSK > Serverless Cluster > Allowed > Custom - AWS > MSK > Serverless Cluster > Allowed > Region - AWS > MSK > Serverless Cluster > CMDB - AWS > MSK > Serverless Cluster > Discovery - AWS > MSK > Serverless Cluster > Tags - AWS > MSK > Serverless Cluster > Usage - AWS > MSK > VPC Connection > Active - AWS > MSK > VPC Connection > Allowed - AWS > MSK > VPC Connection > Allowed > Custom - AWS > MSK > VPC Connection > Allowed > Region - AWS > MSK > VPC Connection > CMDB - AWS > MSK > VPC Connection > Discovery - AWS > MSK > VPC Connection > Tags - Policy Types: - AWS > MSK > Serverless Cluster > Active - AWS > MSK > Serverless Cluster > Active > Age - AWS > MSK > Serverless Cluster > Active > Budget - AWS > MSK > Serverless Cluster > Active > Last Modified - AWS > MSK > Serverless Cluster > Allowed - AWS > MSK > Serverless Cluster > Allowed > Custom - AWS > MSK > Serverless Cluster > Allowed > Custom > Rules - AWS > MSK > Serverless Cluster > Allowed > Region - AWS > MSK > Serverless Cluster > Allowed > Region > Regions - AWS > MSK > Serverless Cluster > CMDB - AWS > MSK > Serverless Cluster > Regions - AWS > MSK > Serverless Cluster > Tags - AWS > MSK > Serverless Cluster > Tags > Template - AWS > MSK > Serverless Cluster > Usage - AWS > MSK > Serverless Cluster > Usage > Limit - AWS > MSK > VPC Connection > Active - AWS > MSK > VPC Connection > Active > Age - AWS > MSK > VPC Connection > Active > Last Modified - AWS > MSK > VPC Connection > Allowed - AWS > MSK > VPC Connection > Allowed > Custom - AWS > MSK > VPC Connection > Allowed > Custom > Rules - AWS > MSK > VPC Connection > Allowed > Region - AWS > MSK > VPC Connection > Allowed > Region > Regions - AWS > MSK > VPC Connection > CMDB - AWS > MSK > VPC Connection > Regions - AWS > MSK > VPC Connection > Tags - AWS > MSK > VPC Connection > Tags > Template - Action Types: - AWS > MSK > Serverless Cluster > Delete - AWS > MSK > Serverless Cluster > Delete from AWS - AWS > MSK > Serverless Cluster > Router - AWS > MSK > Serverless Cluster > Set Tags - AWS > MSK > Serverless Cluster > Skip Active alarm - AWS > MSK > Serverless Cluster > Skip Active alarm for 90 days - AWS > MSK > Serverless Cluster > Skip alarm for Tags control - AWS > MSK > Serverless Cluster > Skip alarm for Tags control [90 days] - AWS > MSK > Serverless Cluster > Update Tags - AWS > MSK > VPC Connection > Delete - AWS > MSK > VPC Connection > Delete from AWS - AWS > MSK > VPC Connection > Router - AWS > MSK > VPC Connection > Set Tags - AWS > MSK > VPC Connection > Skip alarm for Active control - AWS > MSK > VPC Connection > Skip alarm for Active control [90 days] - AWS > MSK > VPC Connection > Skip alarm for Tags control - AWS > MSK > VPC Connection > Skip alarm for Tags control [90 days] - AWS > MSK > VPC Connection > Update Tags

turbot v5.57.1 - Fixed issues on Policy Pack Summary control

Mon, 12 Jan 2026 09:00:00 GMT

_Bug fixes_ - The `Turbot > Policy Pack > Summary` control would go into an error state due to incorrect policy type dependencies. This is now fixed.

guardrails-prevention v5.0.0 is now available

Mon, 12 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - Turbot > Control Prevention - Turbot > Control Prevention > Discovery

aws-prevention v5.0.0 is now available

Mon, 12 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > CloudFormation > Hook > Prevention - AWS > CloudFormation > Hook > Prevention > Discovery - AWS > Control Tower > Enabled Control > Prevention - AWS > Control Tower > Enabled Control > Prevention > Discovery - AWS > EC2 > Account Attributes > Prevention - AWS > EC2 > Account Attributes > Prevention > Discovery - AWS > IAM > Account Password Policy > Prevention - AWS > IAM > Account Password Policy > Prevention > Discovery - AWS > Organizations > Resource Control Policy > Deny Statement Prevention - AWS > Organizations > Resource Control Policy > Deny Statement Prevention > Discovery - AWS > Organizations > Service Control Policy > Allow Boundary Prevention - AWS > Organizations > Service Control Policy > Allow Boundary Prevention > Discovery - AWS > Organizations > Service Control Policy > Deny Statement Prevention - AWS > Organizations > Service Control Policy > Deny Statement Prevention > Discovery - AWS > S3 > Account > Prevention - AWS > S3 > Account > Prevention > Discovery _Prevention Types_ - AWS CloudFormation Hook - AWS Control Tower Preventive Control - AWS Control Tower Proactive Control - AWS EC2 Account Attribute - AWS IAM Account Password Policy - AWS RCP Deny Statement - AWS S3 Account - AWS SCP Allow Boundary - AWS SCP Deny Statement _Prevention Benchmarks_ - AWS CIS v6.0.0 - AWS NIST 800-53 Rev 5 - AWS P1 Preventions - AWS PCI DSS v4

aws-fsx v5.7.0 - Track and manage volume and storage virtual machine resources in Guardrails

Mon, 12 Jan 2026 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > FSx > Storage Virtual Machine - AWS > FSx > Volume - Control Types: - AWS > FSx > Storage Virtual Machine > Active - AWS > FSx > Storage Virtual Machine > Allowed - AWS > FSx > Storage Virtual Machine > Allowed > Custom - AWS > FSx > Storage Virtual Machine > Allowed > Region - AWS > FSx > Storage Virtual Machine > CMDB - AWS > FSx > Storage Virtual Machine > Discovery - AWS > FSx > Storage Virtual Machine > Tags - AWS > FSx > Volume > Active - AWS > FSx > Volume > Allowed - AWS > FSx > Volume > Allowed > Custom - AWS > FSx > Volume > Allowed > Region - AWS > FSx > Volume > CMDB - AWS > FSx > Volume > Discovery - AWS > FSx > Volume > Tags - Policy Types: - AWS > FSx > Storage Virtual Machine > Active - AWS > FSx > Storage Virtual Machine > Active > Age - AWS > FSx > Storage Virtual Machine > Active > Budget - AWS > FSx > Storage Virtual Machine > Active > Last Modified - AWS > FSx > Storage Virtual Machine > Allowed - AWS > FSx > Storage Virtual Machine > Allowed > Custom - AWS > FSx > Storage Virtual Machine > Allowed > Custom > Rules - AWS > FSx > Storage Virtual Machine > Allowed > Region - AWS > FSx > Storage Virtual Machine > Allowed > Region > Regions - AWS > FSx > Storage Virtual Machine > CMDB - AWS > FSx > Storage Virtual Machine > Regions - AWS > FSx > Storage Virtual Machine > Tags - AWS > FSx > Storage Virtual Machine > Tags > Template - AWS > FSx > Volume > Active - AWS > FSx > Volume > Active > Age - AWS > FSx > Volume > Active > Budget - AWS > FSx > Volume > Active > Last Modified - AWS > FSx > Volume > Allowed - AWS > FSx > Volume > Allowed > Custom - AWS > FSx > Volume > Allowed > Custom > Rules - AWS > FSx > Volume > Allowed > Region - AWS > FSx > Volume > Allowed > Region > Regions - AWS > FSx > Volume > CMDB - AWS > FSx > Volume > Regions - AWS > FSx > Volume > Tags - AWS > FSx > Volume > Tags > Template - Action Types: - AWS > FSx > Storage Virtual Machine > Delete - AWS > FSx > Storage Virtual Machine > Delete from AWS - AWS > FSx > Storage Virtual Machine > Router - AWS > FSx > Storage Virtual Machine > Set Tags - AWS > FSx > Storage Virtual Machine > Skip alarm for Active control - AWS > FSx > Storage Virtual Machine > Skip alarm for Active control [90 days] - AWS > FSx > Storage Virtual Machine > Skip alarm for Tags control - AWS > FSx > Storage Virtual Machine > Skip alarm for Tags control [90 days] - AWS > FSx > Storage Virtual Machine > Update Tags - AWS > FSx > Volume > Delete - AWS > FSx > Volume > Delete from AWS - AWS > FSx > Volume > Router - AWS > FSx > Volume > Set Tags - AWS > FSx > Volume > Skip alarm for Active control - AWS > FSx > Volume > Skip alarm for Active control [90 days] - AWS > FSx > Volume > Skip alarm for Tags control - AWS > FSx > Volume > Skip alarm for Tags control [90 days] - AWS > FSx > Volume > Update Tags

aws-datasync v5.2.0 - Track and manage agent resources in Guardrails

Mon, 12 Jan 2026 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > DataSync > Agent - Control Types: - AWS > DataSync > Agent > Active - AWS > DataSync > Agent > Allowed - AWS > DataSync > Agent > Allowed > Custom - AWS > DataSync > Agent > Allowed > Region - AWS > DataSync > Agent > CMDB - AWS > DataSync > Agent > Discovery - AWS > DataSync > Agent > Router - AWS > DataSync > Agent > Tags - Policy Types: - AWS > DataSync > Agent > Active - AWS > DataSync > Agent > Active > Age - AWS > DataSync > Agent > Active > Budget - AWS > DataSync > Agent > Active > Last Modified - AWS > DataSync > Agent > Allowed - AWS > DataSync > Agent > Allowed > Custom - AWS > DataSync > Agent > Allowed > Custom > Rules - AWS > DataSync > Agent > Allowed > Region - AWS > DataSync > Agent > Allowed > Region > Regions - AWS > DataSync > Agent > CMDB - AWS > DataSync > Agent > Regions - AWS > DataSync > Agent > Tags - AWS > DataSync > Agent > Tags > Template - AWS > DataSync > Allowed Regions [Default] - AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-datasync - Action Types: - AWS > DataSync > Agent > Delete - AWS > DataSync > Agent > Delete from AWS - AWS > DataSync > Agent > Set Tags - AWS > DataSync > Agent > Skip alarm for Active control - AWS > DataSync > Agent > Skip alarm for Active control [90 days] - AWS > DataSync > Agent > Skip alarm for Tags control - AWS > DataSync > Agent > Skip alarm for Tags control [90 days] - AWS > DataSync > Agent > Update Tags

Turbot Guardrails CLI v1.31.0 - Enhanced mod development with control and resource commands

Mon, 12 Jan 2026 09:00:00 GMT

_What's new?_ - Added `turbot control` and `turbot resource` commands for **streamlined mod development workflows**, making it easier to test and validate controls and resources during development. - Improved `turbot up` performance with **incremental compose**, reducing deployment times for iterative development. - Enhanced testing capabilities with new `--runnable` and `--resource` flags for control and policy input queries, enabling more precise testing scenarios. _Bug fixes_ - Fixed missing `flattenBenchmarks` filter in `turbot inspect` command for accurate benchmark analysis.

aws-quicksight v5.4.0 - Various new resource types for QuickSight are now available

Fri, 09 Jan 2026 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > QuickSight > Analysis - AWS > QuickSight > Dashboard - AWS > QuickSight > Data Set - AWS > QuickSight > Data Source - AWS > QuickSight > VPC Connection - Control Types: - AWS > QuickSight > Analysis > Active - AWS > QuickSight > Analysis > Allowed - AWS > QuickSight > Analysis > Allowed > Custom - AWS > QuickSight > Analysis > Allowed > Region - AWS > QuickSight > Analysis > CMDB - AWS > QuickSight > Analysis > Discovery - AWS > QuickSight > Analysis > Tags - AWS > QuickSight > Dashboard > Active - AWS > QuickSight > Dashboard > Allowed - AWS > QuickSight > Dashboard > Allowed > Custom - AWS > QuickSight > Dashboard > Allowed > Region - AWS > QuickSight > Dashboard > CMDB - AWS > QuickSight > Dashboard > Discovery - AWS > QuickSight > Dashboard > Tags - AWS > QuickSight > Data Set > Active - AWS > QuickSight > Data Set > Allowed - AWS > QuickSight > Data Set > Allowed > Custom - AWS > QuickSight > Data Set > Allowed > Region - AWS > QuickSight > Data Set > CMDB - AWS > QuickSight > Data Set > Discovery - AWS > QuickSight > Data Set > Tags - AWS > QuickSight > Data Source > Active - AWS > QuickSight > Data Source > Allowed - AWS > QuickSight > Data Source > Allowed > Custom - AWS > QuickSight > Data Source > Allowed > Region - AWS > QuickSight > Data Source > CMDB - AWS > QuickSight > Data Source > Discovery - AWS > QuickSight > Data Source > Tags - AWS > QuickSight > VPC Connection > Active - AWS > QuickSight > VPC Connection > Allowed - AWS > QuickSight > VPC Connection > Allowed > Custom - AWS > QuickSight > VPC Connection > Allowed > Region - AWS > QuickSight > VPC Connection > CMDB - AWS > QuickSight > VPC Connection > Discovery - AWS > QuickSight > VPC Connection > Tags - Policy Types: - AWS > QuickSight > Allowed Regions [Default] - AWS > QuickSight > Analysis > Active - AWS > QuickSight > Analysis > Active > Age - AWS > QuickSight > Analysis > Active > Last Modified - AWS > QuickSight > Analysis > Allowed - AWS > QuickSight > Analysis > Allowed > Custom - AWS > QuickSight > Analysis > Allowed > Custom > Rules - AWS > QuickSight > Analysis > Allowed > Region - AWS > QuickSight > Analysis > Allowed > Region > Regions - AWS > QuickSight > Analysis > CMDB - AWS > QuickSight > Analysis > Regions - AWS > QuickSight > Analysis > Tags - AWS > QuickSight > Analysis > Tags > Template - AWS > QuickSight > Dashboard > Active - AWS > QuickSight > Dashboard > Active > Age - AWS > QuickSight > Dashboard > Active > Last Modified - AWS > QuickSight > Dashboard > Allowed - AWS > QuickSight > Dashboard > Allowed > Custom - AWS > QuickSight > Dashboard > Allowed > Custom > Rules - AWS > QuickSight > Dashboard > Allowed > Region - AWS > QuickSight > Dashboard > Allowed > Region > Regions - AWS > QuickSight > Dashboard > CMDB - AWS > QuickSight > Dashboard > Regions - AWS > QuickSight > Dashboard > Tags - AWS > QuickSight > Dashboard > Tags > Template - AWS > QuickSight > Data Set > Active - AWS > QuickSight > Data Set > Active > Age - AWS > QuickSight > Data Set > Active > Last Modified - AWS > QuickSight > Data Set > Allowed - AWS > QuickSight > Data Set > Allowed > Custom - AWS > QuickSight > Data Set > Allowed > Custom > Rules - AWS > QuickSight > Data Set > Allowed > Region - AWS > QuickSight > Data Set > Allowed > Region > Regions - AWS > QuickSight > Data Set > CMDB - AWS > QuickSight > Data Set > Regions - AWS > QuickSight > Data Set > Tags - AWS > QuickSight > Data Set > Tags > Template - AWS > QuickSight > Data Source > Active - AWS > QuickSight > Data Source > Active > Age - AWS > QuickSight > Data Source > Active > Last Modified - AWS > QuickSight > Data Source > Allowed - AWS > QuickSight > Data Source > Allowed > Custom - AWS > QuickSight > Data Source > Allowed > Custom > Rules - AWS > QuickSight > Data Source > Allowed > Region - AWS > QuickSight > Data Source > Allowed > Region > Regions - AWS > QuickSight > Data Source > CMDB - AWS > QuickSight > Data Source > Regions - AWS > QuickSight > Data Source > Tags - AWS > QuickSight > Data Source > Tags > Template - AWS > QuickSight > VPC Connection > Active - AWS > QuickSight > VPC Connection > Active > Age - AWS > QuickSight > VPC Connection > Active > Last Modified - AWS > QuickSight > VPC Connection > Allowed - AWS > QuickSight > VPC Connection > Allowed > Custom - AWS > QuickSight > VPC Connection > Allowed > Custom > Rules - AWS > QuickSight > VPC Connection > Allowed > Region - AWS > QuickSight > VPC Connection > Allowed > Region > Regions - AWS > QuickSight > VPC Connection > CMDB - AWS > QuickSight > VPC Connection > Regions - AWS > QuickSight > VPC Connection > Tags - AWS > QuickSight > VPC Connection > Tags > Template - Action Types: - AWS > QuickSight > Analysis > Delete - AWS > QuickSight > Analysis > Delete from AWS - AWS > QuickSight > Analysis > Router - AWS > QuickSight > Analysis > Set Tags - AWS > QuickSight > Analysis > Skip alarm for Active control - AWS > QuickSight > Analysis > Skip alarm for Active control [90 days] - AWS > QuickSight > Analysis > Skip alarm for Tags control - AWS > QuickSight > Analysis > Skip alarm for Tags control [90 days] - AWS > QuickSight > Analysis > Update Tags - AWS > QuickSight > Dashboard > Delete - AWS > QuickSight > Dashboard > Delete from AWS - AWS > QuickSight > Dashboard > Router - AWS > QuickSight > Dashboard > Set Tags - AWS > QuickSight > Dashboard > Skip alarm for Active control - AWS > QuickSight > Dashboard > Skip alarm for Active control [90 days] - AWS > QuickSight > Dashboard > Skip alarm for Tags control - AWS > QuickSight > Dashboard > Skip alarm for Tags control [90 days] - AWS > QuickSight > Dashboard > Update Tags - AWS > QuickSight > Data Set > Delete - AWS > QuickSight > Data Set > Delete from AWS - AWS > QuickSight > Data Set > Router - AWS > QuickSight > Data Set > Set Tags - AWS > QuickSight > Data Set > Skip alarm for Active control - AWS > QuickSight > Data Set > Skip alarm for Active control [90 days] - AWS > QuickSight > Data Set > Skip alarm for Tags control - AWS > QuickSight > Data Set > Skip alarm for Tags control [90 days] - AWS > QuickSight > Data Set > Update Tags - AWS > QuickSight > Data Source > Delete - AWS > QuickSight > Data Source > Delete from AWS - AWS > QuickSight > Data Source > Router - AWS > QuickSight > Data Source > Set Tags - AWS > QuickSight > Data Source > Skip alarm for Active control - AWS > QuickSight > Data Source > Skip alarm for Active control [90 days] - AWS > QuickSight > Data Source > Skip alarm for Tags control - AWS > QuickSight > Data Source > Skip alarm for Tags control [90 days] - AWS > QuickSight > Data Source > Update Tags - AWS > QuickSight > VPC Connection > Delete - AWS > QuickSight > VPC Connection > Delete from AWS - AWS > QuickSight > VPC Connection > Router - AWS > QuickSight > VPC Connection > Set Tags - AWS > QuickSight > VPC Connection > Skip alarm for Active control - AWS > QuickSight > VPC Connection > Skip alarm for Active control [90 days] - AWS > QuickSight > VPC Connection > Skip alarm for Tags control - AWS > QuickSight > VPC Connection > Skip alarm for Tags control [90 days] - AWS > QuickSight > VPC Connection > Update Tags

turbot v5.57.0 - Configure AI features using AWS Bedrock and Azure OpenAI credentials

Wed, 07 Jan 2026 09:00:00 GMT

_What's new?_ - Added support for AWS Bedrock and Azure OpenAI to enable AI-powered features across Guardrails. - Added the `Turbot > Discovery Level > Materialization` control and `Turbot > Discovery Level > Materialization Exceptions` policy to manage discovery level materialization behavior. _Policy Types_ - Turbot > Discovery Level > Materialization Exceptions - Turbot > AI - Turbot > AI > Configuration - Turbot > AI > Configuration > Provider [Default] - Turbot > AI > Features > Enabled [Default] - Turbot > AI > Configuration > AWS - Turbot > AI > Configuration > AWS > Bedrock - Turbot > AI > Configuration > AWS > Bedrock > Inference Profile ARN - Turbot > AI > Configuration > AWS > Bedrock > Long-Term API Key - Turbot > AI > Configuration > Anthropic - Turbot > AI > Configuration > Anthropic > API Key - Turbot > AI > Configuration > Anthropic > Model - Turbot > AI > Configuration > Azure - Turbot > AI > Configuration > Azure > OpenAI - Turbot > AI > Configuration > Azure > OpenAI > API Key - Turbot > AI > Configuration > Azure > OpenAI > Deployment - Turbot > AI > Configuration > Azure > OpenAI > Resource Name - Turbot > AI > Configuration > OpenAI - Turbot > AI > Configuration > OpenAI > API Key - Turbot > AI > Configuration > OpenAI > Model _Control Types_ - Turbot > Discovery Level > Materialization

aws-ses v5.7.0 - Identify and remove unallowed resources from CMDB

Wed, 07 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > SES > Identity > Allowed - AWS > SES > Identity > Allowed > Custom - AWS > SES > Identity > Allowed > Region _Policy Types_ - AWS > SES > Allowed Regions [Default] - AWS > SES > Identity > Allowed - AWS > SES > Identity > Allowed > Custom - AWS > SES > Identity > Allowed > Custom > Rules - AWS > SES > Identity > Allowed > Region - AWS > SES > Identity > Allowed > Region > Regions

aws-cloudfront v5.9.0 - Identify and remove unallowed resources from CMDB

Wed, 07 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > CloudFront > CloudFront Origin Access Identity > Allowed - AWS > CloudFront > CloudFront Origin Access Identity > Allowed > Custom - AWS > CloudFront > Distribution > Allowed - AWS > CloudFront > Distribution > Allowed > Custom - AWS > CloudFront > Streaming Distribution > Allowed - AWS > CloudFront > Streaming Distribution > Allowed > Custom - AWS > CloudFront > Streaming Distribution > Allowed > Region _Policy Types_ - AWS > CloudFront > Allowed Regions [Default] - AWS > CloudFront > Approved Regions [Default] - AWS > CloudFront > CloudFront Origin Access Identity > Allowed - AWS > CloudFront > CloudFront Origin Access Identity > Allowed > Custom - AWS > CloudFront > CloudFront Origin Access Identity > Allowed > Custom > Rules - AWS > CloudFront > Distribution > Allowed - AWS > CloudFront > Distribution > Allowed > Custom - AWS > CloudFront > Distribution > Allowed > Custom > Rules - AWS > CloudFront > Regions - AWS > CloudFront > Streaming Distribution > Allowed - AWS > CloudFront > Streaming Distribution > Allowed > Custom - AWS > CloudFront > Streaming Distribution > Allowed > Custom > Rules - AWS > CloudFront > Streaming Distribution > Allowed > Region - AWS > CloudFront > Streaming Distribution > Allowed > Region > Regions

aws-appstream v5.6.0 - Identify and remove unallowed resources from CMDB

Wed, 07 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > AppStream > Fleet > Allowed - AWS > AppStream > Fleet > Allowed > Custom - AWS > AppStream > Fleet > Allowed > Region - AWS > AppStream > Image > Allowed - AWS > AppStream > Image > Allowed > Custom - AWS > AppStream > Image > Allowed > Region - AWS > AppStream > Image Builder > Allowed - AWS > AppStream > Image Builder > Allowed > Custom - AWS > AppStream > Image Builder > Allowed > Region - AWS > AppStream > User > Allowed - AWS > AppStream > User > Allowed > Custom - AWS > AppStream > User > Allowed > Region _Policy Types_ - AWS > AppStream > Allowed Regions [Default] - AWS > AppStream > Fleet > Allowed - AWS > AppStream > Fleet > Allowed > Custom - AWS > AppStream > Fleet > Allowed > Custom > Rules - AWS > AppStream > Fleet > Allowed > Region - AWS > AppStream > Fleet > Allowed > Region > Regions - AWS > AppStream > Image > Allowed - AWS > AppStream > Image > Allowed > Custom - AWS > AppStream > Image > Allowed > Custom > Rules - AWS > AppStream > Image > Allowed > Region - AWS > AppStream > Image > Allowed > Region > Regions - AWS > AppStream > Image Builder > Allowed - AWS > AppStream > Image Builder > Allowed > Custom - AWS > AppStream > Image Builder > Allowed > Custom > Rules - AWS > AppStream > Image Builder > Allowed > Region - AWS > AppStream > Image Builder > Allowed > Region > Regions - AWS > AppStream > User > Allowed - AWS > AppStream > User > Allowed > Custom - AWS > AppStream > User > Allowed > Custom > Rules - AWS > AppStream > User > Allowed > Region - AWS > AppStream > User > Allowed > Region > Regions

Turbot Guardrails Enterprise Database (TED) v1.52.0 - Added support for PostgreSQL versions 15.14, 16.10, 16.11, 17.6 and 17.7

Tue, 06 Jan 2026 09:00:00 GMT

_What's new?_ - Added support for PostgreSQL version 15.14, 16.10, 16.11, 17.6 and 17.7. - Added support for Valkey cache v8.1 and v8.2.

aws-vpc-security v5.16.0 - Identify and remove unallowed resources from CMDB

Tue, 06 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > VPC > Flow Log > Allowed - AWS > VPC > Flow Log > Allowed > Custom - AWS > VPC > Flow Log > Allowed > Region - AWS > VPC > Network ACL > Allowed - AWS > VPC > Network ACL > Allowed > Custom - AWS > VPC > Network ACL > Allowed > Region - AWS > VPC > Security Group > Allowed - AWS > VPC > Security Group > Allowed > Custom - AWS > VPC > Security Group > Allowed > Region _Policy Types_ - AWS > VPC > Flow Log > Allowed - AWS > VPC > Flow Log > Allowed > Custom - AWS > VPC > Flow Log > Allowed > Custom > Rules - AWS > VPC > Flow Log > Allowed > Region - AWS > VPC > Flow Log > Allowed > Region > Regions - AWS > VPC > Network ACL > Allowed - AWS > VPC > Network ACL > Allowed > Custom - AWS > VPC > Network ACL > Allowed > Custom > Rules - AWS > VPC > Network ACL > Allowed > Region - AWS > VPC > Network ACL > Allowed > Region > Regions - AWS > VPC > Security Group > Allowed - AWS > VPC > Security Group > Allowed > Custom - AWS > VPC > Security Group > Allowed > Custom > Rules - AWS > VPC > Security Group > Allowed > Region - AWS > VPC > Security Group > Allowed > Region > Regions

aws-vpc-core v5.24.0 - Identify and remove unallowed resources from CMDB

Tue, 06 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > VPC > DHCP Options > Allowed - AWS > VPC > DHCP Options > Allowed > Custom - AWS > VPC > DHCP Options > Allowed > Region - AWS > VPC > Route Table > Allowed - AWS > VPC > Route Table > Allowed > Custom - AWS > VPC > Route Table > Allowed > Region - AWS > VPC > Subnet > Allowed - AWS > VPC > Subnet > Allowed > Custom - AWS > VPC > Subnet > Allowed > Region - AWS > VPC > VPC > Allowed - AWS > VPC > VPC > Allowed > Custom - AWS > VPC > VPC > Allowed > Region _Policy Types_ - AWS > VPC > Allowed Regions [Default] - AWS > VPC > DHCP Options > Allowed - AWS > VPC > DHCP Options > Allowed > Custom - AWS > VPC > DHCP Options > Allowed > Custom > Rules - AWS > VPC > DHCP Options > Allowed > Region - AWS > VPC > DHCP Options > Allowed > Region > Regions - AWS > VPC > Route Table > Allowed - AWS > VPC > Route Table > Allowed > Custom - AWS > VPC > Route Table > Allowed > Custom > Rules - AWS > VPC > Route Table > Allowed > Region - AWS > VPC > Route Table > Allowed > Region > Regions - AWS > VPC > Subnet > Allowed - AWS > VPC > Subnet > Allowed > Custom - AWS > VPC > Subnet > Allowed > Custom > Rules - AWS > VPC > Subnet > Allowed > Region - AWS > VPC > Subnet > Allowed > Region > Regions - AWS > VPC > VPC > Allowed - AWS > VPC > VPC > Allowed > Custom - AWS > VPC > VPC > Allowed > Custom > Rules - AWS > VPC > VPC > Allowed > Region - AWS > VPC > VPC > Allowed > Region > Regions

aws-stepfunctions v5.9.0 - Identify and remove unallowed resources from CMDB

Tue, 06 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > Step Functions > State Machine > Allowed - AWS > Step Functions > State Machine > Allowed > Custom - AWS > Step Functions > State Machine > Allowed > Region _Policy Types_ - AWS > Step Functions > Allowed Regions [Default] - AWS > Step Functions > State Machine > Allowed - AWS > Step Functions > State Machine > Allowed > Custom - AWS > Step Functions > State Machine > Allowed > Custom > Rules - AWS > Step Functions > State Machine > Allowed > Region - AWS > Step Functions > State Machine > Allowed > Region > Regions

aws-eks v5.10.0 - Identify and remove unallowed resources from CMDB

Tue, 06 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > EKS > Cluster > Allowed - AWS > EKS > Cluster > Allowed > Custom - AWS > EKS > Cluster > Allowed > Region - AWS > EKS > Node Group > Allowed - AWS > EKS > Node Group > Allowed > AMI Type - AWS > EKS > Node Group > Allowed > Custom - AWS > EKS > Node Group > Allowed > Instance Type - AWS > EKS > Node Group > Allowed > Region _Policy Types_ - AWS > EKS > Allowed Regions [Default] - AWS > EKS > Cluster > Allowed - AWS > EKS > Cluster > Allowed > Custom - AWS > EKS > Cluster > Allowed > Custom > Rules - AWS > EKS > Cluster > Allowed > Region - AWS > EKS > Cluster > Allowed > Region > Regions - AWS > EKS > Node Group > Allowed - AWS > EKS > Node Group > Allowed > AMI Type - AWS > EKS > Node Group > Allowed > AMI Type > AMI Types - AWS > EKS > Node Group > Allowed > Custom - AWS > EKS > Node Group > Allowed > Custom > Rules - AWS > EKS > Node Group > Allowed > Instance Type - AWS > EKS > Node Group > Allowed > Instance Type > Instance Types - AWS > EKS > Node Group > Allowed > Region - AWS > EKS > Node Group > Allowed > Region > Regions

aws-bedrock v5.4.0 - Identify and remove unallowed resources from CMDB

Tue, 06 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > Bedrock > Agent > Allowed - AWS > Bedrock > Agent > Allowed > Custom - AWS > Bedrock > Agent > Allowed > Encryption at Rest - AWS > Bedrock > Agent > Allowed > Region - AWS > Bedrock > Custom Model > Allowed - AWS > Bedrock > Custom Model > Allowed > Custom - AWS > Bedrock > Custom Model > Allowed > Region - AWS > Bedrock > Imported Model > Allowed - AWS > Bedrock > Imported Model > Allowed > Custom - AWS > Bedrock > Imported Model > Allowed > Region - AWS > Bedrock > Knowledge Base > Allowed - AWS > Bedrock > Knowledge Base > Allowed > Custom - AWS > Bedrock > Knowledge Base > Allowed > Region _Policy Types_ - AWS > Bedrock > Agent > Allowed - AWS > Bedrock > Agent > Allowed > Custom - AWS > Bedrock > Agent > Allowed > Custom > Rules - AWS > Bedrock > Agent > Allowed > Encryption at Rest - AWS > Bedrock > Agent > Allowed > Encryption at Rest > Level - AWS > Bedrock > Agent > Allowed > Encryption at Rest > Level > Customer Managed Key - AWS > Bedrock > Agent > Allowed > Region - AWS > Bedrock > Agent > Allowed > Region > Regions - AWS > Bedrock > Allowed Regions [Default] - AWS > Bedrock > Custom Model > Allowed - AWS > Bedrock > Custom Model > Allowed > Custom - AWS > Bedrock > Custom Model > Allowed > Custom > Rules - AWS > Bedrock > Custom Model > Allowed > Region - AWS > Bedrock > Custom Model > Allowed > Region > Regions - AWS > Bedrock > Imported Model > Allowed - AWS > Bedrock > Imported Model > Allowed > Custom - AWS > Bedrock > Imported Model > Allowed > Custom > Rules - AWS > Bedrock > Imported Model > Allowed > Region - AWS > Bedrock > Imported Model > Allowed > Region > Regions - AWS > Bedrock > Knowledge Base > Allowed - AWS > Bedrock > Knowledge Base > Allowed > Custom - AWS > Bedrock > Knowledge Base > Allowed > Custom > Rules - AWS > Bedrock > Knowledge Base > Allowed > Region - AWS > Bedrock > Knowledge Base > Allowed > Region > Regions

aws-apigateway v5.15.0 - Track and manage VPC link resources in Guardrails

Tue, 06 Jan 2026 09:00:00 GMT

_Resource Types_ - AWS > API Gateway > VPC Link _Control Types_ - AWS > API Gateway > VPC Link > Active - AWS > API Gateway > VPC Link > Allowed - AWS > API Gateway > VPC Link > Allowed > Custom - AWS > API Gateway > VPC Link > Allowed > Region - AWS > API Gateway > VPC Link > CMDB - AWS > API Gateway > VPC Link > Discovery - AWS > API Gateway > VPC Link > Tags _Policy Types_ - AWS > API Gateway > VPC Link > Active - AWS > API Gateway > VPC Link > Active > Age - AWS > API Gateway > VPC Link > Active > Last Modified - AWS > API Gateway > VPC Link > Allowed - AWS > API Gateway > VPC Link > Allowed > Custom - AWS > API Gateway > VPC Link > Allowed > Custom > Rules - AWS > API Gateway > VPC Link > Allowed > Region - AWS > API Gateway > VPC Link > Allowed > Region > Regions - AWS > API Gateway > VPC Link > CMDB - AWS > API Gateway > VPC Link > Regions - AWS > API Gateway > VPC Link > Tags - AWS > API Gateway > VPC Link > Tags > Template _Action Types_ - AWS > API Gateway > VPC Link > Delete - AWS > API Gateway > VPC Link > Delete from AWS - AWS > API Gateway > VPC Link > Router - AWS > API Gateway > VPC Link > Set Tags - AWS > API Gateway > VPC Link > Skip alarm for Active control - AWS > API Gateway > VPC Link > Skip alarm for Active control [90 days] - AWS > API Gateway > VPC Link > Skip alarm for Tags control - AWS > API Gateway > VPC Link > Skip alarm for Tags control [90 days] - AWS > API Gateway > VPC Link > Update Tags

aws-wafregional v5.7.0 - Identify and remove unallowed resources from CMDB

Mon, 05 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > WAF Regional > Rule > Allowed - AWS > WAF Regional > Rule > Allowed > Custom - AWS > WAF Regional > Rule > Allowed > Region _Policy Types_ - AWS > WAF Regional > Allowed Regions [Default] - AWS > WAF Regional > Rule > Allowed - AWS > WAF Regional > Rule > Allowed > Custom - AWS > WAF Regional > Rule > Allowed > Custom > Rules - AWS > WAF Regional > Rule > Allowed > Region - AWS > WAF Regional > Rule > Allowed > Region > Regions

aws-s3 v5.34.0 - Identify and remove unallowed resources from CMDB

Mon, 05 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > S3 > Bucket > Allowed - AWS > S3 > Bucket > Allowed > Custom - AWS > S3 > Bucket > Allowed > Region _Policy Types_ - AWS > S3 > Allowed Regions [Default] - AWS > S3 > Bucket > Allowed - AWS > S3 > Bucket > Allowed > Custom - AWS > S3 > Bucket > Allowed > Custom > Rules - AWS > S3 > Bucket > Allowed > Region - AWS > S3 > Bucket > Allowed > Region > Regions

aws-opensearch v5.4.0 - Identify and remove unallowed resources from CMDB

Mon, 05 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > OpenSearch > Domain > Allowed - AWS > OpenSearch > Domain > Allowed > Custom - AWS > OpenSearch > Domain > Allowed > Region _Policy Types_ - AWS > OpenSearch > Allowed Regions [Default] - AWS > OpenSearch > Domain > Allowed - AWS > OpenSearch > Domain > Allowed > Custom - AWS > OpenSearch > Domain > Allowed > Custom > Rules - AWS > OpenSearch > Domain > Allowed > Region - AWS > OpenSearch > Domain > Allowed > Region > Regions

aws-fsx v5.6.0 - Identify and remove unallowed resources from CMDB

Mon, 05 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > FSx > Backup > Allowed - AWS > FSx > Backup > Allowed > Custom - AWS > FSx > Backup > Allowed > Region - AWS > FSx > File System > Allowed - AWS > FSx > File System > Allowed > Custom - AWS > FSx > File System > Allowed > Region _Policy Types_ - AWS > FSx > Allowed Regions [Default] - AWS > FSx > Backup > Allowed - AWS > FSx > Backup > Allowed > Custom - AWS > FSx > Backup > Allowed > Custom > Rules - AWS > FSx > Backup > Allowed > Region - AWS > FSx > Backup > Allowed > Region > Regions - AWS > FSx > File System > Allowed - AWS > FSx > File System > Allowed > Custom - AWS > FSx > File System > Allowed > Custom > Rules - AWS > FSx > File System > Allowed > Region - AWS > FSx > File System > Allowed > Region > Regions

aws-elasticache v5.13.0 - Identify and remove unallowed resources from CMDB

Mon, 05 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > ElastiCache > Cache Cluster > Allowed - AWS > ElastiCache > Cache Cluster > Allowed > Custom - AWS > ElastiCache > Cache Cluster > Allowed > Engines - AWS > ElastiCache > Cache Cluster > Allowed > Region - AWS > ElastiCache > Cache Parameter Group > Allowed - AWS > ElastiCache > Cache Parameter Group > Allowed > Custom - AWS > ElastiCache > Cache Parameter Group > Allowed > Region - AWS > ElastiCache > Replication Group > Allowed - AWS > ElastiCache > Replication Group > Allowed > Custom - AWS > ElastiCache > Replication Group > Allowed > Region - AWS > ElastiCache > Snapshot > Allowed - AWS > ElastiCache > Snapshot > Allowed > Custom - AWS > ElastiCache > Snapshot > Allowed > Region _Policy Types_ - AWS > ElastiCache > Allowed Regions [Default] - AWS > ElastiCache > Cache Cluster > Allowed - AWS > ElastiCache > Cache Cluster > Allowed > Custom - AWS > ElastiCache > Cache Cluster > Allowed > Custom > Rules - AWS > ElastiCache > Cache Cluster > Allowed > Engines - AWS > ElastiCache > Cache Cluster > Allowed > Engines > Engines - AWS > ElastiCache > Cache Cluster > Allowed > Region - AWS > ElastiCache > Cache Cluster > Allowed > Region > Regions - AWS > ElastiCache > Cache Parameter Group > Allowed - AWS > ElastiCache > Cache Parameter Group > Allowed > Custom - AWS > ElastiCache > Cache Parameter Group > Allowed > Custom > Rules - AWS > ElastiCache > Cache Parameter Group > Allowed > Region - AWS > ElastiCache > Cache Parameter Group > Allowed > Region > Regions - AWS > ElastiCache > Replication Group > Allowed - AWS > ElastiCache > Replication Group > Allowed > Custom - AWS > ElastiCache > Replication Group > Allowed > Custom > Rules - AWS > ElastiCache > Replication Group > Allowed > Region - AWS > ElastiCache > Replication Group > Allowed > Region > Regions - AWS > ElastiCache > Snapshot > Allowed - AWS > ElastiCache > Snapshot > Allowed > Custom - AWS > ElastiCache > Snapshot > Allowed > Custom > Rules - AWS > ElastiCache > Snapshot > Allowed > Region - AWS > ElastiCache > Snapshot > Allowed > Region > Regions

aws-efs v5.12.0 - Identify and remove unallowed resources from CMDB

Mon, 05 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > EFS > FileSystem > Allowed - AWS > EFS > FileSystem > Allowed > Custom - AWS > EFS > FileSystem > Allowed > Encryption at Rest - AWS > EFS > FileSystem > Allowed > Region - AWS > EFS > Mount Target > Allowed - AWS > EFS > Mount Target > Allowed > Custom - AWS > EFS > Mount Target > Allowed > Region _Policy Types_ - AWS > EFS > Allowed Regions [Default] - AWS > EFS > FileSystem > Allowed - AWS > EFS > FileSystem > Allowed > Custom - AWS > EFS > FileSystem > Allowed > Custom > Rules - AWS > EFS > FileSystem > Allowed > Encryption at Rest - AWS > EFS > FileSystem > Allowed > Encryption at Rest > Level - AWS > EFS > FileSystem > Allowed > Encryption at Rest > Level > Customer Managed Key - AWS > EFS > FileSystem > Allowed > Region - AWS > EFS > FileSystem > Allowed > Region > Regions - AWS > EFS > Mount Target > Allowed - AWS > EFS > Mount Target > Allowed > Custom - AWS > EFS > Mount Target > Allowed > Custom > Rules - AWS > EFS > Mount Target > Allowed > Region - AWS > EFS > Mount Target > Allowed > Region > Regions

aws-ecs v5.11.0 - Identify and remove unallowed resources from CMDB

Mon, 05 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > ECS > Cluster > Allowed - AWS > ECS > Cluster > Allowed > Custom - AWS > ECS > Cluster > Allowed > Region - AWS > ECS > Container Instance > Allowed - AWS > ECS > Container Instance > Allowed > Custom - AWS > ECS > Container Instance > Allowed > Region - AWS > ECS > Service > Allowed - AWS > ECS > Service > Allowed > Custom - AWS > ECS > Service > Allowed > Region - AWS > ECS > Task Definition > Allowed - AWS > ECS > Task Definition > Allowed > Custom - AWS > ECS > Task Definition > Allowed > Region _Policy Types_ - AWS > ECS > Allowed Regions [Default] - AWS > ECS > Cluster > Allowed - AWS > ECS > Cluster > Allowed > Custom - AWS > ECS > Cluster > Allowed > Custom > Rules - AWS > ECS > Cluster > Allowed > Region - AWS > ECS > Cluster > Allowed > Region > Regions - AWS > ECS > Container Instance > Allowed - AWS > ECS > Container Instance > Allowed > Custom - AWS > ECS > Container Instance > Allowed > Custom > Rules - AWS > ECS > Container Instance > Allowed > Region - AWS > ECS > Container Instance > Allowed > Region > Regions - AWS > ECS > Service > Allowed - AWS > ECS > Service > Allowed > Custom - AWS > ECS > Service > Allowed > Custom > Rules - AWS > ECS > Service > Allowed > Region - AWS > ECS > Service > Allowed > Region > Regions - AWS > ECS > Task Definition > Allowed - AWS > ECS > Task Definition > Allowed > Custom - AWS > ECS > Task Definition > Allowed > Custom > Rules - AWS > ECS > Task Definition > Allowed > Region - AWS > ECS > Task Definition > Allowed > Region > Regions

aws-ecr v5.16.0 - Identify and remove unallowed resources from CMDB

Mon, 05 Jan 2026 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > ECR > Image > Allowed - AWS > ECR > Image > Allowed > Custom - AWS > ECR > Image > Allowed > Region - AWS > ECR > Public Repository > Allowed - AWS > ECR > Public Repository > Allowed > Custom - AWS > ECR > Repository > Allowed - AWS > ECR > Repository > Allowed > Custom - AWS > ECR > Repository > Allowed > Encryption at Rest - AWS > ECR > Repository > Allowed > Region _Policy Types_ - AWS > ECR > Allowed Regions [Default] - AWS > ECR > Image > Allowed - AWS > ECR > Image > Allowed > Custom - AWS > ECR > Image > Allowed > Custom > Rules - AWS > ECR > Image > Allowed > Region - AWS > ECR > Image > Allowed > Region > Regions - AWS > ECR > Public Repository > Allowed - AWS > ECR > Public Repository > Allowed > Custom - AWS > ECR > Public Repository > Allowed > Custom > Rules - AWS > ECR > Repository > Allowed - AWS > ECR > Repository > Allowed > Custom - AWS > ECR > Repository > Allowed > Custom > Rules - AWS > ECR > Repository > Allowed > Encryption at Rest - AWS > ECR > Repository > Allowed > Encryption at Rest > Level - AWS > ECR > Repository > Allowed > Encryption at Rest > Level > Customer Managed Key - AWS > ECR > Repository > Allowed > Region - AWS > ECR > Repository > Allowed > Region > Regions

azure-network v5.28.0 - Track and manage NAT Gateway resources in Guardrails

Wed, 24 Dec 2025 09:00:00 GMT

_Resource Types_ - Azure > Network > NAT Gateway _Control Types_ - Azure > Network > NAT Gateway > Active - Azure > Network > NAT Gateway > Allowed - Azure > Network > NAT Gateway > Allowed > Custom - Azure > Network > NAT Gateway > Allowed > Region - Azure > Network > NAT Gateway > CMDB - Azure > Network > NAT Gateway > Discovery - Azure > Network > NAT Gateway > Tags _Policy Types_ - Azure > Network > NAT Gateway > Active - Azure > Network > NAT Gateway > Active > Age - Azure > Network > NAT Gateway > Active > Last Modified - Azure > Network > NAT Gateway > Allowed - Azure > Network > NAT Gateway > Allowed > Custom - Azure > Network > NAT Gateway > Allowed > Custom > Rules - Azure > Network > NAT Gateway > Allowed > Region - Azure > Network > NAT Gateway > Allowed > Region > Regions - Azure > Network > NAT Gateway > CMDB - Azure > Network > NAT Gateway > Regions - Azure > Network > NAT Gateway > Tags - Azure > Network > NAT Gateway > Tags > Template _Action Types_ - Azure > Network > NAT Gateway > Delete - Azure > Network > NAT Gateway > Router - Azure > Network > NAT Gateway > Set Tags

aws-ec2 v5.50.0 - Improve AMI lineage discovery using native AWS API

Tue, 23 Dec 2025 09:00:00 GMT

_What's new?_ - The `AWS > EC2 > AMI > CMDB` control now uses AWS's native `GetImageAncestry` API to track AMI lineage. This provides complete ancestry information beyond the previous three-level limitation, offering improved accuracy and visibility into AMI lineage across accounts and regions. The previous manual parent AMI hierarchy tracking (limited to parent, grandparent, and great-grandparent) has been replaced with this more comprehensive API-based approach.

aws-cisv3-0 v5.0.7 - Controls now correctly resolve to Skipped state when dependent CMDB controls are Skipped or TBD

Tue, 23 Dec 2025 09:00:00 GMT

_Bug fixes_ - Fixed an issue where controls could incorrectly enter an Invalid or TBD state when dependent CMDB controls were Skipped or TBD, even when the corresponding policies were set to Skip. Controls now correctly resolve to a Skipped state in these scenarios.

aws-sqs v5.20.0 - Identify and remove unallowed resources from CMDB

Mon, 22 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > SQS > Queue > Allowed - AWS > SQS > Queue > Allowed > Custom - AWS > SQS > Queue > Allowed > Region _Policy Types_ - AWS > SQS > Allowed Regions [Default] - AWS > SQS > Queue > Allowed - AWS > SQS > Queue > Allowed > Custom - AWS > SQS > Queue > Allowed > Custom > Rules - AWS > SQS > Queue > Allowed > Region - AWS > SQS > Queue > Allowed > Region > Regions

aws-sns v5.20.0 - Identify and remove unallowed resources from CMDB

Mon, 22 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > SNS > Subscription > Allowed - AWS > SNS > Subscription > Allowed > Custom - AWS > SNS > Subscription > Allowed > Region - AWS > SNS > Topic > Allowed - AWS > SNS > Topic > Allowed > Custom - AWS > SNS > Topic > Allowed > Region _Policy Types_ - AWS > SNS > Allowed Regions [Default] - AWS > SNS > Subscription > Allowed - AWS > SNS > Subscription > Allowed > Custom - AWS > SNS > Subscription > Allowed > Custom > Rules - AWS > SNS > Subscription > Allowed > Region - AWS > SNS > Subscription > Allowed > Region > Regions - AWS > SNS > Topic > Allowed - AWS > SNS > Topic > Allowed > Custom - AWS > SNS > Topic > Allowed > Custom > Rules - AWS > SNS > Topic > Allowed > Region - AWS > SNS > Topic > Allowed > Region > Regions

aws v5.42.0 - Track and Manage Organization Policies in CMDB

Fri, 19 Dec 2025 09:00:00 GMT

_What's new?_ - You can now track and manage AWS Organizations policies in CMDB, including AI Services Opt-Out Policy, Backup Policy, Chatbot Policy, Declarative Policy EC2, Resource Control Policy, Service Control Policy, and Tag Policy. - Account CMDB data now includes details about account regions, effective organization policies, and attached organization policies. _Resource Types_ - AWS > Organizations - AWS > Organizations > AI Services Opt-Out Policy - AWS > Organizations > Backup Policy - AWS > Organizations > Chatbot Policy - AWS > Organizations > Declarative Policy EC2 - AWS > Organizations > Resource Control Policy - AWS > Organizations > Service Control Policy - AWS > Organizations > Tag Policy _Policy Types_ - AWS > Organization > Discovery Level - AWS > Organizations > AI Services Opt-Out Policy > CMDB - AWS > Organizations > Backup Policy > CMDB - AWS > Organizations > Chatbot Policy > CMDB - AWS > Organizations > Declarative Policy EC2 > CMDB - AWS > Organizations > Resource Control Policy > CMDB - AWS > Organizations > Service Control Policy > CMDB - AWS > Organizations > Tag Policy > CMDB _Control Types_ - AWS > Organizations > AI Services Opt-Out Policy > CMDB - AWS > Organizations > AI Services Opt-Out Policy > Discovery - AWS > Organizations > Backup Policy > CMDB - AWS > Organizations > Backup Policy > Discovery - AWS > Organizations > Chatbot Policy > CMDB - AWS > Organizations > Chatbot Policy > Discovery - AWS > Organizations > Declarative Policy EC2 > CMDB - AWS > Organizations > Declarative Policy EC2 > Discovery - AWS > Organizations > Resource Control Policy > CMDB - AWS > Organizations > Resource Control Policy > Discovery - AWS > Organizations > Service Control Policy > CMDB - AWS > Organizations > Service Control Policy > Discovery - AWS > Organizations > Tag Policy > CMDB - AWS > Organizations > Tag Policy > Discovery _Action Types_ - AWS > Organizations > AI Services Opt-Out Policy > Router - AWS > Organizations > Backup Policy > Router - AWS > Organizations > Chatbot Policy > Router - AWS > Organizations > Declarative Policy EC2 > Router - AWS > Organizations > Resource Control Policy > Router - AWS > Organizations > Service Control Policy > Router - AWS > Organizations > Tag Policy > Router

aws-organizations v5.7.0 - Organizations service resource type is now deprecated

Fri, 19 Dec 2025 09:00:00 GMT

_What's new?_ - Deprecated the `AWS > Organizations` service resource type to help differentiate it from the latest `AWS > Organizations` resource type in the `aws` mod. _Resource Types_ _Renamed_ - AWS > Organizations to AWS > Organizations [Deprecated] - AWS > Organizations > Organization to AWS > Organizations [Deprecated] > Organization - AWS > Organizations > Organization Root to AWS > Organizations [Deprecated] > Organization Root - AWS > Organizations > Organizational Account to AWS > Organizations [Deprecated] > Organizational Account - AWS > Organizations > Organizational Unit to AWS > Organizations [Deprecated] > Organizational Unit _Control Types_ _Renamed_ - AWS > Organizations > Organization > CMDB to AWS > Organizations [Deprecated] > Organization > CMDB - AWS > Organizations > Organization > Discovery to AWS > Organizations [Deprecated] > Organization > Discovery - AWS > Organizations > Organization > Intelligent Assessment to AWS > Organizations [Deprecated] > Organization > Intelligent Assessment - AWS > Organizations > Organization Root > Active to AWS > Organizations [Deprecated] > Organization Root > Active - AWS > Organizations > Organization Root > Approved to AWS > Organizations [Deprecated] > Organization Root > Approved - AWS > Organizations > Organization Root > CMDB to AWS > Organizations [Deprecated] > Organization Root > CMDB - AWS > Organizations > Organization Root > Discovery to AWS > Organizations [Deprecated] > Organization Root > Discovery - AWS > Organizations > Organization Root > Intelligent Assessment to AWS > Organizations [Deprecated] > Organization Root > Intelligent Assessment - AWS > Organizations > Organizational Account > Active to AWS > Organizations [Deprecated] > Organizational Account > Active - AWS > Organizations > Organizational Account > Approved to AWS > Organizations [Deprecated] > Organizational Account > Approved - AWS > Organizations > Organizational Account > CMDB to AWS > Organizations [Deprecated] > Organizational Account > CMDB - AWS > Organizations > Organizational Account > Discovery to AWS > Organizations [Deprecated] > Organizational Account > Discovery - AWS > Organizations > Organizational Account > Intelligent Assessment to AWS > Organizations [Deprecated] > Organizational Account > Intelligent Assessment - AWS > Organizations > Organizational Unit > CMDB to AWS > Organizations [Deprecated] > Organizational Unit > CMDB - AWS > Organizations > Organizational Unit > Discovery to AWS > Organizations [Deprecated] > Organizational Unit > Discovery - AWS > Organizations > Organizational Unit > Intelligent Assessment to AWS > Organizations [Deprecated] > Organizational Unit > Intelligent Assessment _Policy Types_ _Renamed_ - AWS > Organizations > API Enabled to AWS > Organizations [Deprecated] > API Enabled - AWS > Organizations > Enabled to AWS > Organizations [Deprecated] > Enabled - AWS > Organizations > Organization > CMDB to AWS > Organizations [Deprecated] > Organization > CMDB - AWS > Organizations > Organization > Intelligent Assessment to AWS > Organizations [Deprecated] > Organization > Intelligent Assessment - AWS > Organizations > Organization > Intelligent Assessment > Context to AWS > Organizations [Deprecated] > Organization > Intelligent Assessment > Context - AWS > Organizations > Organization > Intelligent Assessment > User Prompt to AWS > Organizations [Deprecated] > Organization > Intelligent Assessment > User Prompt - AWS > Organizations > Organization Root > Active to AWS > Organizations [Deprecated] > Organization Root > Active - AWS > Organizations > Organization Root > Active > Age to AWS > Organizations [Deprecated] > Organization Root > Active > Age - AWS > Organizations > Organization Root > Active > Last Modified to AWS > Organizations [Deprecated] > Organization Root > Active > Last Modified - AWS > Organizations > Organization Root > Approved to AWS > Organizations [Deprecated] > Organization Root > Approved - AWS > Organizations > Organization Root > Approved > Custom to AWS > Organizations [Deprecated] > Organization Root > Approved > Custom - AWS > Organizations > Organization Root > Approved > Usage to AWS > Organizations [Deprecated] > Organization Root > Approved > Usage - AWS > Organizations > Organization Root > CMDB to AWS > Organizations [Deprecated] > Organization Root > CMDB - AWS > Organizations > Organization Root > Intelligent Assessment to AWS > Organizations [Deprecated] > Organization Root > Intelligent Assessment - AWS > Organizations > Organization Root > Intelligent Assessment > Context to AWS > Organizations [Deprecated] > Organization Root > Intelligent Assessment > Context - AWS > Organizations > Organization Root > Intelligent Assessment > User Prompt to AWS > Organizations [Deprecated] > Organization Root > Intelligent Assessment > User Prompt - AWS > Organizations > Organizational Account > Active to AWS > Organizations [Deprecated] > Organizational Account > Active - AWS > Organizations > Organizational Account > Active > Age to AWS > Organizations [Deprecated] > Organizational Account > Active > Age - AWS > Organizations > Organizational Account > Active > Last Modified to AWS > Organizations [Deprecated] > Organizational Account > Active > Last Modified - AWS > Organizations > Organizational Account > Approved to AWS > Organizations [Deprecated] > Organizational Account > Approved - AWS > Organizations > Organizational Account > Approved > Custom to AWS > Organizations [Deprecated] > Organizational Account > Approved > Custom - AWS > Organizations > Organizational Account > Approved > Usage to AWS > Organizations [Deprecated] > Organizational Account > Approved > Usage - AWS > Organizations > Organizational Account > CMDB to AWS > Organizations [Deprecated] > Organizational Account > CMDB - AWS > Organizations > Organizational Account > Intelligent Assessment to AWS > Organizations [Deprecated] > Organizational Account > Intelligent Assessment - AWS > Organizations > Organizational Account > Intelligent Assessment > Context to AWS > Organizations [Deprecated] > Organizational Account > Intelligent Assessment > Context - AWS > Organizations > Organizational Account > Intelligent Assessment > User Prompt to AWS > Organizations [Deprecated] > Organizational Account > Intelligent Assessment > User Prompt - AWS > Organizations > Organizational Unit > CMDB to AWS > Organizations [Deprecated] > Organizational Unit > CMDB - AWS > Organizations > Organizational Unit > Intelligent Assessment to AWS > Organizations [Deprecated] > Organizational Unit > Intelligent Assessment - AWS > Organizations > Organizational Unit > Intelligent Assessment > Context to AWS > Organizations [Deprecated] > Organizational Unit > Intelligent Assessment > Context - AWS > Organizations > Organizational Unit > Intelligent Assessment > User Prompt to AWS > Organizations [Deprecated] > Organizational Unit > Intelligent Assessment > User Prompt - AWS > Organizations > Permissions to AWS > Organizations [Deprecated] > Permissions - AWS > Organizations > Permissions > Levels to AWS > Organizations [Deprecated] > Permissions > Levels - AWS > Organizations > Permissions > Levels > Modifiers to AWS > Organizations [Deprecated] > Permissions > Levels > Modifiers - AWS > Organizations > Permissions > Lockdown to AWS > Organizations [Deprecated] > Permissions > Lockdown - AWS > Organizations > Permissions > Lockdown > API Boundary to AWS > Organizations [Deprecated] > Permissions > Lockdown > API Boundary _Action Types_ _Renamed_ - AWS > Organizations > Organization Root > Router to AWS > Organizations [Deprecated] > Organization Root > Router - AWS > Organizations > Organization Root > Skip alarm for Active control to AWS > Organizations [Deprecated] > Organization Root > Skip alarm for Active control - AWS > Organizations > Organization Root > Skip alarm for Active control [90 days] to AWS > Organizations [Deprecated] > Organization Root > Skip alarm for Active control [90 days] - AWS > Organizations > Organization Root > Skip alarm for Approved control to AWS > Organizations [Deprecated] > Organization Root > Skip alarm for Approved control - AWS > Organizations > Organization Root > Skip alarm for Approved control [90 days] to AWS > Organizations [Deprecated] > Organization Root > Skip alarm for Approved control [90 days] - AWS > Organizations > Organizational Account > Router to AWS > Organizations [Deprecated] > Organizational Account > Router - AWS > Organizations > Organizational Account > Skip alarm for Active control to AWS > Organizations [Deprecated] > Organizational Account > Skip alarm for Active control - AWS > Organizations > Organizational Account > Skip alarm for Active control [90 days] to AWS > Organizations [Deprecated] > Organizational Account > Skip alarm for Active control [90 days] - AWS > Organizations > Organizational Account > Skip alarm for Approved control to AWS > Organizations [Deprecated] > Organizational Account > Skip alarm for Approved control - AWS > Organizations > Organizational Account > Skip alarm for Approved control [90 days] to AWS > Organizations [Deprecated] > Organizational Account > Skip alarm for Approved control [90 days] - AWS > Organizations > Organizational Unit > Router to AWS > Organizations [Deprecated] > Organizational Unit > Router

aws-msk v5.7.0 - Identify and remove unallowed resources from CMDB

Fri, 19 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > MSK > Cluster > Allowed - AWS > MSK > Cluster > Allowed > Custom - AWS > MSK > Cluster > Allowed > Instance Type - AWS > MSK > Cluster > Allowed > Region _Policy Types_ - AWS > MSK > Allowed Regions [Default] - AWS > MSK > Cluster > Allowed - AWS > MSK > Cluster > Allowed > Custom - AWS > MSK > Cluster > Allowed > Custom > Rules - AWS > MSK > Cluster > Allowed > Instance Type - AWS > MSK > Cluster > Allowed > Instance Type > Instance Types - AWS > MSK > Cluster > Allowed > Region - AWS > MSK > Cluster > Allowed > Region > Regions

aws-events v5.17.0 - Identify and remove unallowed resources from CMDB

Fri, 19 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > Events > Event Bus > Allowed - AWS > Events > Event Bus > Allowed > Custom - AWS > Events > Event Bus > Allowed > Region - AWS > Events > Rule > Allowed - AWS > Events > Rule > Allowed > Custom - AWS > Events > Rule > Allowed > Region - AWS > Events > Target > Allowed - AWS > Events > Target > Allowed > Custom - AWS > Events > Target > Allowed > Region _Policy Types_ - AWS > Events > Allowed Regions [Default] - AWS > Events > Event Bus > Allowed - AWS > Events > Event Bus > Allowed > Custom - AWS > Events > Event Bus > Allowed > Custom > Rules - AWS > Events > Event Bus > Allowed > Region - AWS > Events > Event Bus > Allowed > Region > Regions - AWS > Events > Rule > Allowed - AWS > Events > Rule > Allowed > Custom - AWS > Events > Rule > Allowed > Custom > Rules - AWS > Events > Rule > Allowed > Region - AWS > Events > Rule > Allowed > Region > Regions - AWS > Events > Target > Allowed - AWS > Events > Target > Allowed > Custom - AWS > Events > Target > Allowed > Custom > Rules - AWS > Events > Target > Allowed > Region - AWS > Events > Target > Allowed > Region > Regions

aws-apigateway v5.14.0 - Identify and remove unallowed resources from CMDB

Fri, 19 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > API Gateway > API > Allowed - AWS > API Gateway > API > Allowed > Custom - AWS > API Gateway > API > Allowed > Region - AWS > API Gateway > API Key > Allowed - AWS > API Gateway > API Key > Allowed > Custom - AWS > API Gateway > API Key > Allowed > Region - AWS > API Gateway > API V2 > Allowed - AWS > API Gateway > API V2 > Allowed > Custom - AWS > API Gateway > API V2 > Allowed > Region - AWS > API Gateway > Authorizer > Allowed - AWS > API Gateway > Authorizer > Allowed > Custom - AWS > API Gateway > Authorizer > Allowed > Region - AWS > API Gateway > Authorizer V2 > Allowed - AWS > API Gateway > Authorizer V2 > Allowed > Custom - AWS > API Gateway > Authorizer V2 > Allowed > Region - AWS > API Gateway > Domain Name V2 > Allowed - AWS > API Gateway > Domain Name V2 > Allowed > Custom - AWS > API Gateway > Domain Name V2 > Allowed > Region - AWS > API Gateway > Integration V2 > Allowed - AWS > API Gateway > Integration V2 > Allowed > Custom - AWS > API Gateway > Integration V2 > Allowed > Region - AWS > API Gateway > Resource > Allowed - AWS > API Gateway > Resource > Allowed > Custom - AWS > API Gateway > Resource > Allowed > Region - AWS > API Gateway > Stage > Allowed - AWS > API Gateway > Stage > Allowed > Custom - AWS > API Gateway > Stage > Allowed > Region - AWS > API Gateway > Stage v2 > Allowed - AWS > API Gateway > Stage v2 > Allowed > Custom - AWS > API Gateway > Stage v2 > Allowed > Region - AWS > API Gateway > Usage Plan > Allowed - AWS > API Gateway > Usage Plan > Allowed > Custom - AWS > API Gateway > Usage Plan > Allowed > Region _Policy Types_ - AWS > API Gateway > API > Allowed - AWS > API Gateway > API > Allowed > Custom - AWS > API Gateway > API > Allowed > Custom > Rules - AWS > API Gateway > API > Allowed > Region - AWS > API Gateway > API > Allowed > Region > Regions - AWS > API Gateway > API Key > Allowed - AWS > API Gateway > API Key > Allowed > Custom - AWS > API Gateway > API Key > Allowed > Custom > Rules - AWS > API Gateway > API Key > Allowed > Region - AWS > API Gateway > API Key > Allowed > Region > Regions - AWS > API Gateway > API V2 > Allowed - AWS > API Gateway > API V2 > Allowed > Custom - AWS > API Gateway > API V2 > Allowed > Custom > Rules - AWS > API Gateway > API V2 > Allowed > Region - AWS > API Gateway > API V2 > Allowed > Region > Regions - AWS > API Gateway > Allowed Regions [Default] - AWS > API Gateway > Authorizer > Allowed - AWS > API Gateway > Authorizer > Allowed > Custom - AWS > API Gateway > Authorizer > Allowed > Custom > Rules - AWS > API Gateway > Authorizer > Allowed > Region - AWS > API Gateway > Authorizer > Allowed > Region > Regions - AWS > API Gateway > Authorizer V2 > Allowed - AWS > API Gateway > Authorizer V2 > Allowed > Custom - AWS > API Gateway > Authorizer V2 > Allowed > Custom > Rules - AWS > API Gateway > Authorizer V2 > Allowed > Region - AWS > API Gateway > Authorizer V2 > Allowed > Region > Regions - AWS > API Gateway > Domain Name V2 > Allowed - AWS > API Gateway > Domain Name V2 > Allowed > Custom - AWS > API Gateway > Domain Name V2 > Allowed > Custom > Rules - AWS > API Gateway > Domain Name V2 > Allowed > Region - AWS > API Gateway > Domain Name V2 > Allowed > Region > Regions - AWS > API Gateway > Integration V2 > Allowed - AWS > API Gateway > Integration V2 > Allowed > Custom - AWS > API Gateway > Integration V2 > Allowed > Custom > Rules - AWS > API Gateway > Integration V2 > Allowed > Region - AWS > API Gateway > Integration V2 > Allowed > Region > Regions - AWS > API Gateway > Resource > Allowed - AWS > API Gateway > Resource > Allowed > Custom - AWS > API Gateway > Resource > Allowed > Custom > Rules - AWS > API Gateway > Resource > Allowed > Region - AWS > API Gateway > Resource > Allowed > Region > Regions - AWS > API Gateway > Stage > Allowed - AWS > API Gateway > Stage > Allowed > Custom - AWS > API Gateway > Stage > Allowed > Custom > Rules - AWS > API Gateway > Stage > Allowed > Region - AWS > API Gateway > Stage > Allowed > Region > Regions - AWS > API Gateway > Stage v2 > Allowed - AWS > API Gateway > Stage v2 > Allowed > Custom - AWS > API Gateway > Stage v2 > Allowed > Custom > Rules - AWS > API Gateway > Stage v2 > Allowed > Region - AWS > API Gateway > Stage v2 > Allowed > Region > Regions - AWS > API Gateway > Usage Plan > Allowed - AWS > API Gateway > Usage Plan > Allowed > Custom - AWS > API Gateway > Usage Plan > Allowed > Custom > Rules - AWS > API Gateway > Usage Plan > Allowed > Region - AWS > API Gateway > Usage Plan > Allowed > Region > Regions

aws-s3 v5.33.2 - Real-time tagging events for buckets will now be processed correctly

Thu, 18 Dec 2025 09:00:00 GMT

_Bug fixes_ - Real-time tagging events for `AWS > S3 > Bucket` were not being processed correctly. This is now fixed.

aws-route53resolver v5.7.0 - Identify and remove unallowed resources from CMDB

Thu, 18 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > Route 53 Resolver > Resolver Endpoint > Allowed - AWS > Route 53 Resolver > Resolver Endpoint > Allowed > Custom - AWS > Route 53 Resolver > Resolver Endpoint > Allowed > Region - AWS > Route 53 Resolver > Resolver Rule > Allowed - AWS > Route 53 Resolver > Resolver Rule > Allowed > Custom - AWS > Route 53 Resolver > Resolver Rule > Allowed > Region _Policy Types_ - AWS > Route 53 Resolver > Allowed Regions [Default] - AWS > Route 53 Resolver > Resolver Endpoint > Allowed - AWS > Route 53 Resolver > Resolver Endpoint > Allowed > Custom - AWS > Route 53 Resolver > Resolver Endpoint > Allowed > Custom > Rules - AWS > Route 53 Resolver > Resolver Endpoint > Allowed > Region - AWS > Route 53 Resolver > Resolver Endpoint > Allowed > Region > Regions - AWS > Route 53 Resolver > Resolver Rule > Allowed - AWS > Route 53 Resolver > Resolver Rule > Allowed > Custom - AWS > Route 53 Resolver > Resolver Rule > Allowed > Custom > Rules - AWS > Route 53 Resolver > Resolver Rule > Allowed > Region - AWS > Route 53 Resolver > Resolver Rule > Allowed > Region > Regions

aws-elasticsearch v5.9.0 - Identify and remove unallowed resources from CMDB

Thu, 18 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > Elasticsearch > Domain > Allowed - AWS > Elasticsearch > Domain > Allowed > Custom - AWS > Elasticsearch > Domain > Allowed > Encryption at Rest - AWS > Elasticsearch > Domain > Allowed > Region _Policy Types_ - AWS > Elasticsearch > Allowed Regions [Default] - AWS > Elasticsearch > Domain > Allowed - AWS > Elasticsearch > Domain > Allowed > Custom - AWS > Elasticsearch > Domain > Allowed > Custom > Rules - AWS > Elasticsearch > Domain > Allowed > Encryption at Rest - AWS > Elasticsearch > Domain > Allowed > Encryption at Rest > Level - AWS > Elasticsearch > Domain > Allowed > Encryption at Rest > Level > Customer Managed Key - AWS > Elasticsearch > Domain > Allowed > Region - AWS > Elasticsearch > Domain > Allowed > Region > Regions

aws-dynamodb v5.18.0 - Identify and remove unallowed resources from CMDB

Thu, 18 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > DynamoDB > Backup > Allowed - AWS > DynamoDB > Backup > Allowed > Custom - AWS > DynamoDB > Backup > Allowed > Region - AWS > DynamoDB > Global Table > Allowed - AWS > DynamoDB > Global Table > Allowed > Custom - AWS > DynamoDB > Table > Allowed - AWS > DynamoDB > Table > Allowed > Custom - AWS > DynamoDB > Table > Allowed > Region _Policy Types_ - AWS > DynamoDB > Allowed Regions [Default] - AWS > DynamoDB > Backup > Allowed - AWS > DynamoDB > Backup > Allowed > Custom - AWS > DynamoDB > Backup > Allowed > Custom > Rules - AWS > DynamoDB > Backup > Allowed > Region - AWS > DynamoDB > Backup > Allowed > Region > Regions - AWS > DynamoDB > Global Table > Allowed - AWS > DynamoDB > Global Table > Allowed > Custom - AWS > DynamoDB > Global Table > Allowed > Custom > Rules - AWS > DynamoDB > Table > Allowed - AWS > DynamoDB > Table > Allowed > Custom - AWS > DynamoDB > Table > Allowed > Custom > Rules - AWS > DynamoDB > Table > Allowed > Region - AWS > DynamoDB > Table > Allowed > Region > Regions

aws-controltower v5.0.0 is now available

Thu, 18 Dec 2025 09:00:00 GMT

_What's new?_ _Resource Types_ - AWS > Control Tower - AWS > Control Tower > Enabled Control - AWS > Control Tower > Landing Zone _Control Types_ - AWS > Control Tower > Enabled Control > CMDB - AWS > Control Tower > Enabled Control > Discovery - AWS > Control Tower > Enabled Control > Tags - AWS > Control Tower > Landing Zone > CMDB - AWS > Control Tower > Landing Zone > Discovery _Policy Types_ - AWS > Control Tower > API Enabled - AWS > Control Tower > Allowed Regions [Default] - AWS > Control Tower > Approved Regions [Default] - AWS > Control Tower > Enabled - AWS > Control Tower > Enabled Control > CMDB - AWS > Control Tower > Enabled Control > Regions - AWS > Control Tower > Enabled Control > Tags - AWS > Control Tower > Enabled Control > Tags > Template - AWS > Control Tower > Landing Zone > CMDB - AWS > Control Tower > Landing Zone > Regions - AWS > Control Tower > Permissions - AWS > Control Tower > Permissions > Levels - AWS > Control Tower > Permissions > Levels > Modifiers - AWS > Control Tower > Permissions > Lockdown - AWS > Control Tower > Permissions > Lockdown > API Boundary - AWS > Control Tower > Regions - AWS > Control Tower > Tags Template [Default] - AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-controltower - AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-controltower - AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-controltower - AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-controltower _Action Types_ - AWS > Control Tower > Enabled Control > Router - AWS > Control Tower > Enabled Control > Set Tags - AWS > Control Tower > Enabled Control > Skip alarm for Tags control - AWS > Control Tower > Enabled Control > Skip alarm for Tags control [90 days] - AWS > Control Tower > Enabled Control > Update Tags - AWS > Control Tower > Landing Zone > Delete - AWS > Control Tower > Landing Zone > Delete Landing Zone - AWS > Control Tower > Landing Zone > Router

aws-cloudtrail v5.16.0 - Identify and remove unallowed resources from CMDB

Thu, 18 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > CloudTrail > Trail > Allowed - AWS > CloudTrail > Trail > Allowed > Custom - AWS > CloudTrail > Trail > Allowed > Region _Policy Types_ - AWS > CloudTrail > Allowed Regions [Default] - AWS > CloudTrail > Trail > Allowed - AWS > CloudTrail > Trail > Allowed > Custom - AWS > CloudTrail > Trail > Allowed > Custom > Rules - AWS > CloudTrail > Trail > Allowed > Region - AWS > CloudTrail > Trail > Allowed > Region > Regions

aws-cloudformation v5.14.0 - Track and manage hook resources in Guardrails

Thu, 18 Dec 2025 09:00:00 GMT

_What's new?_ _Resource Types_ - AWS > CloudFormation > Hook _Control Types_ - AWS > CloudFormation > Hook > Active - AWS > CloudFormation > Hook > Allowed - AWS > CloudFormation > Hook > Allowed > Custom - AWS > CloudFormation > Hook > Allowed > Region - AWS > CloudFormation > Hook > CMDB - AWS > CloudFormation > Hook > Discovery - AWS > CloudFormation > Hook > Usage - AWS > CloudFormation > Stack > Allowed - AWS > CloudFormation > Stack > Allowed > Custom - AWS > CloudFormation > Stack > Allowed > Region - AWS > CloudFormation > StackSet > Allowed - AWS > CloudFormation > StackSet > Allowed > Custom - AWS > CloudFormation > StackSet > Allowed > Region _Policy Types_ - AWS > CloudFormation > Allowed Regions [Default] - AWS > CloudFormation > Hook > Active - AWS > CloudFormation > Hook > Active > Age - AWS > CloudFormation > Hook > Active > Last Modified - AWS > CloudFormation > Hook > Allowed - AWS > CloudFormation > Hook > Allowed > Custom - AWS > CloudFormation > Hook > Allowed > Custom > Rules - AWS > CloudFormation > Hook > Allowed > Region - AWS > CloudFormation > Hook > Allowed > Region > Regions - AWS > CloudFormation > Hook > CMDB - AWS > CloudFormation > Hook > Regions - AWS > CloudFormation > Hook > Usage - AWS > CloudFormation > Hook > Usage > Limit - AWS > CloudFormation > Stack > Allowed - AWS > CloudFormation > Stack > Allowed > Custom - AWS > CloudFormation > Stack > Allowed > Custom > Rules - AWS > CloudFormation > Stack > Allowed > Region - AWS > CloudFormation > Stack > Allowed > Region > Regions - AWS > CloudFormation > StackSet > Allowed - AWS > CloudFormation > StackSet > Allowed > Custom - AWS > CloudFormation > StackSet > Allowed > Custom > Rules - AWS > CloudFormation > StackSet > Allowed > Region - AWS > CloudFormation > StackSet > Allowed > Region > Regions _Action Types_ - AWS > CloudFormation > Hook > Delete - AWS > CloudFormation > Hook > Delete from AWS - AWS > CloudFormation > Hook > Router - AWS > CloudFormation > Hook > Skip alarm for Active control - AWS > CloudFormation > Hook > Skip alarm for Active control [90 days]

aws-backup v5.15.0 - Identify and remove unallowed resources from CMDB

Thu, 18 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > Backup > Backup Plan > Allowed - AWS > Backup > Backup Plan > Allowed > Custom - AWS > Backup > Backup Plan > Allowed > Region - AWS > Backup > Backup Selection > Allowed - AWS > Backup > Backup Selection > Allowed > Custom - AWS > Backup > Backup Selection > Allowed > Region - AWS > Backup > Backup Vault > Allowed - AWS > Backup > Backup Vault > Allowed > Custom - AWS > Backup > Backup Vault > Allowed > Encryption at Rest - AWS > Backup > Backup Vault > Allowed > Region - AWS > Backup > Recovery Point > Allowed - AWS > Backup > Recovery Point > Allowed > Custom - AWS > Backup > Recovery Point > Allowed > Region _Policy Types_ - AWS > Backup > Allowed Regions [Default] - AWS > Backup > Backup Plan > Allowed - AWS > Backup > Backup Plan > Allowed > Custom - AWS > Backup > Backup Plan > Allowed > Custom > Rules - AWS > Backup > Backup Plan > Allowed > Region - AWS > Backup > Backup Plan > Allowed > Region > Regions - AWS > Backup > Backup Selection > Allowed - AWS > Backup > Backup Selection > Allowed > Custom - AWS > Backup > Backup Selection > Allowed > Custom > Rules - AWS > Backup > Backup Selection > Allowed > Region - AWS > Backup > Backup Selection > Allowed > Region > Regions - AWS > Backup > Backup Vault > Allowed - AWS > Backup > Backup Vault > Allowed > Custom - AWS > Backup > Backup Vault > Allowed > Custom > Rules - AWS > Backup > Backup Vault > Allowed > Encryption at Rest - AWS > Backup > Backup Vault > Allowed > Encryption at Rest > Level - AWS > Backup > Backup Vault > Allowed > Encryption at Rest > Level > Customer Managed Key - AWS > Backup > Backup Vault > Allowed > Region - AWS > Backup > Backup Vault > Allowed > Region > Regions - AWS > Backup > Recovery Point > Allowed - AWS > Backup > Recovery Point > Allowed > Custom - AWS > Backup > Recovery Point > Allowed > Custom > Rules - AWS > Backup > Recovery Point > Allowed > Region - AWS > Backup > Recovery Point > Allowed > Region > Regions

Turbot Guardrails CLI v1.30.0 - Added prevention support and improved inspect output

Thu, 18 Dec 2025 09:00:00 GMT

_What's new?_ - `turbot inspect` now supports **prevention types**, including validation for prevention mods. - Improved the `turbot inspect` command with better output formatting and more detailed information display for easier troubleshooting and analysis.

aws-batch v5.9.0 - Identify and remove unallowed resources from CMDB

Tue, 16 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > Batch > Compute Environment > Allowed - AWS > Batch > Compute Environment > Allowed > Custom - AWS > Batch > Compute Environment > Allowed > Region - AWS > Batch > Job Definition > Allowed - AWS > Batch > Job Definition > Allowed > Custom - AWS > Batch > Job Definition > Allowed > Region - AWS > Batch > Job Queue > Allowed - AWS > Batch > Job Queue > Allowed > Custom - AWS > Batch > Job Queue > Allowed > Region _Policy Types_ - AWS > Batch > Allowed Regions [Default] - AWS > Batch > Compute Environment > Allowed - AWS > Batch > Compute Environment > Allowed > Custom - AWS > Batch > Compute Environment > Allowed > Custom > Rules - AWS > Batch > Compute Environment > Allowed > Region - AWS > Batch > Compute Environment > Allowed > Region > Regions - AWS > Batch > Job Definition > Allowed - AWS > Batch > Job Definition > Allowed > Custom - AWS > Batch > Job Definition > Allowed > Custom > Rules - AWS > Batch > Job Definition > Allowed > Region - AWS > Batch > Job Definition > Allowed > Region > Regions - AWS > Batch > Job Queue > Allowed - AWS > Batch > Job Queue > Allowed > Custom - AWS > Batch > Job Queue > Allowed > Custom > Rules - AWS > Batch > Job Queue > Allowed > Region - AWS > Batch > Job Queue > Allowed > Region > Regions

aws-acm v5.12.0 - Identify and remove unallowed resources from CMDB

Tue, 16 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > ACM > Certificate > Allowed - AWS > ACM > Certificate > Allowed > Custom - AWS > ACM > Certificate > Allowed > Region _Policy Types_ - AWS > ACM > Allowed Region [Default] - AWS > ACM > Certificate > Allowed - AWS > ACM > Certificate > Allowed > Custom - AWS > ACM > Certificate > Allowed > Custom > Rules - AWS > ACM > Certificate > Allowed > Region - AWS > ACM > Certificate > Allowed > Region > Regions

Turbot Guardrails Enterprise (TE) v5.54.5 - Version bump to align with deployment requirements

Mon, 15 Dec 2025 09:00:00 GMT

Version bump to align with deployment requirements. _Requirements_ - Upgrade to `5.54.5` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.55.0 - Materialization default has changed to Automatic

Fri, 12 Dec 2025 09:00:00 GMT

_What's new?_ In this release, Guardrails changes the default for the `Turbot > Materialization` policy from `Always` to `Automatic`. - **Automatic** (Default) — Create controls and policy values only if a setting is explicitly defined for the primary policy. This can significantly reduce noise and improve performance. - **Always** — Guardrails creates controls and policy values for all applicable resources, even if no setting exists (legacy behavior). To retain the existing behavior (legacy materialization), set the Turbot > Materialization policy to Always before upgrading to 5.55.0. _Requirements_ - Upgrade to `5.55.0` requires your workspace to be on `5.54.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-kms v5.22.0 - Identify and remove unallowed resources from CMDB

Fri, 12 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > KMS > Key > Allowed - AWS > KMS > Key > Allowed > Custom - AWS > KMS > Key > Allowed > Customer Master Key Spec - AWS > KMS > Key > Allowed > Region _Policy Types_ - AWS > KMS > Allowed Regions [Default] - AWS > KMS > Key > Allowed - AWS > KMS > Key > Allowed > Custom - AWS > KMS > Key > Allowed > Custom > Rules - AWS > KMS > Key > Allowed > Customer Master Key Spec - AWS > KMS > Key > Allowed > Customer Master Key Spec > Specs - AWS > KMS > Key > Allowed > Region - AWS > KMS > Key > Allowed > Region > Regions

aws-directconnect v5.8.0 - Identify and remove unallowed resources from CMDB

Fri, 12 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > Direct Connect > Connection > Allowed - AWS > Direct Connect > Connection > Allowed > Custom - AWS > Direct Connect > Connection > Allowed > Region - AWS > Direct Connect > Direct Connect Gateway > Allowed - AWS > Direct Connect > Direct Connect Gateway > Allowed > Custom - AWS > Direct Connect > Lag > Allowed - AWS > Direct Connect > Lag > Allowed > Custom - AWS > Direct Connect > Lag > Allowed > Region - AWS > Direct Connect > Virtual Interface > Allowed - AWS > Direct Connect > Virtual Interface > Allowed > Custom - AWS > Direct Connect > Virtual Interface > Allowed > Region _Policy Types_ - AWS > Direct Connect > Allowed Regions [Default] - AWS > Direct Connect > Connection > Allowed - AWS > Direct Connect > Connection > Allowed > Custom - AWS > Direct Connect > Connection > Allowed > Custom > Rules - AWS > Direct Connect > Connection > Allowed > Region - AWS > Direct Connect > Connection > Allowed > Region > Regions - AWS > Direct Connect > Direct Connect Gateway > Allowed - AWS > Direct Connect > Direct Connect Gateway > Allowed > Custom - AWS > Direct Connect > Direct Connect Gateway > Allowed > Custom > Rules - AWS > Direct Connect > Lag > Allowed - AWS > Direct Connect > Lag > Allowed > Custom - AWS > Direct Connect > Lag > Allowed > Custom > Rules - AWS > Direct Connect > Lag > Allowed > Region - AWS > Direct Connect > Lag > Allowed > Region > Regions - AWS > Direct Connect > Virtual Interface > Allowed - AWS > Direct Connect > Virtual Interface > Allowed > Custom - AWS > Direct Connect > Virtual Interface > Allowed > Custom > Rules - AWS > Direct Connect > Virtual Interface > Allowed > Region - AWS > Direct Connect > Virtual Interface > Allowed > Region > Regions

aws-appmesh v5.7.0 - Identify and remove unallowed resources from CMDB

Fri, 12 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > App Mesh > Mesh > Allowed - AWS > App Mesh > Mesh > Allowed > Custom - AWS > App Mesh > Mesh > Allowed > Region _Policy Types_ - AWS > App Mesh > Allowed Regions [Default] - AWS > App Mesh > Mesh > Allowed - AWS > App Mesh > Mesh > Allowed > Custom - AWS > App Mesh > Mesh > Allowed > Custom > Rules - AWS > App Mesh > Mesh > Allowed > Region - AWS > App Mesh > Mesh > Allowed > Region > Regions

aws-amplify v5.7.0 - Identify and remove unallowed resources from CMDB

Fri, 12 Dec 2025 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > Amplify > App > Allowed - AWS > Amplify > App > Allowed > Custom - AWS > Amplify > App > Allowed > Region _Policy Types_ - AWS > Amplify > Allowed Regions [Default] - AWS > Amplify > App > Allowed - AWS > Amplify > App > Allowed > Custom - AWS > Amplify > App > Allowed > Custom > Rules - AWS > Amplify > App > Allowed > Region - AWS > Amplify > App > Allowed > Region > Regions

Turbot Guardrails Enterprise (TE) v5.53.11 - Simplified notification handling by removing checks that weren’t needed

Thu, 11 Dec 2025 09:00:00 GMT

_Bug fixes_ - Server - Simplified notification handling by removing checks that weren’t needed. _Requirements_ - Upgrade to `5.53.11` requires your workspace to be on `5.51.x` - TEF: 1.66.0 - TED: 1.9.1 - Mods: - @turbot/turbot: 5.55.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-quicksight v5.3.0 - Track and manage account settings resources in Guardrails

Thu, 11 Dec 2025 09:00:00 GMT

_What's new?_ _Resource Types_ - AWS > QuickSight > Account Settings _Control Types_ - AWS > QuickSight > Account Settings > CMDB - AWS > QuickSight > Account Settings > Discovery _Policy Types_ - AWS > QuickSight > Account Settings > CMDB - AWS > QuickSight > Connection Region - AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-quicksight _Action Types_ - AWS > QuickSight > Account Settings > Router Note: We recommend updating the `@turbot/aws` mod to `v5.41.0` for proper functionality.

github v5.5.0 - Fixed SSL certificate validation for GitHub Enterprise Server with self-signed certificates

Wed, 10 Dec 2025 09:00:00 GMT

_What's new?_ - GitHub controls previously failed to connect to the GitHub API when using GitHub Enterprise Server instances with self-signed certificates or internal CAs. The `NODE_TLS_REJECT_UNAUTHORIZED=0` environment variable is now correctly respected.

Turbot Guardrails Enterprise (TE) v5.54.4 - Improved materialization & TLS handling

Tue, 09 Dec 2025 09:00:00 GMT

_What's new?_ - Server - Propagate NODE_TLS_REJECT_UNAUTHORIZED to the GitHub mod Lambdas for VPC deployments that use self-signed certificates. _Bug fixes_ - Server - In Automatic materialization mode, the calculated policy values were coming through as null, but they are now being computed correctly. _Requirements_ - Upgrade to `5.54.4` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws v5.41.0 - Added support to process real-time events for AWS QuickSight

Fri, 05 Dec 2025 09:00:00 GMT

_What's new?_ - The `AWS > Turbot > Event Handlers` now support real-time events for AWS QuickSight. _Bug fixes_ - Fixed an issue where controls related to `AWS > Account > Budget > Target` and `AWS > Account > Budget > State` policy types were entering a TBD state because these policy types remained in an Inactive state even after policy settings were configured.

aws-iam v5.47.1 - Fixed policy mapping in IAM group managed control type

Fri, 28 Nov 2025 09:00:00 GMT

_Bug fixes_ - Fixed policy mapping in `AWS > Turbot > IAM > Group > Managed` control type.

aws-cloudtrail v5.15.0 - CMDB control for shadow trail will no longer transition to an error state when trails are deleted from the management account

Fri, 28 Nov 2025 09:00:00 GMT

_What's new?_ _Action Types_ - AWS > CloudTrail > Shadow Trail > Router _Bug fixes_ - The `AWS > CloudTrail > Shadow Trail > CMDB` control would enter an error state when trails were deleted from the management account. This issue has now been fixed.

Turbot Guardrails Enterprise (TE) v5.53.10 - Version bump to align with deployment requirements

Thu, 27 Nov 2025 09:00:00 GMT

Version bump to align with deployment requirements. _Requirements_ - Upgrade to `5.53.10` requires your workspace to be on `5.51.x` - TEF: 1.66.0 - TED: 1.9.1 - Mods: - @turbot/turbot: 5.55.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-ec2 v5.49.0 - AMI CMDB control now automatically tracks parent AMI hierarchy

Wed, 26 Nov 2025 09:00:00 GMT

_What's new?_ - The `AWS > EC2 > AMI > CMDB` control now automatically tracks the parent AMI hierarchy for each AMI. Parent lineage details—including AMI ID, creation date, source account ID, and source region—are stored in the parentImageIds metadata array. The system captures up to three levels of ancestry (parent, grandparent, and great-grandparent), providing improved visibility into AMI lineage across accounts and regions.

Turbot Guardrails Enterprise (TE) v5.53.9 - Version bump to align with deployment requirements

Tue, 25 Nov 2025 09:00:00 GMT

Version bump to align with deployment requirements. _Requirements_ - Upgrade to `5.53.9` requires your workspace to be on `5.51.x` - TEF: 1.66.0 - TED: 1.9.1 - Mods: - @turbot/turbot: 5.55.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-eks v5.9.2 - Fixed control mapping in cluster endpoint access policy and action types

Mon, 24 Nov 2025 09:00:00 GMT

_Bug fixes_ - Fixed control mapping in `AWS > EKS > Cluster > Endpoint Access` policy and action types.

Turbot Guardrails Enterprise (TE) v5.53.8 - Version bump to align with deployment requirements

Thu, 20 Nov 2025 09:00:00 GMT

Version bump to align with deployment requirements. _Requirements_ - Upgrade to `5.53.8` requires your workspace to be on `5.51.x` - TEF: 1.66.0 - TED: 1.9.1 - Mods: - @turbot/turbot: 5.55.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.54.3 - Improved cleanup of failed DB transactions

Tue, 18 Nov 2025 09:00:00 GMT

_Bug fixes_ - Server - Resolved a problem where notifications weren’t being delivered due to incorrectly handled rule settings. - Improved cleanup of failed DB transactions. _Requirements_ - Upgrade to `5.54.3` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.53.7 - Fix notification failures caused by rule settings

Tue, 18 Nov 2025 09:00:00 GMT

_Bug fixes_ - Server - Resolved a problem where notifications weren’t being delivered due to incorrectly handled rule settings. _Requirements_ - Upgrade to `5.53.7` requires your workspace to be on `5.51.x` - TEF: 1.66.0 - TED: 1.9.1 - Mods: - @turbot/turbot: 5.55.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails CLI v1.29.1 - Restored graphql notifications subcommand

Fri, 14 Nov 2025 09:00:00 GMT

_Bug Fixes_ - The `graphql notifications` subcommand, which was inadvertently removed in a previous version, has been restored.

Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them for 76 mods

Mon, 03 Nov 2025 09:00:00 GMT

_What's new?_ - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them. - servicenow `v5.6.0` - servicenow-aws `v5.6.0` - servicenow-aws-cloudtrail `v5.3.0` - servicenow-aws-cloudwatch `v5.3.0` - servicenow-aws-ec2 `v5.4.0` - servicenow-aws-iam `v5.3.0` - servicenow-aws-kms `v5.3.0` - servicenow-aws-rds `v5.3.0` - servicenow-aws-s3 `v5.5.0` - servicenow-aws-vpc-connect `v5.3.0` - servicenow-aws-vpc-core `v5.4.0` - servicenow-aws-vpc-internet `v5.4.0` - servicenow-aws-vpc-security `v5.3.0` - servicenow-azure `v5.9.0` - servicenow-azure-activedirectory `v5.3.0` - servicenow-azure-aks `v5.4.0` - servicenow-azure-apimanagement `v5.3.0` - servicenow-azure-applicationgateway `v5.3.0` - servicenow-azure-applicationinsights `v5.3.0` - servicenow-azure-appservice `v5.3.0` - servicenow-azure-automation `v5.3.0` - servicenow-azure-compute `v5.5.0` - servicenow-azure-cosmosdb `v5.3.0` - servicenow-azure-databricks `v5.3.0` - servicenow-azure-datafactory `v5.3.0` - servicenow-azure-dns `v5.3.0` - servicenow-azure-firewall `v5.3.0` - servicenow-azure-frontdoorservice `v5.3.0` - servicenow-azure-iam `v5.3.0` - servicenow-azure-keyvault `v5.3.0` - servicenow-azure-loadbalancer `v5.3.0` - servicenow-azure-loganalytics `v5.3.0` - servicenow-azure-monitor `v5.3.0` - servicenow-azure-mysql `v5.4.0` - servicenow-azure-network `v5.7.0` - servicenow-azure-networkwatcher `v5.3.0` - servicenow-azure-postgresql `v5.4.0` - servicenow-azure-recoveryservice `v5.3.0` - servicenow-azure-relay `v5.3.0` - servicenow-azure-searchmanagement `v5.2.0` - servicenow-azure-securitycenter `v5.3.0` - servicenow-azure-servicebus `v5.3.0` - servicenow-azure-signalr `v5.3.0` - servicenow-azure-sql `v5.4.0` - servicenow-azure-sqlvirtualmachine `v5.3.0` - servicenow-azure-storage `v5.7.0` - servicenow-azure-synapseanalytics `v5.3.0` - servicenow-gcp `v5.10.0` - servicenow-gcp-appengine `v5.3.0` - servicenow-gcp-bigquery `v5.3.0` - servicenow-gcp-bigtable `v5.3.0` - servicenow-gcp-composer `v5.3.0` - servicenow-gcp-computeengine `v5.5.0` - servicenow-gcp-dataflow `v5.3.0` - servicenow-gcp-datapipeline `v5.3.0` - servicenow-gcp-dataplex `v5.3.0` - servicenow-gcp-dataproc `v5.3.0` - servicenow-gcp-dns `v5.3.0` - servicenow-gcp-functions `v5.3.0` - servicenow-gcp-iam `v5.3.0` - servicenow-gcp-kms `v5.3.0` - servicenow-gcp-kubernetesengine `v5.4.0` - servicenow-gcp-logging `v5.3.0` - servicenow-gcp-memorystore `v5.3.0` - servicenow-gcp-monitoring `v5.3.0` - servicenow-gcp-network `v5.3.0` - servicenow-gcp-pubsub `v5.3.0` - servicenow-gcp-run `v5.3.0` - servicenow-gcp-scheduler `v5.3.0` - servicenow-gcp-secretmanager `v5.3.0` - servicenow-gcp-spanner `v5.3.0` - servicenow-gcp-sql `v5.4.0` - servicenow-gcp-storage `v5.8.0` - servicenow-gcp-vertexai `v5.3.0` - servicenow-custom `v5.2.0` - servicenow-kubernetes `v5.8.0`

osquery v5.3.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Mon, 03 Nov 2025 09:00:00 GMT

_What's new?_ - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

kubernetes v5.4.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Mon, 03 Nov 2025 09:00:00 GMT

_What's new?_ - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

azure-virtualdesktop v5.0.0 is now available

Fri, 31 Oct 2025 09:00:00 GMT

_What's new?_ _Resource Types_ - Azure > Virtual Desktop - Azure > Virtual Desktop > Host Pool - Azure > Virtual Desktop > Workspace _Control Types_ - Azure > Virtual Desktop > Host Pool > Active - Azure > Virtual Desktop > Host Pool > Allowed - Azure > Virtual Desktop > Host Pool > Allowed > Custom - Azure > Virtual Desktop > Host Pool > Allowed > Region - Azure > Virtual Desktop > Host Pool > CMDB - Azure > Virtual Desktop > Host Pool > Discovery - Azure > Virtual Desktop > Host Pool > Tags - Azure > Virtual Desktop > Workspace > Active - Azure > Virtual Desktop > Workspace > Allowed - Azure > Virtual Desktop > Workspace > Allowed > Custom - Azure > Virtual Desktop > Workspace > Allowed > Region - Azure > Virtual Desktop > Workspace > CMDB - Azure > Virtual Desktop > Workspace > Discovery - Azure > Virtual Desktop > Workspace > Tags _Policy Types_ - Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-virtualdesktop - Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-virtualdesktop - Azure > Virtual Desktop > Allowed Regions [Default] - Azure > Virtual Desktop > Approved Regions [Default] - Azure > Virtual Desktop > Enabled - Azure > Virtual Desktop > Host Pool > Active - Azure > Virtual Desktop > Host Pool > Active > Age - Azure > Virtual Desktop > Host Pool > Active > Last Modified - Azure > Virtual Desktop > Host Pool > Allowed - Azure > Virtual Desktop > Host Pool > Allowed > Custom - Azure > Virtual Desktop > Host Pool > Allowed > Custom > Rules - Azure > Virtual Desktop > Host Pool > Allowed > Region - Azure > Virtual Desktop > Host Pool > Allowed > Region > Regions - Azure > Virtual Desktop > Host Pool > CMDB - Azure > Virtual Desktop > Host Pool > Regions - Azure > Virtual Desktop > Host Pool > Tags - Azure > Virtual Desktop > Host Pool > Tags > Template - Azure > Virtual Desktop > Permissions - Azure > Virtual Desktop > Permissions > Levels - Azure > Virtual Desktop > Permissions > Levels > Modifiers - Azure > Virtual Desktop > Regions - Azure > Virtual Desktop > Tags Template [Default] - Azure > Virtual Desktop > Workspace > Active - Azure > Virtual Desktop > Workspace > Active > Age - Azure > Virtual Desktop > Workspace > Active > Last Modified - Azure > Virtual Desktop > Workspace > Allowed - Azure > Virtual Desktop > Workspace > Allowed > Custom - Azure > Virtual Desktop > Workspace > Allowed > Custom > Rules - Azure > Virtual Desktop > Workspace > Allowed > Region - Azure > Virtual Desktop > Workspace > Allowed > Region > Regions - Azure > Virtual Desktop > Workspace > CMDB - Azure > Virtual Desktop > Workspace > Regions - Azure > Virtual Desktop > Workspace > Tags - Azure > Virtual Desktop > Workspace > Tags > Template _Action Types_ - Azure > Virtual Desktop > Host Pool > Delete - Azure > Virtual Desktop > Host Pool > Router - Azure > Virtual Desktop > Host Pool > Set Tags - Azure > Virtual Desktop > Workspace > Delete - Azure > Virtual Desktop > Workspace > Router - Azure > Virtual Desktop > Workspace > Set Tags Note: We recommend updating the `@turbot/azure-provider` mod to `v5.19.1` for proper functionality.

azure-provider v5.20.0 - Track and manage Cognitive Services resource provider in Guardrails

Fri, 31 Oct 2025 09:00:00 GMT

_What's new?_ _Resource Types_ - Azure > Provider > Cognitive Services _Control Types_ - Azure > Provider > Cognitive Services > CMDB - Azure > Provider > Cognitive Services > Discovery - Azure > Provider > Cognitive Services > Registered _Policy Types_ - Azure > Provider > Cognitive Services > CMDB - Azure > Provider > Cognitive Services > Registered _Action Types_ - Azure > Provider > Cognitive Services > Set Registered

azure-provider v5.19.1 - Real-time register and unregister events for Virtual Desktop provider will now be processed correctly

Fri, 31 Oct 2025 09:00:00 GMT

_Bug fixes_ - Guardrails would fail to process real-time register and unregister events for Virtual Desktop provider. This is now fixed.

azure-cosmosdb v5.13.0 - Configure public network access for database accounts

Fri, 31 Oct 2025 09:00:00 GMT

_What's new?_ - You can now configure public network access for database accounts. To get started, set the `Azure > Cosmos DB > Database Account > Public Network Access` policy. _Control Types_ - Azure > Cosmos DB > Database Account > Public Network Access _Policy Types_ - Azure > Cosmos DB > Database Account > Public Network Access _Action Types_ - Azure > Cosmos DB > Database Account > Set Public Network Access

aws-ec2 v5.48.1 - Fixed policy mappings in various control types

Fri, 31 Oct 2025 09:00:00 GMT

_Bug fixes_ - Fixed policy mappings in various control types.

azure-synapseanalytics v5.14.0 - Configure advanced data security for workspaces

Thu, 30 Oct 2025 09:00:00 GMT

_What's new?_ - You can now configure advanced data security for workspaces. To get started, set the `Azure > Synapse Analytics > Workspace > Advanced Data Security > *` policies. _Control Types_ - Azure > Synapse Analytics > Workspace > Advanced Data Security _Policy Types_ - Azure > Synapse Analytics > Workspace > Advanced Data Security - Azure > Synapse Analytics > Workspace > Advanced Data Security > Threat Protection - Azure > Synapse Analytics > Workspace > Advanced Data Security > Threat Protection > Notify Admins - Azure > Synapse Analytics > Workspace > Advanced Data Security > Threat Protection > Types - Azure > Synapse Analytics > Workspace > Advanced Data Security > Threat Protection > Types > Email Addresses - Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment - Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment > Periodic Scans - Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Email Addresses - Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Notify Admins - Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment > Storage Account _Action Types_ - Azure > Synapse Analytics > Workspace > Update Advanced Data Security

azure-automation v5.5.0 - Configure public network access for automation accounts

Thu, 30 Oct 2025 09:00:00 GMT

_What's new?_ - You can now configure public network access for automation accounts. To get started, set the `Azure > Automation > Automation Account > Public Network Access` policy. _Control Types_ - Azure > Automation > Automation Account > Public Network Access _Policy Types_ - Azure > Automation > Automation Account > Public Network Access _Action Types_ - Azure > Automation > Automation Account > Set Public Network Access

gcp v5.33.1 - Added support to process real-time enable and disable events for Vertex AI API

Wed, 29 Oct 2025 09:00:00 GMT

_Bug fixes_ - Added support to process enable and disable real-time events for Vertex AI API via Service Usage APIs.

aws-bedrock v5.3.1 - Unsupported regions for Bedrock custom model are now removed from the regions policy

Wed, 29 Oct 2025 09:00:00 GMT

_Bug fixes_ - Unsupported regions were inadvertently included in the `AWS > Bedrock > Custom Model > Regions` policy, which led to the `AWS > Bedrock > Custom Model > Discovery` control being in an error state for those regions. We've now removed the unsupported regions from the Regions policy.

github v5.4.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Tue, 28 Oct 2025 09:00:00 GMT

_What's new?_ - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

azure-provider v5.19.0 - Track and manage Virtual Desktop resource provider in Guardrails

Mon, 27 Oct 2025 09:00:00 GMT

_What's new?_ _Resource Types_ - Azure > Provider > Virtual Desktop _Control Types_ - Azure > Provider > Virtual Desktop > CMDB - Azure > Provider > Virtual Desktop > Discovery - Azure > Provider > Virtual Desktop > Registered _Policy Types_ - Azure > Provider > Virtual Desktop > CMDB - Azure > Provider > Virtual Desktop > Registered _Action Types_ - Azure > Provider > Virtual Desktop > Set Registered

aws-cognito v5.3.0 - Track and manage identity pool resources in Guardrails

Mon, 27 Oct 2025 09:00:00 GMT

_What's new?_ _Resource Types_ - AWS > Cognito > Identity Pool _Control Types_ - AWS > Cognito > Identity Pool > Active - AWS > Cognito > Identity Pool > Allowed - AWS > Cognito > Identity Pool > Allowed > Custom - AWS > Cognito > Identity Pool > Allowed > Region - AWS > Cognito > Identity Pool > CMDB - AWS > Cognito > Identity Pool > Classic Authentication Flow - AWS > Cognito > Identity Pool > Discovery - AWS > Cognito > Identity Pool > Guest Access - AWS > Cognito > Identity Pool > Tags _Policy Types_ - AWS > Cognito > Allowed Regions [Default] - AWS > Cognito > Identity Pool > Active - AWS > Cognito > Identity Pool > Active > Age - AWS > Cognito > Identity Pool > Active > Last Modified - AWS > Cognito > Identity Pool > Allowed - AWS > Cognito > Identity Pool > Allowed > Custom - AWS > Cognito > Identity Pool > Allowed > Custom > Rules - AWS > Cognito > Identity Pool > Allowed > Region - AWS > Cognito > Identity Pool > Allowed > Region > Regions - AWS > Cognito > Identity Pool > CMDB - AWS > Cognito > Identity Pool > Classic Authentication Flow - AWS > Cognito > Identity Pool > Guest Access - AWS > Cognito > Identity Pool > Regions - AWS > Cognito > Identity Pool > Tags - AWS > Cognito > Identity Pool > Tags > Template - AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-cognito _Action Types_ - AWS > Cognito > Identity Pool > Delete - AWS > Cognito > Identity Pool > Router - AWS > Cognito > Identity Pool > Update Classic Authentication Flow - AWS > Cognito > Identity Pool > Update Guest Access - AWS > Cognito > Identity Pool > Update Tags Note: We recommend updating the `@turbot/aws` mod to `v5.40.0` for proper functionality.

aws-ec2 v5.48.0 - Migrated lambda functions for AMI to use AWS SDK v3

Sat, 25 Oct 2025 09:00:00 GMT

_What's new?_ - `AWS > EC2 > AMI > *` Lambda functions have been migrated to use AWS SDK v3, reducing the mod package size and improving deployment efficiency. You will not notice any differences, and things will continue to work smoothly as before.

azure v5.34.0 - Regions default value is now available for allowed controls

Fri, 24 Oct 2025 09:00:00 GMT

_What's new?_ _Policy Types_ - Azure > Subscription > Allowed Regions [Default]

aws-secretsmanager v5.11.1 - Real-time event handlers now process tagging events for secrets correctly

Fri, 24 Oct 2025 09:00:00 GMT

_Bug fixes_ - The real-time Event Handlers would fail to process tagging events for `AWS > Secrets Manager > Secret` resources. This is now fixed.

azure-sql v5.21.0 - Virtual network rules details will now be available in CMDB for servers

Wed, 22 Oct 2025 09:00:00 GMT

_What's new?_ - Virtual network rules details will now be available in CMDB for servers.

aws-lambda v5.19.1 - Function URL auth type control will now transition to a skipped state when no function URL is configured

Wed, 22 Oct 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > Lambda > Function > URL Auth Type` control previously entered an invalid state when a Function URL was not configured. This issue has now been resolved and the control will correctly transition to a skipped state in such cases.

aws-dynamodb v5.17.1 - Encryption at rest control for tables will now transition to an invalid state when encryption was enforced on global table replicas

Wed, 22 Oct 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > DynamoDB > Table > Encryption at Rest` control previously remained incorrectly in an alarm state when encryption was enforced on Global Table replicas. This issue has been resolved; the control now transitions to an invalid state for replicas, as AWS Global Tables require a single, coordinated cross-region encryption update rather than per-replica changes.

aws-neptune v5.7.0 - Track and manage cluster snapshot resources in Guardrails

Fri, 17 Oct 2025 09:00:00 GMT

_What's new?_ _Resource Types_ - AWS > Neptune > DB Cluster Snapshot _Control Types_ - AWS > Neptune > DB Cluster Snapshot > Active - AWS > Neptune > DB Cluster Snapshot > Allowed - AWS > Neptune > DB Cluster Snapshot > Allowed > Custom - AWS > Neptune > DB Cluster Snapshot > Allowed > Region - AWS > Neptune > DB Cluster Snapshot > CMDB - AWS > Neptune > DB Cluster Snapshot > Discovery - AWS > Neptune > DB Cluster Snapshot > Tags - AWS > Neptune > DB Cluster Snapshot > Usage _Policy Types_ - AWS > Neptune > Allowed Regions [Default] - AWS > Neptune > DB Cluster Snapshot > Active - AWS > Neptune > DB Cluster Snapshot > Active > Age - AWS > Neptune > DB Cluster Snapshot > Active > Last Modified - AWS > Neptune > DB Cluster Snapshot > Allowed - AWS > Neptune > DB Cluster Snapshot > Allowed > Custom - AWS > Neptune > DB Cluster Snapshot > Allowed > Custom > Rules - AWS > Neptune > DB Cluster Snapshot > Allowed > Region - AWS > Neptune > DB Cluster Snapshot > Allowed > Region > Regions - AWS > Neptune > DB Cluster Snapshot > CMDB - AWS > Neptune > DB Cluster Snapshot > Regions - AWS > Neptune > DB Cluster Snapshot > Tags - AWS > Neptune > DB Cluster Snapshot > Tags > Template - AWS > Neptune > DB Cluster Snapshot > Usage - AWS > Neptune > DB Cluster Snapshot > Usage > Limit _Action Types_ - AWS > Neptune > DB Cluster Snapshot > Delete - AWS > Neptune > DB Cluster Snapshot > Delete from AWS - AWS > Neptune > DB Cluster Snapshot > Router - AWS > Neptune > DB Cluster Snapshot > Set Tags - AWS > Neptune > DB Cluster Snapshot > Skip alarm for Active control - AWS > Neptune > DB Cluster Snapshot > Skip alarm for Active control [90 days] - AWS > Neptune > DB Cluster Snapshot > Skip alarm for Tags control - AWS > Neptune > DB Cluster Snapshot > Skip alarm for Tags control [90 days] - AWS > Neptune > DB Cluster Snapshot > Update Tags Note: We recommend updating the `@turbot/aws-rds` mod to `v5.32.2` and the `@turbot/aws` mod to `v5.40.0` for proper functionality.

Turbot Guardrails Enterprise (TE) v5.54.2 - Prevent materialization failures from bad policy type mappings

Thu, 16 Oct 2025 09:00:00 GMT

_Bug fixes_ - Server: - Materialization now handles invalid policy type mappings gracefully by skipping them instead of failing. _Requirements_ - Upgrade to `5.54.2` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.53.6 - Policy pack enhancements and UI fixes

Thu, 16 Oct 2025 09:00:00 GMT

_What's new?_ - UI - Added Terraform import block generation to policy pack developer tab alongside existing import commands. _Bug fixes_ - UI - Control page policy lists now show complete trunk names without cutting them off. - Resource page alert counts now accurately reflect the actual number of alerts _Requirements_ - Upgrade to `5.53.6` requires your workspace to be on `5.51.x` - TEF: 1.66.0 - TED: 1.9.1 - Mods: - @turbot/turbot: 5.55.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-rds v5.32.2 - Updated permissions to support real-time event processing for DB cluster snapshot resources used by Neptune and DocDB services

Thu, 16 Oct 2025 09:00:00 GMT

_Bug fixes_ - Updated permissions to support real-time event processing for DB cluster snapshot resources used by Neptune and DocDB services.

aws-docdb v5.5.0 - Track and manage cluster snapshot resources in Guardrails

Thu, 16 Oct 2025 09:00:00 GMT

_What's new?_ _Resource Types_ - AWS > Doc DB > DB Cluster Snapshot _Control Types_ - AWS > Doc DB > DB Cluster Snapshot > Active - AWS > Doc DB > DB Cluster Snapshot > Allowed - AWS > Doc DB > DB Cluster Snapshot > Allowed > Custom - AWS > Doc DB > DB Cluster Snapshot > Allowed > Region - AWS > Doc DB > DB Cluster Snapshot > CMDB - AWS > Doc DB > DB Cluster Snapshot > Discovery - AWS > Doc DB > DB Cluster Snapshot > Tags - AWS > Doc DB > DB Cluster Snapshot > Usage _Policy Types_ - AWS > Doc DB > Allowed Regions [Default] - AWS > Doc DB > DB Cluster Snapshot > Active - AWS > Doc DB > DB Cluster Snapshot > Active > Age - AWS > Doc DB > DB Cluster Snapshot > Active > Budget - AWS > Doc DB > DB Cluster Snapshot > Active > Last Modified - AWS > Doc DB > DB Cluster Snapshot > Allowed - AWS > Doc DB > DB Cluster Snapshot > Allowed > Custom - AWS > Doc DB > DB Cluster Snapshot > Allowed > Custom > Rules - AWS > Doc DB > DB Cluster Snapshot > Allowed > Region - AWS > Doc DB > DB Cluster Snapshot > Allowed > Region > Regions - AWS > Doc DB > DB Cluster Snapshot > CMDB - AWS > Doc DB > DB Cluster Snapshot > Regions - AWS > Doc DB > DB Cluster Snapshot > Tags - AWS > Doc DB > DB Cluster Snapshot > Tags > Template - AWS > Doc DB > DB Cluster Snapshot > Usage - AWS > Doc DB > DB Cluster Snapshot > Usage > Limit _Action Types_ - AWS > Doc DB > DB Cluster Snapshot > Delete - AWS > Doc DB > DB Cluster Snapshot > Delete from AWS - AWS > Doc DB > DB Cluster Snapshot > Router - AWS > Doc DB > DB Cluster Snapshot > Set Tags - AWS > Doc DB > DB Cluster Snapshot > Skip alarm for Active control - AWS > Doc DB > DB Cluster Snapshot > Skip alarm for Active control [90 days] - AWS > Doc DB > DB Cluster Snapshot > Skip alarm for Tags control - AWS > Doc DB > DB Cluster Snapshot > Skip alarm for Tags control [90 days] - AWS > Doc DB > DB Cluster Snapshot > Update Tags Note: We recommend updating the `@turbot/aws-rds` mod to `v5.32.2` and the `@turbot/aws` mod to `v5.40.0` for proper functionality.

azure-synapseanalytics v5.13.0 - Firewall rules details will now be available in CMDB for workspaces

Wed, 15 Oct 2025 09:00:00 GMT

_What's new?_ - Firewall rules details will now be available in CMDB for workspaces. - Security alert policy and vulnerability assessments details will now be available in CMDB for workspaces.

azure-redis v5.1.0 - Firewall rules details will now be available in CMDB for redis cache

Wed, 15 Oct 2025 09:00:00 GMT

_What's new?_ - Firewall rules details will now be available in CMDB for redis cache.

azure-mysql v5.19.0 - Firewall rules details will now be available in CMDB for flexible servers

Wed, 15 Oct 2025 09:00:00 GMT

_What's new?_ - Firewall rules details will now be available in CMDB for flexible servers.

Turbot Guardrails Enterprise (TE) v5.53.5 - Turbot > Notifications > Rule-Based Routing now supports using Turbot > File resources as notification templates

Mon, 13 Oct 2025 09:00:00 GMT

_What's new?_ - Server - `Turbot > Notifications > Rule-Based Routing` now supports using `Turbot > File` resources as notification templates — update the `@turbot/turbot` mod to `v5.56.1` or later to enable this feature. _Requirements_ - Upgrade to `5.53.5` requires your workspace to be on `5.51.x` - TEF: 1.66.0 - TED: 1.9.1 - Mods: - @turbot/turbot: 5.55.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.53.4 - Infrastructure and maintenance updates

Thu, 09 Oct 2025 09:00:00 GMT

_Bug fixes_ - Server - Redis/Valkey connection management now tracks connection creation times for improved visibility and connection lifecycle tracking. - Maintenance container logic refined to avoid errors when attempting to drop unique index constraints. _Requirements_ - Upgrade to `5.53.4` requires your workspace to be on `5.51.x` - TEF: 1.66.0 - TED: 1.9.1 - Mods: - @turbot/turbot: 5.55.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-lambda v5.19.0 - Manage trusted access for layers

Thu, 09 Oct 2025 09:00:00 GMT

_What's new?_ - Users can now manage trusted access for layers. To get started, set the `AWS > Lambda > Function > Layer Trusted Access > *` policies. _Control Types_ - AWS > Lambda > Function > Layer Trusted Access _Policy Types_ - AWS > Lambda > Function > Layer Trusted Access - AWS > Lambda > Function > Layer Trusted Access > Accounts _Action Types_ - AWS > Lambda > Function > Set Layer Trusted Access

aws v5.40.0 - Regions default value is now available for allowed controls

Wed, 08 Oct 2025 09:00:00 GMT

_What's new?_ _Policy Types_ - AWS > Account > Allowed Regions [Default]

aws-iam v5.47.0 - Remove unallowed access keys from the CMDB

Wed, 08 Oct 2025 09:00:00 GMT

_What's new?_ - You can now remove unallowed access keys from the CMDB. To get started, set the `AWS > IAM > Access Key > Allowed > *` policies. _Control Types_ - AWS > IAM > Access Key > Allowed - AWS > IAM > Access Key > Allowed > Custom _Policy Types_ - AWS > IAM > Access Key > Allowed - AWS > IAM > Access Key > Allowed > Custom - AWS > IAM > Access Key > Allowed > Custom > Rules

azure-redis v5.0.0 is now available

Mon, 06 Oct 2025 09:00:00 GMT

_What's new?_ _Resource Types_ - Azure > Redis - Azure > Redis > Redis Cache _Control Types_ - Azure > Redis > Redis Cache > Active - Azure > Redis > Redis Cache > CMDB - Azure > Redis > Redis Cache > Discovery - Azure > Redis > Redis Cache > Tags _Policy Types_ - Azure > Redis > Approved Regions [Default] - Azure > Redis > Enabled - Azure > Redis > Permissions - Azure > Redis > Permissions > Levels - Azure > Redis > Permissions > Levels > Modifiers - Azure > Redis > Redis Cache > Active - Azure > Redis > Redis Cache > Active > Age - Azure > Redis > Redis Cache > Active > Last Modified - Azure > Redis > Redis Cache > CMDB - Azure > Redis > Redis Cache > Regions - Azure > Redis > Redis Cache > Tags - Azure > Redis > Redis Cache > Tags > Template - Azure > Redis > Regions - Azure > Redis > Tags Template [Default] - Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-redis - Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-redis _Action Types_ - Azure > Redis > Redis Cache > Delete - Azure > Redis > Redis Cache > Router - Azure > Redis > Redis Cache > Set Tags

azure-provider v5.18.0 - Track and manage Redis resource provider in Guardrails

Mon, 06 Oct 2025 09:00:00 GMT

_What's new?_ _Resource Types_ - Azure > Provider > Redis _Control Types_ - Azure > Provider > Redis > CMDB - Azure > Provider > Redis > Discovery - Azure > Provider > Redis > Registered _Policy Types_ - Azure > Provider > Redis > CMDB - Azure > Provider > Redis > Registered _Action Types_ - Azure > Provider > Redis > Set Registered

azure-containerregistry v5.7.0 - Configure anonymous pull access for registries

Mon, 06 Oct 2025 09:00:00 GMT

_What's new?_ - You can now configure anonymous pull access for registries. To get started, set the `Azure > Container Registry > Registry > Anonymous Pull Access` policy. _Control Types_ - Azure > Container Registry > Registry > Anonymous Pull Access _Policy Types_ - Azure > Container Registry > Registry > Anonymous Pull Access _Action Types_ - Azure > Container Registry > Registry > Set Anonymous Pull Access

aws-pciv3-2-1 v5.1.1 - Controls for Lambda functions now use updated CMDB references in internal GraphQL queries

Fri, 26 Sep 2025 09:00:00 GMT

_Bug fixes_ - Controls for Lambda functions now use updated CMDB references in internal GraphQL queries. You will not notice any differences, and things will continue to work smoothly as before.

aws-opensearch v5.3.0 - Configure anonymous auth for domains

Fri, 26 Sep 2025 09:00:00 GMT

_What's new?_ - You can now configure anonymous auth for domains. To get started, set the `AWS > OpenSearch > Domain > Anonymous Auth` policy. _Control Types_ - AWS > OpenSearch > Domain > Anonymous Auth _Policy Types_ - AWS > OpenSearch > Domain > Anonymous Auth _Action Types_ - AWS > OpenSearch > Domain > Disable Anonymous Auth

aws-lambda v5.18.0 - Configure URL auth type for functions

Fri, 26 Sep 2025 09:00:00 GMT

_What's new?_ - You can now configure URL auth type for functions. To get started, set the `AWS > Lambda > Function > URL Auth Type` policy. _Bug fixes_ - Fixed action and control mappings in various control types and policy types. - We've removed the redundant `Configuration` details for functions from the CMDB. We recommend updating your existing policy settings to reference the top-level attributes from the CMDB data instead. **Removed:** In AWS > Lambda > Function: - `Configuration` _Control Types_ - AWS > Lambda > Function > URL Auth Type _Policy Types_ - AWS > Lambda > Function > URL Auth Type _Action Types_ - AWS > Lambda > Function > Update URL Auth Type

aws-hipaa v5.2.1 - Controls for Lambda functions now use updated CMDB references in internal GraphQL queries

Fri, 26 Sep 2025 09:00:00 GMT

_Bug fixes_ - Controls for Lambda functions now use updated CMDB references in internal GraphQL queries. You will not notice any differences, and things will continue to work smoothly as before.

aws-ec2 v5.47.1 - Real-time events for account attributes will now be processed more reliably

Fri, 26 Sep 2025 09:00:00 GMT

_Bug fixes_ - Guardrails would sometimes fail to process the real-time `ec2:DisableSnapshotBlockPublicAccess` event for EC2 Account Attributes correctly. This is now fixed.

Turbot Guardrails Enterprise (TE) v5.54.1 - Resolved an issue where creating policy values could hang when related policies had no targets

Thu, 25 Sep 2025 09:00:00 GMT

_Bug fixes_ - Server - Resolved an issue where creating policy values could hang when related policies had no targets. - UI - Policy value cards are now better aligned, improving readability and visual consistency. - Smoothed out the header experience on the resources page by removing flicker. _Requirements_ - Upgrade to `5.54.1` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ - Alpine: 3.17.5 - Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.53.3 - Increased type installation limit from 600 to 1500

Thu, 25 Sep 2025 09:00:00 GMT

_What's new?_ - Server - Increased type installation limit from 600 to 1500. _Bug fixes_ - UI - Policy value cards are now better aligned, improving readability and visual consistency. - Smoothed out the header experience on the resources page by removing flicker. _Requirements_ - Upgrade to `5.53.3` requires your workspace to be on `5.51.x` - TEF: 1.66.0 - TED: 1.9.1 - Mods: - @turbot/turbot: 5.55.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.54.0 - Smarter control and policy value creation

Tue, 23 Sep 2025 09:00:00 GMT

_What's new?_ You now have more control over when Guardrails creates controls and policy values based on policy settings. Previously, Guardrails would evaluate all possible controls for every resource by default. With this release, Guardrails can be configured to only create controls impacted by policy settings, improving both user experience and backend performance. The `Turbot > Materialization` policy supports two modes: - **Always** (Default) — Create controls and policy values for all applicable resources, even if no setting exists. This matches legacy behavior. - **Automatic** — Create controls and policy values only if a setting is explicitly defined for the primary policy. This can significantly reduce noise and improve performance. Note that some types, such as those used to discover resources and configure accounts, are always created regardless of the materialization mode. To get started, we recommend setting the `Turbot > Materialization` policy to `Automatic` and updating any cloud mods currently installed, like `aws`, `aws-s3`, `azure`, to their latest versions. In the upcoming TE version, the default for the `Turbot > Materialization` policy will change from `Always` to `Automatic`. To retain the existing behavior, set the `Turbot > Materialization` policy to `Always` before upgrading to the next TE version. _Requirements_ - Upgrade to `5.54.0` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ - Alpine: 3.17.5 - Ubuntu: 22.04.3

turbot v5.56.0 - Added the `Turbot > Materialization` policy to control when Guardrails creates controls and policy values

Tue, 23 Sep 2025 09:00:00 GMT

_What's new?_ - Added the `Turbot > Materialization` policy to control when Guardrails creates controls and policy values, with modes for `Always` (legacy behavior) and `Automatic` (create only when explicitly set), reducing noise and improving performance. _Control Types_ - Turbot > Policy Pack > Materialize - Turbot > Guardrail > Materialize - Turbot > Materialize _Policy Types_ - Turbot > Materialization - Renamed - Turbot > Notifications > Email > CC > Tag > Name to Turbot > Notifications > Email > CC > Tag Name. - Deprecated - Turbot > Notifications > Email > CC > Tag _Requirements_ - TE: 5.35.4

azure-cosmosdb v5.12.0 - Configure key based metadata write access for database accounts

Tue, 23 Sep 2025 09:00:00 GMT

_What's new?_ - You can now configure key based metadata write access for database accounts. To get started, set the `Azure > Cosmos DB > Database Account > Key Based Metadata Write Access` policy. _Control Types_ - Azure > Cosmos DB > Database Account > Key Based Metadata Write Access _Policy Types_ - Azure > Cosmos DB > Database Account > Key Based Metadata Write Access _Action Types_ - Azure > Cosmos DB > Database Account > Set Key Based Metadata Write Access

aws-kms v5.21.1 - Migrated all Lambda functions to use AWS SDK v3

Tue, 23 Sep 2025 09:00:00 GMT

_Bug fixes_ - All Lambda functions have been migrated to use AWS SDK v3, reducing the mod package size and improving deployment efficiency. You will not notice any differences, and things will continue to work smoothly as before.

Turbot Guardrails Enterprise (TE) v5.53.2 - Added support for importing GitHub Enterprise organizations

Mon, 22 Sep 2025 09:00:00 GMT

_What's new?_ - Server - GitHub integration now supports importing GitHub Enterprise organizations, expanding coverage for enterprise users. - UI - The main dashboard’s resource list is now split into favorites and accounts for easier navigation and prioritization. - The GitHub import page now includes support for GitHub Enterprise. _Bug fixes_ - Server - Resolved an issue that could prevent confirmation of SNS subscriptions during event handler setup for accounts. - Resolved issues with incorrect index mapping definitions in the maintenance container. - UI - Improved UI consistency and usability across policy value cards, control actions, and resource control lists. _Requirements_ - Upgrade to `5.53.2` requires your workspace to be on `5.51.x` - TEF: 1.66.0 - TED: 1.9.1 - Mods: - @turbot/turbot: 5.55.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-opensearch v5.2.0 - Track and manage domain resources in Guardrails

Mon, 22 Sep 2025 09:00:00 GMT

_What's new?_ - Track and manage domain resources in Guardrails. _Resource Types_ - AWS > OpenSearch > Domain _Control Types_ - AWS > OpenSearch > Domain > Active - AWS > OpenSearch > Domain > Approved - AWS > OpenSearch > Domain > CMDB - AWS > OpenSearch > Domain > Discovery - AWS > OpenSearch > Domain > Tags _Policy Types_ - AWS > OpenSearch > Domain > Active - AWS > OpenSearch > Domain > Active > Age - AWS > OpenSearch > Domain > Active > Last Modified - AWS > OpenSearch > Domain > Approved - AWS > OpenSearch > Domain > Approved > Custom - AWS > OpenSearch > Domain > Approved > Regions - AWS > OpenSearch > Domain > Approved > Usage - AWS > OpenSearch > Domain > CMDB - AWS > OpenSearch > Domain > Regions - AWS > OpenSearch > Domain > Tags - AWS > OpenSearch > Domain > Tags > Template - AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-opensearch _Action Types_ - AWS > OpenSearch > Domain > Delete - AWS > OpenSearch > Domain > Delete from AWS - AWS > OpenSearch > Domain > Router - AWS > OpenSearch > Domain > Set Tags - AWS > OpenSearch > Domain > Skip alarm for Active control - AWS > OpenSearch > Domain > Skip alarm for Active control [90 days] - AWS > OpenSearch > Domain > Skip alarm for Approved control - AWS > OpenSearch > Domain > Skip alarm for Approved control [90 days] - AWS > OpenSearch > Domain > Skip alarm for Tags control - AWS > OpenSearch > Domain > Skip alarm for Tags control [90 days] - AWS > OpenSearch > Domain > Update Tags

Intelligent Assessment controls now also support OpenAI GPT-5 and Anthropic Claude Opus 4.1 models

Fri, 19 Sep 2025 09:00:00 GMT

_What's new?_ - Intelligent Assessment controls now also support OpenAI GPT-5 and Anthropic Claude Opus 4.1 models. - All policy types across AWS, Azure, GCP, GitHub, Kubernetes, and ServiceNow mods now have an associated class. You will not notice any differences, and everything will continue to function smoothly as before. _Bug fixes_ - Support for the contactable interface has been removed from all resource types except AWS Account, Azure Subscription, and GCP Project. As a result, the `Turbot > Notifications > Email > CC > Tag Name` policy can no longer be explicitly set for the affected resource types.

azure-containerregistry v5.6.0 - Configure public network access for registries

Fri, 19 Sep 2025 09:00:00 GMT

_What's new?_ - You can now configure public network access for registries. To get started, set the `Azure > Container Registry > Registry > Public Network Access` policy. _Control Types_ - Azure > Container Registry > Registry > Public Network Access _Policy Types_ - Azure > Container Registry > Registry > Public Network Access _Action Types_ - Azure > Container Registry > Registry > Set Public Network Access

azure-cisv3-0 v5.0.1 - Various controls will now evaluate their dependent policies correctly

Fri, 19 Sep 2025 09:00:00 GMT

_Bug fixes_ - Various controls sometimes failed to evaluate their dependent policies correctly, which led to the controls failing without explicitly throwing errors. This issue has been fixed, and such controls will now work as expected.

azure-apimanagement v5.8.0 - Configure public network access for API management services

Fri, 19 Sep 2025 09:00:00 GMT

_What's new?_ - You can now configure public network access for API management services. To get started, set the `Azure > API Management > API Management Service > Public Network Access` policy. _Control Types_ - Azure > API Management > API Management Service > Public Network Access _Policy Types_ - Azure > API Management > API Management Service > Public Network Access _Action Types_ - Azure > API Management > API Management Service > Set Public Network Access

github v5.3.0 - Import GitHub Enterprise organizations in Guardrails

Thu, 18 Sep 2025 09:00:00 GMT

_What's new?_ - You can now import GitHub Enterprise organizations in Guardrails. To get started, select GitHub Enterprise Organization from the Connect screen and configure details. We recommend upgrading TE to v5.53.2 for this change to take effect. - Added support for `class` attribute for various policy types. _Policy Types_ - GitHub > Config > Base URL

aws-iam v5.46.0 - Track and manage service specific credential resources in Guardrails

Thu, 18 Sep 2025 09:00:00 GMT

_Resource Types_ - AWS > IAM > Service Specific Credential _Control Types_ - AWS > IAM > Service Specific Credential > Active - AWS > IAM > Service Specific Credential > Approved - AWS > IAM > Service Specific Credential > CMDB - AWS > IAM > Service Specific Credential > Discovery _Policy Types_ - AWS > IAM > Service Specific Credential > Active - AWS > IAM > Service Specific Credential > Active > Age - AWS > IAM > Service Specific Credential > Active > Last Modified - AWS > IAM > Service Specific Credential > Approved - AWS > IAM > Service Specific Credential > Approved > Custom - AWS > IAM > Service Specific Credential > Approved > Usage - AWS > IAM > Service Specific Credential > CMDB _Action Types_ - AWS > IAM > Service Specific Credential > Delete - AWS > IAM > Service Specific Credential > Delete from AWS - AWS > IAM > Service Specific Credential > Router - AWS > IAM > Service Specific Credential > Skip alarm for Active control - AWS > IAM > Service Specific Credential > Skip alarm for Active control [90 days] - AWS > IAM > Service Specific Credential > Skip alarm for Approved control - AWS > IAM > Service Specific Credential > Skip alarm for Approved control [90 days]

aws-bedrock v5.3.0 - Configure encryption at rest for agents

Tue, 16 Sep 2025 09:00:00 GMT

_What's new?_ - You can now configure Encryption at Rest for agents. To get started, set the `AWS > Bedrock > Agent > Encryption at Rest > *` policies. _Bug fixes_ - The `promptOverrideConfiguration.promptConfigurations` attribute for agents has now been made dynamic to avoid unnecessary notifications in the activity tab. _Control Types_ - AWS > Bedrock > Agent > Encryption at Rest _Policy Types_ - AWS > Bedrock > Agent > Encryption at Rest - AWS > Bedrock > Agent > Encryption at Rest > Customer Managed Key _Action Types_ - AWS > Bedrock > Agent > Update Encryption at Rest

Turbot Guardrails Enterprise (TE) v5.53.1 - Added support for the class property in policy types

Thu, 11 Sep 2025 09:00:00 GMT

_What's new?_ - Server - Added support for the class property in policy types. _Requirements_ - Upgrade to `5.53.1` requires your workspace to be on `5.51.x` - TEF: 1.66.0 - TED: 1.9.1 - Mods: - @turbot/turbot: 5.55.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-codeartifact v5.0.2 - Fixed service title to `CodeArtifact`

Thu, 11 Sep 2025 09:00:00 GMT

_Bug fixes_ - Fixed service title to `CodeArtifact`. _Resource Types_ _Renamed_ - AWS > Code Artifact to AWS > CodeArtifact _Policy Types_ _Renamed_ - AWS > Code Artifact > API Enabled to AWS > CodeArtifact > API Enabled - AWS > Code Artifact > Enabled to AWS > CodeArtifact > Enabled - AWS > Code Artifact > Permissions to AWS > CodeArtifact > Permissions - AWS > Code Artifact > Permissions > Levels to AWS > CodeArtifact > Permissions > Levels - AWS > Code Artifact > Permissions > Levels > Modifiers to AWS > CodeArtifact > Permissions > Levels > Modifiers - AWS > Code Artifact > Permissions > Lockdown to AWS > CodeArtifact > Permissions > Lockdown - AWS > Code Artifact > Permissions > Lockdown > API Boundary to AWS > CodeArtifact > Permissions > Lockdown > API Boundary

aws-codeartifact v5.0.1 - Removed the unnecessary event sources policy

Wed, 10 Sep 2025 09:00:00 GMT

_Bug fixes_ - Removed the unnecessary `AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-codeartifact` policy. _Policy Types_ _Removed_ - AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-codeartifact

aws-codeartifact v5.0.0 is now available

Wed, 10 Sep 2025 09:00:00 GMT

_What's new?_ _Resource Types_ - AWS > Code Artifact _Policy Types_ - AWS > Code Artifact > API Enabled - AWS > Code Artifact > Enabled - AWS > Code Artifact > Permissions - AWS > Code Artifact > Permissions > Levels - AWS > Code Artifact > Permissions > Levels > Modifiers - AWS > Code Artifact > Permissions > Lockdown - AWS > Code Artifact > Permissions > Lockdown > API Boundary - AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-codeartifact - AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-codeartifact - AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-codeartifact - AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-codeartifact

Turbot Guardrails Enterprise (TE) v5.52.5 - Azure credential resolver now supports storage authentication

Mon, 08 Sep 2025 09:00:00 GMT

_What's new?_ - Server - Added support for the Storage token audience in the Azure credential resolver. _Bug fixes_ - Server - Creating a new workspace now correctly adds the missing policy pack (aka) for Smart Folder resource types. - Numeric values in wildcard tag filters are now processed correctly. _Requirements_ - Upgrade to `5.52.5` requires your workspace to be on `5.51.x` - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-storage v5.29.0 - CMDB control for storage accounts no longer requires the `listkeys` permission on storage accounts to fetch details for blob, queue, and file share services

Mon, 08 Sep 2025 09:00:00 GMT

_What's new?_ - The `Azure > Storage > Storage Account > CMDB` no longer requires the `listkeys` permission on storage accounts to fetch details for Blob, Queue, and File Share services. We recommend upgrading TE to `v5.52.5` for this change to take effect.

aws-s3 v5.32.3 - Encryption in transit control will check only for the relevant encryption in transit condition without explicitly matching on the Sid

Mon, 08 Sep 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > S3 > Bucket > Encryption In Transit` control previously required an Encryption in Transit policy statement with the Sid `MustBeEncryptedInTransit` and the condition `"aws:SecureTransport": "false"`. This sometimes caused the control to incorrectly enter an alarm state when the bucket had the correct condition but a different Sid. The control has been updated to check only for the relevant Encryption in Transit condition, without explicitly requiring the Sid `MustBeEncryptedInTransit`.

azure-storage v5.28.1 - Soft Delete control will no longer attempt to apply soft delete settings if Guardrails does not have the required permissions to read or write soft delete data

Wed, 03 Sep 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Storage > Storage Account > Data Protection > Soft Delete` control will no longer attempt to apply soft delete settings if Guardrails does not have the required permissions to read or write soft delete data. Instead, it will transition to an invalid state.

gcp-bigquery v5.10.0 - Manage trusted access for datasets

Fri, 29 Aug 2025 09:00:00 GMT

_What's new?_ - Users can now manage trusted access for datasets. To get started, set the `GCP > BigQuery > Dataset > Policy > Trusted Access > *` policies. _Control Types_ - GCP > BigQuery > Dataset > Policy - GCP > BigQuery > Dataset > Policy > Trusted Access _Policy Types_ - GCP > BigQuery > Dataset > Policy - GCP > BigQuery > Dataset > Policy > Trusted Access - GCP > BigQuery > Dataset > Policy > Trusted Access > Domains - GCP > BigQuery > Dataset > Policy > Trusted Access > Groups - GCP > BigQuery > Dataset > Policy > Trusted Access > Service Accounts - GCP > BigQuery > Dataset > Policy > Trusted Access > Users _Action Types_ - GCP > BigQuery > Dataset > Set Trusted Access

azure-postgresql v5.20.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Fri, 29 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > PostgreSQL > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Turbot Guardrails Enterprise (TE) v5.52.4 - Simplification of notification tag policy for better consistency

Thu, 28 Aug 2025 09:00:00 GMT

_What's new?_ - Server - The `Turbot > Notifications > CC > Tag` policy is no longer checked; resource tags previously specified in `Turbot > Notifications > CC > Tag > Name` are now associated with the `Account/CC` policy instead of being evaluated independently. _Bug fixes_ - Server - Policy settings now return results correctly for policies inside Policy Packs when you have valid access. _Requirements_ - Upgrade to `5.52.4` requires your workspace to be on `5.51.x` - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

gcp-iam v5.21.0 - Configure and manage project role bindings for service accounts

Thu, 28 Aug 2025 09:00:00 GMT

_What's new?_ - You can now configure and manage project role bindings for service accounts. To get started, set the `GCP > IAM > Service Account > Project Role Bindings > *` policies. _Control Types_ - GCP > IAM > Service Account > Project Role Bindings - GCP > IAM > Service Account > Project Role Bindings > Approved _Policy Types_ - GCP > IAM > Service Account > Project Role Bindings - GCP > IAM > Service Account > Project Role Bindings > Approved - GCP > IAM > Service Account > Project Role Bindings > Approved > Rules _Action Types_ - GCP > IAM > Service Account > Update Project Role Bindings

azure v5.32.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Thu, 28 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Azure > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-mysql v5.17.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Thu, 28 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > MySQL > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-monitor v5.11.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Thu, 28 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Monitor > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-datafactory v5.10.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Thu, 28 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Data Factory > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-cosmosdb v5.10.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Thu, 28 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Cosmos DB > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-automation v5.3.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Thu, 28 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Automation > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

aws-cisv3-0 v5.0.6 - Controls will no longer enter invalid or TBD state when corresponding CIS policies are set to `Skip`

Mon, 25 Aug 2025 09:00:00 GMT

_Bug fixes_ - CIS controls previously entered an invalid or TBD state when the CMDB controls for associated resources were in a skipped or TBD state, even if the corresponding CIS policies were set to `Skip`. This issue has been resolved; such controls will now correctly transition to a skipped state.

aws-cisv2-0 v5.0.5 - Controls will no longer enter invalid or TBD state when corresponding CIS policies are set to `Skip`

Mon, 25 Aug 2025 09:00:00 GMT

Turbot Guardrails Enterprise (TE) v5.53.0 - Smarter control runs based on policy dependencies

Fri, 22 Aug 2025 09:00:00 GMT

_What's new?_ - Server - Controls now wait for dependent policy values to finish processing, preventing redundant runs and duplicate execution attempts. _Bug fixes_ - Server - Restrict smart folder and policy pack to create exception if there is a top level setting available. _Requirements_ - Upgrade to `5.53.0` requires your workspace to be on `5.51.x` - TEF: 1.66.0 - TED: 1.9.1 - Mods: - @turbot/turbot: 5.55.0 _Base images_ - Alpine: 3.17.5 - Ubuntu: 22.04.3

azure-compute v5.26.0 - Configure boot diagnostics for virtual machines

Fri, 22 Aug 2025 09:00:00 GMT

_What's new?_ - You can now configure boot diagnostics for virtual machines. To get started, set the `Azure > Compute > Virtual Machine > Update Boot Diagnostics` policy. _Control Types_ - Azure > Compute > Virtual Machine > Boot Diagnostics _Policy Types_ - Azure > Compute > Virtual Machine > Boot Diagnostics - Azure > Compute > Virtual Machine > Boot Diagnostics > Custom Storage Account _Action Types_ - Azure > Compute > Virtual Machine > Update Boot Diagnostics

azure-appservice v5.15.2 - Web app and function app metadata will now also include `createdBy` details in Guardrails CMDB

Fri, 22 Aug 2025 09:00:00 GMT

_Bug fixes_ - Web App and Function App metadata will now also include `createdBy` details in Guardrails CMDB.

azure-activedirectory v5.9.1 - Discovery control for directories will run more efficiently and prevent unnecessary resource updates

Fri, 22 Aug 2025 09:00:00 GMT

_Bug fixes_ - Optimized the `Azure > Active Directory > Directory > Discovery` control to run more efficiently and prevent unnecessary resource updates, thereby reducing CMDB churn.

aws-lambda v5.16.0 - Configure organization restrictions for lambda functions

Fri, 22 Aug 2025 09:00:00 GMT

_What's new?_ - You can now configure organization restrictions for AWS Lambda function policies. To get started, configure the AWS > Lambda > Function > Policy > Trusted Access > Organization Restrictions policy accordingly. _Policy Types_ - AWS > Lambda > Function > Policy > Trusted Access > Organization Restrictions - AWS > Lambda > Trusted Organizations [Default]

turbot v5.55.0 - New guardrail and rollout resources, policies & controls (preview)

Thu, 21 Aug 2025 09:00:00 GMT

_Preview_ All of the following resource types, policy types, and control types are currently in preview and may change in future releases. - Resource Types: - Turbot > Rollout - Turbot > Guardrail - Policy Types: - Turbot > Notifications > Email > Rollout > Check Template - Turbot > Notifications > Email > Rollout > Check Template > Warning Body - Turbot > Notifications > Email > Rollout > Check Template > Warning Subject - Turbot > Notifications > Email > Rollout > Check Template > Welcome Body - Turbot > Notifications > Email > Rollout > Check Template > Welcome Subject - Turbot > Notifications > Email > Rollout > Detach Template - Turbot > Notifications > Email > Rollout > Detach Template > Warning Body - Turbot > Notifications > Email > Rollout > Detach Template > Warning Subject - Turbot > Notifications > Email > Rollout > Enforce Template - Turbot > Notifications > Email > Rollout > Enforce Template > Warning Body - Turbot > Notifications > Email > Rollout > Enforce Template > Warning Subject - Turbot > Notifications > Email > Rollout > Enforce Template > Welcome Body - Turbot > Notifications > Email > Rollout > Enforce Template > Welcome Subject - Turbot > Notifications > Email > Rollout > Preview Template - Turbot > Notifications > Email > Rollout > Preview Template > Warning Body - Turbot > Notifications > Email > Rollout > Preview Template > Warning Subject - Turbot > Notifications > Email > Rollout > Preview Template > Welcome Subject - Turbot > Notifications > Email > Rollout > Preview Template > Welcome Body - Control types - Turbot > Rollout > Events

aws-ec2 v5.46.3 - Discovery controls for target groups will no longer enter an error state when upserting a resource if the parent load balancer isn’t available in the CMDB

Thu, 21 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > EC2 > Target Group > Discovery` control could previously enter an error state when upserting a target group whose parent load balancer was not available in CMDB. We have improved this process so that all target groups are now upserted under a region, ensuring better consistency and reliability. Existing target groups under load balancers will also be moved under their respective regions automatically.

azure-storage v5.28.0 - Configure soft delete for file shares in storage accounts

Wed, 20 Aug 2025 09:00:00 GMT

_What's new?_ - You can now configure soft delete for file shares in storage accounts. To get started, configure the `Azure > Storage > Storage Account > Data Protection > Soft Delete > File Shares > *` policies accordingly. - Delete retention policy details for file share will now be available in CMDB for Storage Accounts. _Policy Types_ - Azure > Storage > Storage Account > Data Protection > Soft Delete > File Shares - Azure > Storage > Storage Account > Data Protection > Soft Delete > File Shares > Retention Days

azure-relay v5.5.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Wed, 20 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Relay > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-recoveryservice v5.9.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Wed, 20 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Recovery Service > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-keyvault v5.18.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Wed, 20 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Key Vault > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-dns v5.11.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Wed, 20 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > DNS > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-databricks v5.7.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Wed, 20 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Databricks > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-synapseanalytics v5.11.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Mon, 18 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Synapse Analytics > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-sqlvirtualmachine v5.3.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Mon, 18 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > SQL Virtual Machine Service > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-signalr v5.5.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Mon, 18 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > SignalR Service > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-servicebus v5.5.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Mon, 18 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Service Bus > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-network v5.26.1 - Bastion host discovery control now upserts resources reliably and consistently under correct resource groups

Mon, 18 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Network > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource. - The `Azure > Network > Bastion Host > Discovery` control previously could inadvertently upsert bastion hosts under incorrect resource groups. This issue has been resolved, and the control now upserts bastion hosts more reliably and consistently.

azure-loganalytics v5.12.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Mon, 18 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Log Analytics > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

aws-backup v5.13.2 - Recovery point CMDB control no longer re-runs automatically for expired recovery points

Mon, 18 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > Backup > Recovery Point > CMDB` control previously ran every minute if a recovery point’s `CalculatedLifecycle.DeleteAt` timestamp was already in the past. It now deletes expired recovery points and no longer re-runs automatically when the next tick is also in the past.

Terraform Provider v1.13.0 - Added support for tags in `turbot_policy_pack` resource

Thu, 14 Aug 2025 09:00:00 GMT

_What's new?_ - Added support for `tags` attribute in the `turbot_policy_pack` resource. This will allow users to manage tags on policy packs. Minimum version requirements: TE v5.52.3

Turbot Guardrails Enterprise (TE) v5.52.3 - Add tags support for policy pack

Thu, 14 Aug 2025 09:00:00 GMT

_What's new?_ - Server - Added support for tags in policy packs, making it easier to organize and filter them. _Note_ Upgrade to `5.52.3` requires your workspace to be on `5.51.x`; direct upgrades from older versions (e.g., 5.49.x) will fail. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

gcp v5.32.1 - The Event Handlers Pub/Sub Source policy now evaluates reliably on project imports in Guardrails

Thu, 14 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `GCP > Turbot > Event Handlers > Pub/Sub > Source` policy could previously evaluate incorrectly immediately after a GCP Project import if the Project CMDB data was not up to date. The policy now checks the `GCP > Project > CMDB` control and evaluates only when that control has run successfully and is in an OK state, preventing incorrect results and improving clarity. - Event Poller controls now display improved help messages when the API used to fetch events returns an error, instead of only logging the errors under Activities. _Action Types_ _Removed_ - GCP > Folder > Event Poller - GCP > Organization > Event Poller - GCP > Project > Event Poller

azure-compute v5.25.1 - Tags control for various resources no longer includes unnecessary parameters in API calls when updating tags

Thu, 14 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Compute > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

aws-pciv3-2-1 v5.1.0 - Improved GraphQL queries for `EC2 > 3 Unused EC2 security groups should be removed` control

Thu, 14 Aug 2025 09:00:00 GMT

_Bug fixes_ - We have updated the internal GraphQL queries for the `AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed` control to improve performance when evaluating the control’s outcome. There are no visible changes, but things will run smoother and faster than before. Note: We recommend updating the `@turbot/aws-ec2` mod to `v5.46.2` for proper functionality. _Policy Types_ - AWS > PCI v3.2.1 > EC2 - AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed

aws-ec2 v5.46.2 - Network interfaces CMDB data now includes additional metadata for associated security groups for internal performance improvements

Thu, 14 Aug 2025 09:00:00 GMT

_Bug fixes_ - Added additional metadata for associated security groups to the CMDB data for network interfaces for internal performance improvements.

aws-logs v5.16.0 - Track and manage delivery, delivery destination, delivery source, and destination resources in Guardrails

Wed, 13 Aug 2025 09:00:00 GMT

_What's new?_ - Track and manage delivery, delivery destination, delivery source, and destination resources in Guardrails. _Resource Types_ - AWS > Logs > Delivery - AWS > Logs > Delivery Destination - AWS > Logs > Delivery Source - AWS > Logs > Destination _Control Types_ - AWS > Logs > Delivery > Active - AWS > Logs > Delivery > CMDB - AWS > Logs > Delivery > Discovery - AWS > Logs > Delivery > Tags - AWS > Logs > Delivery Destination > Active - AWS > Logs > Delivery Destination > CMDB - AWS > Logs > Delivery Destination > Discovery - AWS > Logs > Delivery Destination > Tags - AWS > Logs > Delivery Source > Active - AWS > Logs > Delivery Source > CMDB - AWS > Logs > Delivery Source > Discovery - AWS > Logs > Delivery Source > Tags - AWS > Logs > Destination > Active - AWS > Logs > Destination > CMDB - AWS > Logs > Destination > Discovery _Policy Types_ - AWS > Logs > Delivery > Active - AWS > Logs > Delivery > Active > Age - AWS > Logs > Delivery > Active > Budget - AWS > Logs > Delivery > Active > Last Modified - AWS > Logs > Delivery > CMDB - AWS > Logs > Delivery > Regions - AWS > Logs > Delivery > Tags - AWS > Logs > Delivery > Tags > Template - AWS > Logs > Delivery Destination > Active - AWS > Logs > Delivery Destination > Active > Age - AWS > Logs > Delivery Destination > Active > Budget - AWS > Logs > Delivery Destination > Active > Last Modified - AWS > Logs > Delivery Destination > CMDB - AWS > Logs > Delivery Destination > Regions - AWS > Logs > Delivery Destination > Tags - AWS > Logs > Delivery Destination > Tags > Template - AWS > Logs > Delivery Source > Active - AWS > Logs > Delivery Source > Active > Age - AWS > Logs > Delivery Source > Active > Budget - AWS > Logs > Delivery Source > Active > Last Modified - AWS > Logs > Delivery Source > CMDB - AWS > Logs > Delivery Source > Regions - AWS > Logs > Delivery Source > Tags - AWS > Logs > Delivery Source > Tags > Template - AWS > Logs > Destination > Active - AWS > Logs > Destination > Active > Age - AWS > Logs > Destination > Active > Budget - AWS > Logs > Destination > Active > Last Modified - AWS > Logs > Destination > CMDB - AWS > Logs > Destination > Regions _Action Types_ - AWS > Logs > Delivery > Delete - AWS > Logs > Delivery > Router - AWS > Logs > Delivery > Update Tags - AWS > Logs > Delivery Destination > Delete - AWS > Logs > Delivery Destination > Router - AWS > Logs > Delivery Destination > Update Tags - AWS > Logs > Delivery Source > Delete - AWS > Logs > Delivery Source > Router - AWS > Logs > Delivery Source > Update Tags - AWS > Logs > Destination > Delete - AWS > Logs > Destination > Router

aws-iam v5.44.1 - Stack control will now be able to claim existing OpenID connect providers correctly

Wed, 13 Aug 2025 09:00:00 GMT

_Bug fixes_ - Guardrails stack controls would fail to claim any existing OpenID Connect provider if the OpenID Connect provider was available in Guardrails CMDB and the stack's Source policy included the Terraform plan for the OpenID Connect provider. This is fixed and stack control will now be able to claim existing OpenID Connect providers correctly.

Turbot Guardrails Enterprise (TE) v5.52.2 - Fixed server stability issues and improved UI consistency

Tue, 12 Aug 2025 09:00:00 GMT

_What's new?_ - Server - Added retry mechanism for Mod expired URL errors. _Bug Fixes_ - Server - Turbot > Workspace > Background Tasks now ignore deleted resources. - Resolved an issue where the worker could crash while processing errors. - Addressed a cleanup script bug that was incorrectly removing active Lambda version aliases and associated topics. The script now deletes only unused resources. - UI - Saving in the calculated policy editor is now prevented if there is an error. - Alignment of `Note` in the policy tab is now consistent across all entries. - Multi-step queries in the calculated policy editor are now displayed correctly as separate steps. - Policy packs no longer show a blank page when the description is missing. - Policy Pack details screen should not show summary when AI summary is disabled. _Note_ Upgrade to `5.52.2` requires your workspace to be on `5.51.x`; direct upgrades from older versions (e.g., 5.49.x) will fail. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-storage v5.27.1 - Storage account CMDB control will no longer attempt to access table services for premium storage accounts

Tue, 12 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Storage > Storage Account > CMDB` control previously encountered errors with Premium storage accounts when attempting to access unsupported Table services. This has now been resolved.

turbot v5.54.3 - Prevent background task errors for non existent resources

Fri, 08 Aug 2025 09:00:00 GMT

_What's new?_ - Turbot > Workspace > Background Tasks will no longer go into an error state if the resource does not exist. _Requirements_ - TE: 5.35.4

azure-storage v5.27.0 - Create and manage cloud resources via Stack [Native] controls

Fri, 08 Aug 2025 09:00:00 GMT

_What's new?_ - Users can now create and manage cloud resources using Terraform 1.x via Guardrails, fully leveraging all features available in this version. To get started, set the `Stack [Native] > *` policies. _Bug fixes_ - The `Azure > Storage > Storage Account > CMDB` control now stores details of API calls that fail due to insufficient permissions granted to Guardrails' service principal. This enables Guardrails to mark controls that depend on the respective data as invalid, rather than enforcing settings unnecessarily. _Control Types_ - Azure > Storage > Storage Account > Stack [Native] _Policy Types_ - Azure > Storage > Storage Account > Stack [Native] - Azure > Storage > Storage Account > Stack [Native] > Drift Detection - Azure > Storage > Storage Account > Stack [Native] > Drift Detection > Interval - Azure > Storage > Storage Account > Stack [Native] > Modifier - Azure > Storage > Storage Account > Stack [Native] > Secret Variables - Azure > Storage > Storage Account > Stack [Native] > Source - Azure > Storage > Storage Account > Stack [Native] > Timeout - Azure > Storage > Storage Account > Stack [Native] > Variables - Azure > Storage > Storage Account > Stack [Native] > Version

azure-keyvault v5.18.0 - Create and manage cloud resources via Stack [Native] controls

Fri, 08 Aug 2025 09:00:00 GMT

_What's new?_ - Users can now create and manage cloud resources using Terraform 1.x via Guardrails, fully leveraging all features available in this version. To get started, set the `Stack [Native] > *` policies. _Control Types_ - Azure > Key Vault > Vault > Stack [Native] _Policy Types_ - Azure > Key Vault > Vault > Stack [Native] - Azure > Key Vault > Vault > Stack [Native] > Drift Detection - Azure > Key Vault > Vault > Stack [Native] > Drift Detection > Interval - Azure > Key Vault > Vault > Stack [Native] > Modifier - Azure > Key Vault > Vault > Stack [Native] > Secret Variables - Azure > Key Vault > Vault > Stack [Native] > Source - Azure > Key Vault > Vault > Stack [Native] > Timeout - Azure > Key Vault > Vault > Stack [Native] > Variables - Azure > Key Vault > Vault > Stack [Native] > Version

servicenow-gcp v5.8.1 - Fixed invalid CMDB references for region resource types causing control errors

Thu, 07 Aug 2025 09:00:00 GMT

_Bug fixes_ - Fixed invalid CMDB references for the `Zone`, `Region`, `Multi-Region`, and `Global Region` resource types that caused the `Relationships` and `Import Set` controls to enter an error state. The controls now run reliably without errors.

aws v5.38.1 - Budget control will no longer run unnecessarily when notifications are enabled in the workspaces

Thu, 07 Aug 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > Account > Budget > Budget` control previously reran unnecessarily in workspaces with `Turbot > Notifications` enabled. This issue has been resolved, and the control now runs as expected.

Terraform Provider v1.12.5 - Improved handling of `turbot_file` updates

Wed, 06 Aug 2025 09:00:00 GMT

_Bug fixes_ - Fixed an issue in the `turbot_file` resource where removed keys in the content field were incorrectly sent as `"key": null` in the update payload. The provider now sends the content exactly as specified in the Terraform configuration, ensuring that only the intended keys appear in the Turbot console.

Turbot Guardrails Enterprise Database (TED) v1.51.1 -Added CPU and memory settings for PgBouncer task

Wed, 06 Aug 2025 09:00:00 GMT

_What's new?_ - Added CPU and memory settings for the PgBouncer task, giving you more control over resource allocation.

azure-storage v5.26.0 - Configure cross-tenant replication for storage accounts

Wed, 06 Aug 2025 09:00:00 GMT

_What's new?_ - You can now configure cross-tenant replication for storage accounts. To get started, set the `Azure > Storage > Storage Account > Cross-Tenant Replication` policy. _Control Types_ - Azure > Storage > Storage Account > Cross-Tenant Replication _Policy Types_ - Azure > Storage > Storage Account > Cross-Tenant Replication _Action Types_ - Azure > Storage > Storage Account > Set Cross-Tenant Replication

azure-sql v5.19.1 - Updated internal Node SDK package to delete SQL resources correctly

Wed, 06 Aug 2025 09:00:00 GMT

_Bug fixes_ - Guardrails previously failed to delete `Azure > SQL > *` resources due to limitations in the internal Node SDK package version. This issue has now been resolved, and the resources will be deleted as expected. - The `Azure > SQL > *` tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

gcp-iam v5.20.0 - Manage role bindings for service accounts

Tue, 05 Aug 2025 09:00:00 GMT

_What's new?_ - You can now manage role bindings for service accounts. To get started, set the `GCP > IAM > Service Account > Role Bindings > *` policies. _Control Types_ - GCP > IAM > Service Account > Role Bindings - GCP > IAM > Service Account > Role Bindings > Approved _Policy Types_ - GCP > IAM > Service Account > Role Bindings - GCP > IAM > Service Account > Role Bindings > Approved - GCP > IAM > Service Account > Role Bindings > Approved > Rules _Action Types_ - GCP > IAM > Service Account > Update Role Bindings

azure-storage v5.25.2 - Diagnostic settings data will now be retrieved accurately for all storage services

Mon, 04 Aug 2025 09:00:00 GMT

_Bug fixes_ - In the previous version, an issue was introduced in the CMDB control for `Azure > Storage > Storage Account` that prevented the retrieval of diagnostic settings. This has now been resolved, and the control successfully processes diagnostic settings for all storage services, including Blob, Table, Queue, and the primary account.

gcp-iam v5.19.0 - Manage role bindings for project users

Fri, 01 Aug 2025 09:00:00 GMT

_What's new?_ - You can now manage role bindings for project users. To get started, set the `GCP > IAM > Project User > Role Bindings > *` policies. _Control Types_ - GCP > IAM > Project User > Role Bindings - GCP > IAM > Project User > Role Bindings > Approved _Policy Types_ - GCP > IAM > Project User > Role Bindings - GCP > IAM > Project User > Role Bindings > Approved - GCP > IAM > Project User > Role Bindings > Approved > Rules _Action Types_ - GCP > IAM > Project User > Update Role Bindings

azure-servicebus v5.5.0 - Network rule set details will now be available in CMDB for namespaces

Fri, 01 Aug 2025 09:00:00 GMT

_What's new?_ - Network rule set details will now be available in CMDB for namespaces.

azure-cisv3-0 v5.0.0 is now available

Fri, 01 Aug 2025 09:00:00 GMT

_What's new?_ _Control Types_ - Azure > CIS v3.0 - Azure > CIS v3.0 > 02 - Identity - Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) - Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID - Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users - Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users - Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.01 - Ensure Trusted Locations Are Defined - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.07 - Ensure Multi-factor Authentication is Required for Windows Azure Service Management API - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.08 - Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals - Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' - Azure > CIS v3.0 > 02 - Identity > 02.04 - Ensure Guest Users Are Reviewed on a Regular Basis - Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2' - Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10' - Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' - Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization - Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' - Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes' - Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' - Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure `User consent for applications` is set to `Do not allow user consent` - Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' - Azure > CIS v3.0 > 02 - Identity > 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No' - Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' - Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' - Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' - Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' - Azure > CIS v3.0 > 02 - Identity > 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' - Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' - Azure > CIS v3.0 > 02 - Identity > 02.23 - Ensure That No Custom Subscription Administrator Roles Exist - Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks - Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one' - Azure > CIS v3.0 > 02 - Identity > 02.26 - Ensure fewer than 5 users have global administrator assignment - Azure > CIS v3.0 > 03 - Security - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.01 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.02 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.02 - Defender Plan APIs - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.01 - Ensure That Microsoft Defender for Servers Is Set to 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage > 03.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan - App Service - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan - App Service > 03.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault > 03.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager > 03.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.12 - Ensure That 'All users with the following roles' is set to 'Owner' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.14 - Ensure That 'Notify about alerts with the following severity' is Set to 'High' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.16 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT - Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > 03.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.05 - Ensure the Key Vault is Recoverable - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.06 - Enable Role Based Access Control for Azure Key Vault - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.07 - Ensure that Private Endpoints are Used for Azure Key Vault - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services - Azure > CIS v3.0 > 04 - Storage Accounts - Azure > CIS v3.0 > 04 - Storage Accounts > 04.01 - Ensure that 'Secure transfer required' is set to 'Enabled' - Azure > CIS v3.0 > 04 - Storage Accounts > 04.02 - Ensure that `Enable Infrastructure Encryption` for Each Storage Account in Azure Storage is Set to `enabled` - Azure > CIS v3.0 > 04 - Storage Accounts > 04.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account - Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated - Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour - Azure > CIS v3.0 > 04 - Storage Accounts > 04.06 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts - Azure > CIS v3.0 > 04 - Storage Accounts > 04.07 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny - Azure > CIS v3.0 > 04 - Storage Accounts > 04.08 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access - Azure > CIS v3.0 > 04 - Storage Accounts > 04.09 - Ensure Private Endpoints are used to access Storage Accounts - Azure > CIS v3.0 > 04 - Storage Accounts > 04.10 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) - Azure > CIS v3.0 > 04 - Storage Accounts > 04.12 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests - Azure > CIS v3.0 > 04 - Storage Accounts > 04.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests - Azure > CIS v3.0 > 04 - Storage Accounts > 04.14 - Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests - Azure > CIS v3.0 > 04 - Storage Accounts > 04.15 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' - Azure > CIS v3.0 > 04 - Storage Accounts > 04.16 - Ensure 'Cross Tenant Replication' is not enabled - Azure > CIS v3.0 > 04 - Storage Accounts > 04.17 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' - Azure > CIS v3.0 > 05 - Database Services - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.01 - Ensure that 'Auditing' is set to 'On' - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.03 - Ensure SQL Server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.04 - Ensure that Microsoft Entra authentication is Configured for SQL Servers - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days' - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.07 - Ensure Public Network Access is Disabled - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.02 - Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.03 - Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.04 - Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.05 - Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.06 - [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.07 - [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.08 - [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled' - Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL - Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.02 - Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB - Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks - Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.02 - Ensure That Private Endpoints Are Used Where Possible - Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible - Azure > CIS v3.0 > 06 - Logging & Monitoring - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.02 - Ensure Diagnostic Setting captures appropriate categories - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.03 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.04 - Ensure that logging for Azure Key Vault is 'Enabled' - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights > 06.03.01 - Ensure Application Insights are Configured - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) - Azure > CIS v3.0 > 07 - Networking - Azure > CIS v3.0 > 07 - Networking > 07.01 - Ensure that RDP access from the Internet is evaluated and restricted - Azure > CIS v3.0 > 07 - Networking > 07.02 - Ensure that SSH access from the Internet is evaluated and restricted - Azure > CIS v3.0 > 07 - Networking > 07.03 - Ensure that UDP access from the Internet is evaluated and restricted - Azure > CIS v3.0 > 07 - Networking > 07.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted - Azure > CIS v3.0 > 07 - Networking > 07.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Azure > CIS v3.0 > 07 - Networking > 07.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use - Azure > CIS v3.0 > 07 - Networking > 07.07 - Ensure that Public IP addresses are evaluated on a periodic basis - Azure > CIS v3.0 > 08 - Virtual Machines - Azure > CIS v3.0 > 08 - Virtual Machines > 08.01 - Ensure an Azure Bastion Host Exists - Azure > CIS v3.0 > 08 - Virtual Machines > 08.02 - Ensure Virtual Machines are utilizing Managed Disks - Azure > CIS v3.0 > 08 - Virtual Machines > 08.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) - Azure > CIS v3.0 > 08 - Virtual Machines > 08.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) - Azure > CIS v3.0 > 08 - Virtual Machines > 08.05 - Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks' - Azure > CIS v3.0 > 08 - Virtual Machines > 08.06 - Ensure that 'Enable Data Access Authentication Mode' is 'Checked' - Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed - Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed - Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted - Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine - Azure > CIS v3.0 > 08 - Virtual Machines > 08.11 - Ensure Trusted Launch is enabled on Virtual Machines - Azure > CIS v3.0 > 09 - Application Services - Azure > CIS v3.0 > 09 - Application Services > 09.01 - Ensure 'HTTPS Only' is set to `On` - Azure > CIS v3.0 > 09 - Application Services > 09.02 - Ensure App Service Authentication is set up for apps in Azure App Service - Azure > CIS v3.0 > 09 - Application Services > 09.03 - Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled' - Azure > CIS v3.0 > 09 - Application Services > 09.04 - Ensure Web App is using the latest version of TLS encryption - Azure > CIS v3.0 > 09 - Application Services > 09.05 - Ensure that Register with Entra ID is enabled on App Service - Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled' - Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use) - Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use) - Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use) - Azure > CIS v3.0 > 09 - Application Services > 09.10 - Ensure that 'HTTP20enabled' is set to 'true' (if in use) - Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets - Azure > CIS v3.0 > 09 - Application Services > 09.12 - Ensure that 'Remote debugging' is set to 'Off' - Azure > CIS v3.0 > 10 - Miscellaneous - Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources _Policy Types_ - Azure > CIS v3.0 - Azure > CIS v3.0 > 02 - Identity - Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) - Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID - Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users - Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users - Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled - Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.01 - Ensure Trusted Locations Are Defined - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.07 - Ensure Multi-factor Authentication is Required for Windows Azure Service Management API - Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.08 - Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals - Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' - Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.04 - Ensure Guest Users Are Reviewed on a Regular Basis - Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2' - Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10' - Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' - Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization - Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' - Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes' - Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' - Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure `User consent for applications` is set to `Do not allow user consent` - Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure `User consent for applications` is set to `Do not allow user consent` > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' - Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No' - Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' - Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' - Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' - Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' - Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' - Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' - Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.23 - Ensure That No Custom Subscription Administrator Roles Exist - Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks - Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one' - Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one' > Attestation - Azure > CIS v3.0 > 02 - Identity > 02.26 - Ensure fewer than 5 users have global administrator assignment - Azure > CIS v3.0 > 02 - Identity > Maximum Attestation Duration - Azure > CIS v3.0 > 03 - Security - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.01 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.02 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.02 - Defender Plan APIs - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.01 - Ensure That Microsoft Defender for Servers Is Set to 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' > Attestation - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' > Attestation - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' > Attestation - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On' > Attestation - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On' > Attestation - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage > 03.01.05.01 - Ensure That Microsoft Defender for Containers Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan App - Service - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan App - Service > 03.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault > 03.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager > 03.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' > Attestation - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' > Attestation - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.12 - Ensure That 'All users with the following roles' is set to 'Owner' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.14 - Ensure That 'Notify about alerts with the following severity' is Set to 'High' - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled > Attestation - Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.16 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT - Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > 03.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' - Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > Attestation - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.05 - Ensure the Key Vault is Recoverable - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.06 - Enable Role Based Access Control for Azure Key Vault - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.07 - Ensure that Private Endpoints are Used for Azure Key Vault - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services - Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services > Attestation - Azure > CIS v3.0 > 03 - Security > Maximum Attestation Duration - Azure > CIS v3.0 > 04 - Storage Accounts - Azure > CIS v3.0 > 04 - Storage Accounts > 04.01 - Ensure that 'Secure transfer required' is set to 'Enabled' - Azure > CIS v3.0 > 04 - Storage Accounts > 04.02 - Ensure that `Enable Infrastructure Encryption` for Each Storage Account in Azure Storage is Set to `enabled` - Azure > CIS v3.0 > 04 - Storage Accounts > 04.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account - Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated - Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated > Attestation - Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour - Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour > Attestation - Azure > CIS v3.0 > 04 - Storage Accounts > 04.06 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts - Azure > CIS v3.0 > 04 - Storage Accounts > 04.07 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny - Azure > CIS v3.0 > 04 - Storage Accounts > 04.08 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access - Azure > CIS v3.0 > 04 - Storage Accounts > 04.09 - Ensure Private Endpoints are used to access Storage Accounts - Azure > CIS v3.0 > 04 - Storage Accounts > 04.10 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) - Azure > CIS v3.0 > 04 - Storage Accounts > 04.12 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests - Azure > CIS v3.0 > 04 - Storage Accounts > 04.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests - Azure > CIS v3.0 > 04 - Storage Accounts > 04.14 - Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests - Azure > CIS v3.0 > 04 - Storage Accounts > 04.15 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' - Azure > CIS v3.0 > 04 - Storage Accounts > 04.16 - Ensure 'Cross Tenant Replication' is not enabled - Azure > CIS v3.0 > 04 - Storage Accounts > 04.17 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' - Azure > CIS v3.0 > 04 - Storage Accounts > Maximum Attestation Duration - Azure > CIS v3.0 > 05 - Database Services - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.01 - Ensure that 'Auditing' is set to 'On' - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.03 - Ensure SQL Server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.04 - Ensure that Microsoft Entra authentication is Configured for SQL Servers - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days' - Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.07 - Ensure Public Network Access is Disabled - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.02 - Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.03 - Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.04 - Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.05 - Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.07 - [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.08 - [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled' - Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 5.2.6 - [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server - Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL - Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.02 - Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server - Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB - Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks - Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.02 - Ensure That Private Endpoints Are Used Where Possible - Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible - Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible > Attestation - Azure > CIS v3.0 > 05 - Database Services > Maximum Attestation Duration - Azure > CIS v3.0 > 06 - Logging & Monitoring - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs > Attestation - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.02 - Ensure Diagnostic Setting captures appropriate categories - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.03 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.04 - Ensure that logging for Azure Key Vault is 'Enabled' - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights > 06.03.01 - Ensure Application Insights are Configured - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation - Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) - Azure > CIS v3.0 > 06 - Logging & Monitoring > Maximum Attestation Duration - Azure > CIS v3.0 > 07 - Networking - Azure > CIS v3.0 > 07 - Networking > 07.01 - Ensure that RDP access from the Internet is evaluated and restricted - Azure > CIS v3.0 > 07 - Networking > 07.02 - Ensure that SSH access from the Internet is evaluated and restricted - Azure > CIS v3.0 > 07 - Networking > 07.03 - Ensure that UDP access from the Internet is evaluated and restricted - Azure > CIS v3.0 > 07 - Networking > 07.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted - Azure > CIS v3.0 > 07 - Networking > 07.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Azure > CIS v3.0 > 07 - Networking > 07.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use - Azure > CIS v3.0 > 07 - Networking > 07.07 - Ensure that Public IP addresses are evaluated on a periodic basis - Azure > CIS v3.0 > 07 - Networking > Maximum Attestation Duration - Azure > CIS v3.0 > 08 - Virtual Machines - Azure > CIS v3.0 > 08 - Virtual Machines > 08.01 - Ensure Virtual Machines are utilizing Managed Disks - Azure > CIS v3.0 > 08 - Virtual Machines > 08.02 - Ensure Virtual Machines are utilizing Managed Disks - Azure > CIS v3.0 > 08 - Virtual Machines > 08.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) - Azure > CIS v3.0 > 08 - Virtual Machines > 08.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) - Azure > CIS v3.0 > 08 - Virtual Machines > 08.05 - Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks' - Azure > CIS v3.0 > 08 - Virtual Machines > 08.06 - Ensure that 'Enable Data Access Authentication Mode' is 'Checked' - Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed - Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed > Attestation - Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed - Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed > Attestation - Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted - Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted > Attestation - Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine - Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine > Attestation - Azure > CIS v3.0 > 08 - Virtual Machines > 08.11 - Ensure Trusted Launch is enabled on Virtual Machines - Azure > CIS v3.0 > 08 - Virtual Machines > Maximum Attestation Duration - Azure > CIS v3.0 > 09 - Application Services - Azure > CIS v3.0 > 09 - Application Services > 09.01 - Ensure 'HTTPS Only' is set to `On` - Azure > CIS v3.0 > 09 - Application Services > 09.02 - Ensure App Service Authentication is set up for apps in Azure App Service - Azure > CIS v3.0 > 09 - Application Services > 09.03 - Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled' - Azure > CIS v3.0 > 09 - Application Services > 09.04 - Ensure Web App is using the latest version of TLS encryption - Azure > CIS v3.0 > 09 - Application Services > 09.05 - Ensure that Register with Entra ID is enabled on App Service - Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled' - Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled' > Attestation - Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use) - Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use) > Attestation - Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use) - Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use) > Attestation - Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use) - Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use) > Attestation - Azure > CIS v3.0 > 09 - Application Services > 09.10 - Ensure that 'HTTP20enabled' is set to 'true' (if in use) - Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets - Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets > Attestation - Azure > CIS v3.0 > 09 - Application Services > 09.12 - Ensure that 'Remote debugging' is set to 'Off' - Azure > CIS v3.0 > 09 - Application Services > Maximum Attestation Duration - Azure > CIS v3.0 > 10 - Miscellaneous - Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources - Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation - Azure > CIS v3.0 > 10 - Miscellaneous > Maximum Attestation Duration - Azure > CIS v3.0 > Maximum Attestation Duration _Note_ To ensure compatibility and proper functioning of the Guardrails Azure CIS v3 mod, we recommend updating all dependent mods to their latest versions.

github v5.2.0 - Added proxy support for GitHub API requests

Thu, 31 Jul 2025 09:00:00 GMT

_What's new?_ - Added proxy support for GitHub API requests.

azure-storage v5.25.1 - Updated internal Node SDK package to fetch diagnostic settings for storage accounts correctly

Thu, 31 Jul 2025 09:00:00 GMT

_Bug fixes_ - Guardrails previously failed to fetch all `diagnosticSettings` details for storage accounts control due to limitations in the internal Node SDK package version. This has now been resolved, and the CMDB control will successfully fetch all details as expected. Renamed: - `diagnosticSettings.value` to `diagnosticSettings`

azure-keyvault v5.17.1 - Updated internal Node SDK package to fetch diagnostic settings for key vaults correctly

Thu, 31 Jul 2025 09:00:00 GMT

_Bug fixes_ - Guardrails previously failed to fetch all `diagnosticSettings` details for vaults control due to limitations in the internal Node SDK package version. This has now been resolved, and the CMDB control will successfully fetch all details as expected.

azure-appservice v5.15.1 - Updated internal Node SDK package to fetch diagnostic settings for web apps correctly

Thu, 31 Jul 2025 09:00:00 GMT

_Bug fixes_ - Guardrails previously failed to fetch all `diagnosticSettings` details for web apps control due to limitations in the internal Node SDK package version. This has now been resolved, and the CMDB control will successfully fetch all details as expected.

azure-storage v5.25.0 - Diagnostic settings for blob, queue, and table will now be available in CMDB for storage accounts

Tue, 29 Jul 2025 09:00:00 GMT

_What's new?_ - Diagnostic Settings for blob, queue, and table will now be available in CMDB for storage accounts. - Users can now update access tier to `cold` for storage accounts. To get started, set the `Azure > Storage > Storage Account > Access Tier` policy to `Enforce: Cold`. _Bug fixes_ - The `Azure > Storage > Storage Account > Tags` control will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

azure-compute v5.25.0 - Configure guest configuration extension for virtual machines

Tue, 29 Jul 2025 09:00:00 GMT

_What's new?_ - You can now configure guest configuration extension for virtual machines. To get started, set the `Azure > Compute > Virtual Machine > Extensions > Guest Configuration` policy. _Control Types_ - Azure > Compute > Virtual Machine > Extensions - Azure > Compute > Virtual Machine > Extensions > Guest Configuration _Policy Types_ - Azure > Compute > Virtual Machine > Extensions - Azure > Compute > Virtual Machine > Extensions > Guest Configuration _Action Types_ - Azure > Compute > Virtual Machine > Update Guest Configuration

azure-cisv2-0 v5.2.0 - Added controls for sections 5.01.01, 5.01.02 and 7.01

Tue, 29 Jul 2025 09:00:00 GMT

_What's new?_ - Added controls for sections 5.01.01, 5.01.02 and 7.01. _Control Types_ - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.01 - Ensure that a 'Diagnostic Setting' exists - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.02 - Ensure Diagnostic Setting captures appropriate categories - Azure > CIS v2.0 > 07 - Virtual Machines > 7.01 - Ensure an Azure Bastion Host Exists _Policy Types_ - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.01 - Ensure that a 'Diagnostic Setting' exists - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.01 - Ensure that a 'Diagnostic Setting' exists > Attestation - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.02 - Ensure Diagnostic Setting captures appropriate categories - Azure > CIS v2.0 > 07 - Virtual Machines > 7.01 - Ensure an Azure Bastion Host Exists _Bug fixes_ - CIS controls previously entered an invalid or TBD state when the CMDB controls for associated resources were in a skipped or TBD state, even if the corresponding CIS policies were set to `Skip`. This issue has been resolved; such controls will now correctly transition to a skipped state.

aws-s3 v5.32.2 - CMDB data now automatically refreshes when intelligent tiering configurations are removed from the buckets

Fri, 25 Jul 2025 09:00:00 GMT

_Bug fixes_ - The CMDB data for buckets did not refresh automatically when intelligent tiering configurations were removed from the buckets. This issue has now been fixed.

Turbot Guardrails Enterprise Database (TED) v1.51.0 - Added support for PostgreSQL versions 15.9, 15.10, 15.11, 15.12 and 15.13

Thu, 24 Jul 2025 09:00:00 GMT

_What's new?_ - Added support for PostgreSQL version 15.9, 15.10, 15.11, 15.12 and 15.13.

Terraform Provider v1.12.4 - Improved handling of policy pack deletions with attachments

Wed, 23 Jul 2025 09:00:00 GMT

_Bug fixes_ - Resolved a bug where destroying a policy pack via Terraform did not delete the policy pack if it was still attached to resources. The `terraform destroy` command now provides a clear and meaningful error message when such attachments exist. Minimum version requirements: - TE v5.52.1

azure v5.32.0 - Diagnostic settings details will now be available in CMDB for subscriptions

Wed, 23 Jul 2025 09:00:00 GMT

_What's new?_ - Diagnostic Settings details will now be available in CMDB for Subscriptions.

Turbot Guardrails Enterprise (TE) v5.52.1 - Enhancements and fixes to improve core system reliability

Tue, 22 Jul 2025 09:00:00 GMT

_What's new?_ - Server - Introduced `LAMBDA_IN_VPC_GITHUB` flag to enable deployment of GitHub mod lambdas inside a VPC. _Bug Fixes_ - Server - Optimized mod type installation to distribute event execution more evenly over time, minimizing the risk of throttling. - Fixed an issue where controls or actions could get stuck if their notification templates were empty or failed to render correctly. - The Delete Policy Pack API now throws a clear error when attempting to delete a policy pack that still has attached resources. - The maintenance container now ensures the index_list table is populated with any missing indexes, improving database reliability. - Unused Lambda functions are now correctly deleted when no aliases remain. _Note_ Upgrade to `5.52.1` requires your workspace to be on `5.51.x`; direct upgrades from older versions (e.g., 5.49.x) will fail. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-network v5.26.0 - Track and manage bastion hosts in CMDB

Tue, 22 Jul 2025 09:00:00 GMT

_What's new?_ - Resource Types: - Azure > Network > Bastion Host - Control Types: - Azure > Network > Bastion Host > Active - Azure > Network > Bastion Host > CMDB - Azure > Network > Bastion Host > Discovery - Azure > Network > Bastion Host > Tags - Policy Types: - Azure > Network > Bastion Host > Active - Azure > Network > Bastion Host > Active > Age - Azure > Network > Bastion Host > Active > Last Modified - Azure > Network > Bastion Host > CMDB - Azure > Network > Bastion Host > Regions - Azure > Network > Bastion Host > Tags - Azure > Network > Bastion Host > Tags > Template - Action Types: - Azure > Network > Bastion Host > Delete - Azure > Network > Bastion Host > Router - Azure > Network > Bastion Host > Set Tags

azure-compute v5.24.0 - HyperVGeneration details will now be available in the CMDB for virtual machines

Tue, 22 Jul 2025 09:00:00 GMT

_What's new?_ - `HyperVGeneration` details will now be available in the CMDB for Virtual Machines.

azure-activedirectory v5.9.0 - Conditional access policy and directory role details will now be available in CMDB for directories

Tue, 22 Jul 2025 09:00:00 GMT

_What's new?_ - `Conditional Access Policy` and `Directory Role` details will now be available in CMDB for Directories. _Action Types_ - Azure > Active Directory > Directory > Router

aws-bedrock v5.1.0 - Various new resource types for Bedrock are now available

Tue, 22 Jul 2025 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > Bedrock > Agent - AWS > Bedrock > Custom Model - AWS > Bedrock > Foundation Model - AWS > Bedrock > Imported Model - AWS > Bedrock > Knowledge Base - AWS > Bedrock > Settings - Control Types: - AWS > Bedrock > Agent > Active - AWS > Bedrock > Agent > CMDB - AWS > Bedrock > Agent > Discovery - AWS > Bedrock > Agent > Tags - AWS > Bedrock > Custom Model > Active - AWS > Bedrock > Custom Model > CMDB - AWS > Bedrock > Custom Model > Discovery - AWS > Bedrock > Custom Model > Tags - AWS > Bedrock > Foundation Model > CMDB - AWS > Bedrock > Foundation Model > Discovery - AWS > Bedrock > Imported Model > Active - AWS > Bedrock > Imported Model > CMDB - AWS > Bedrock > Imported Model > Discovery - AWS > Bedrock > Imported Model > Tags - AWS > Bedrock > Knowledge Base > Active - AWS > Bedrock > Knowledge Base > CMDB - AWS > Bedrock > Knowledge Base > Discovery - AWS > Bedrock > Knowledge Base > Tags - AWS > Bedrock > Settings > CMDB - AWS > Bedrock > Settings > Discovery - AWS > Bedrock > Settings > Model Invocation Logging Configuration - Policy Types: - AWS > Bedrock > Agent > Active - AWS > Bedrock > Agent > Active > Age - AWS > Bedrock > Agent > Active > Last Modified - AWS > Bedrock > Agent > CMDB - AWS > Bedrock > Agent > Regions - AWS > Bedrock > Agent > Tags - AWS > Bedrock > Agent > Tags > Template - AWS > Bedrock > Custom Model > Active - AWS > Bedrock > Custom Model > Active > Age - AWS > Bedrock > Custom Model > Active > Last Modified - AWS > Bedrock > Custom Model > CMDB - AWS > Bedrock > Custom Model > Regions - AWS > Bedrock > Custom Model > Tags - AWS > Bedrock > Custom Model > Tags > Template - AWS > Bedrock > Foundation Model > CMDB - AWS > Bedrock > Foundation Model > Regions - AWS > Bedrock > Imported Model > Active - AWS > Bedrock > Imported Model > Active > Age - AWS > Bedrock > Imported Model > Active > Last Modified - AWS > Bedrock > Imported Model > CMDB - AWS > Bedrock > Imported Model > Regions - AWS > Bedrock > Imported Model > Tags - AWS > Bedrock > Imported Model > Tags > Template - AWS > Bedrock > Knowledge Base > Active - AWS > Bedrock > Knowledge Base > Active > Age - AWS > Bedrock > Knowledge Base > Active > Last Modified - AWS > Bedrock > Knowledge Base > CMDB - AWS > Bedrock > Knowledge Base > Regions - AWS > Bedrock > Knowledge Base > Tags - AWS > Bedrock > Knowledge Base > Tags > Template - AWS > Bedrock > Settings > CMDB - AWS > Bedrock > Settings > Model Invocation Logging Configuration - AWS > Bedrock > Settings > Model Invocation Logging Configuration > Data Delivery - AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination - AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination > CloudWatch Log Group Name - AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination > S3 Location - AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination > S3 Location for Large Data Delivery - AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination > Service Role ARN - AWS > Bedrock > Settings > Regions - AWS > Bedrock > Tags Template [Default] - AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-bedrock - Action Types: - AWS > Bedrock > Agent > Delete - AWS > Bedrock > Agent > Router - AWS > Bedrock > Agent > Update Tags - AWS > Bedrock > Custom Model > Delete - AWS > Bedrock > Custom Model > Router - AWS > Bedrock > Custom Model > Update Tags - AWS > Bedrock > Imported Model > Delete - AWS > Bedrock > Imported Model > Router - AWS > Bedrock > Imported Model > Update Tags - AWS > Bedrock > Knowledge Base > Delete - AWS > Bedrock > Knowledge Base > Router - AWS > Bedrock > Knowledge Base > Update Tags - AWS > Bedrock > Settings > Router - AWS > Bedrock > Settings > Update Model Invocation Logging Configuration

aws-apigateway v5.12.2 - Real-time events for stage resources will now be processed more reliably

Mon, 21 Jul 2025 09:00:00 GMT

_Bug fixes_ - In previous versions, `apigateway:CreateDeployment` events were processed without validating the required stageName parameter, which could result in invalid stage resources in the CMDB. This issue is now fixed.

aws-apigateway v5.12.1 - Enhanced real-time event handling for stage resources to accurately process events when a web ACL is attached

Fri, 18 Jul 2025 09:00:00 GMT

_Bug fixes_ - Resolved an issue with real-time event handling for `AWS > API Gateway > Stage` resources. Specifically, Guardrails was previously not receiving events when a Web ACL was attached to an API Gateway stage. This has now been fixed, and events for such actions are processed as expected.

gcp-network v5.16.0 - Configure private google access for subnetworks

Fri, 11 Jul 2025 09:00:00 GMT

_What's new?_ - Users can now configure the private google access settings for subnetworks. To get started, set the `GCP > Network > Subnetwork > Private Google Access` policy. _Control Types_ - GCP > Network > Subnetwork > Private Google Access _Policy Types_ - GCP > Network > Subnetwork > Private Google Access _Action Types_ - GCP > Network > Subnetwork > Set Private Google Access

gcp-dns v5.9.1 - Managed zone Labels control now correctly applies labels according to the template policy

Fri, 11 Jul 2025 09:00:00 GMT

_Bug fixes_ - Previously, `GCP > DNS > Managed Zone > Labels` control would fail when attempting to update labels on private DNS zones that were linked to a Service Directory namespace. This was caused by the control attempting to modify the `serviceDirectoryConfig` field, which is not allowed by the Google Cloud DNS API and resulted in an error. This issue has now been resolved.

aws-dynamodb v5.16.0 - Manage trusted access for tables

Fri, 11 Jul 2025 09:00:00 GMT

_What's new?_ - Users can now manage trusted access for tables. To get started, set the `AWS > DynamoDB > Table > Policy > Trusted Access > *` policies. - Resource policy details will now be available in CMDB for tables. _Control Types_ - AWS > DynamoDB > Table > Policy - AWS > DynamoDB > Table > Policy > Trusted Access _Policy Types_ - AWS > DynamoDB > Table > Policy - AWS > DynamoDB > Table > Policy > Trusted Access - AWS > DynamoDB > Table > Policy > Trusted Access > Accounts - AWS > DynamoDB > Table > Policy > Trusted Access > CloudFront Origin Access Identities - AWS > DynamoDB > Table > Policy > Trusted Access > Organization Restrictions - AWS > DynamoDB > Trusted Accounts [Default] - AWS > DynamoDB > Trusted Organizations [Default] _Action Types_ - AWS > DynamoDB > Table > Set Policy Trusted Access

gcp-computeengine v5.22.0 - Real time events are now processed for the regional disks

Mon, 07 Jul 2025 09:00:00 GMT

_What's new?_ - Added support to process real-time events for `GCP > Compute Engine > Region Disk`. _Action Types_ - GCP > Compute Engine > Region Disk > Router

aws-ec2 v5.46.1 - Removed dependency on workspace version policy for custom event patterns

Mon, 07 Jul 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-ec2` policy previously depended on the `Turbot > Workspace > Workspace Version` policy, causing Event Handlers to run after a TE update. This dependency has been safely removed, improving the overall efficiency of the workspace.

azure-postgresql v5.20.0 - Configure Intelligent Assessment control for dynamic, context-aware resource assessments

Thu, 03 Jul 2025 09:00:00 GMT

_What's new?_ - You can now use the `Intelligent Assessment` control, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the `Intelligent Assessment > *` policies. _Control Types_ - Azure > PostgreSQL > Flexible Server > Intelligent Assessment _Policy Types_ - Azure > PostgreSQL > Flexible Server > Intelligent Assessment - Azure > PostgreSQL > Flexible Server > Intelligent Assessment > Context - Azure > PostgreSQL > Flexible Server > Intelligent Assessment > User Prompt

aws-events v5.15.1 - Improved handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls

Thu, 03 Jul 2025 09:00:00 GMT

_Bug fixes_ - Improved the internal handling of user prompts and updated GraphQL dependencies for the `Intelligent Assessment` controls.

gcp v5.32.0 - Configure Intelligent Assessment controls for dynamic, context-aware resource assessments

Wed, 02 Jul 2025 09:00:00 GMT

gcp-pubsub v5.11.0 - Configure Intelligent Assessment controls for dynamic, context-aware resource assessments

Wed, 02 Jul 2025 09:00:00 GMT

gcp-logging v5.7.0 - Configure Intelligent Assessment controls for dynamic, context-aware resource assessments

Wed, 02 Jul 2025 09:00:00 GMT

gcp-bigquerydatatransfer v5.2.1 - Improved handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment control

Wed, 02 Jul 2025 09:00:00 GMT

_Bug fixes_ - Improved the internal handling of user prompts and updated GraphQL dependencies for the `Intelligent Assessment` control.

gcp-bigquery v5.9.1 - Improved handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls

Wed, 02 Jul 2025 09:00:00 GMT

_Bug fixes_ - Improved the internal handling of user prompts and updated GraphQL dependencies for the `Intelligent Assessment` controls.

gcp-appengine v5.5.0 - Configure Intelligent Assessment controls for dynamic, context-aware resource assessments

Wed, 02 Jul 2025 09:00:00 GMT

azure v5.31.0 - Configure Intelligent Assessment controls for dynamic, context-aware resource assessments

Tue, 01 Jul 2025 09:00:00 GMT

aws v5.38.0 - Configure Intelligent Assessment controls for dynamic, context-aware resource assessments

Tue, 01 Jul 2025 09:00:00 GMT

aws-cloudwatch v5.11.1 - Improved handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment control

Tue, 01 Jul 2025 09:00:00 GMT

_Bug fixes_ - Improved the internal handling of user prompts and updated GraphQL dependencies for the `Intelligent Assessment` control.

aws-apigateway v5.12.0 - Configure Intelligent Assessment controls for dynamic, context-aware resource assessments

Tue, 01 Jul 2025 09:00:00 GMT

Turbot Guardrails Enterprise Foundation (TEF) v1.68.0 - Added support for PgBouncer

Mon, 30 Jun 2025 09:00:00 GMT

_What's new?_ - Workspace Manager can now access log buckets encrypted with customer-managed KMS keys, improving support for secure logging setups. - The initial setup for PgBouncer support is now available. When enabled, the stack automatically creates the networking and discovery components—like Security Groups and CloudMap—needed for PgBouncer to work.

Turbot Guardrails Enterprise Database (TED) v1.50.0 - Support for PgBouncer and Valkey now available

Mon, 30 Jun 2025 09:00:00 GMT

_What's new?_ - PgBouncer support is now available. - Support for Valkey has been introduced, offering a simpler and more cost-effective option than Redis. _PgBouncer_ PgBouncer support has been introduced to improve database connection efficiency through lightweight connection pooling. This enhancement benefits high-throughput environments by reducing the overhead of frequent PostgreSQL connections. Minimum version requirements: - TE v5.52.0 - TEF v1.68.0 - TED v1.50.0

Turbot Guardrails Enterprise (TE) v5.52.0 - Introduced AI-Powered control remediation steps and policy pack summary

Mon, 30 Jun 2025 09:00:00 GMT

_What's new?_ - Server - Introduced a new GraphQL resolver that generates AI-driven remediation steps for controls. - UI - Enhanced the UI to display AI-generated remediation steps within the control details view. - Added a summary view to the UI for Policy Packs to provide a quick overview of key settings. _Note_ Upgrade to `5.52.0` requires your workspace to be on `5.51.x`; direct upgrades from older versions (e.g., 5.49.x) will fail. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

gcp-storage v5.13.0 - Configure Intelligent Assessment controls for dynamic, context-aware resource assessments

Mon, 30 Jun 2025 09:00:00 GMT

gcp-iam v5.18.0 - Configure Intelligent Assessment controls for dynamic, context-aware resource assessments

Mon, 30 Jun 2025 09:00:00 GMT

gcp-functions v5.10.1 - Improved handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls

Mon, 30 Jun 2025 09:00:00 GMT

aws-vpc-connect v5.11.0 - Configure Intelligent Assessment controls for dynamic, context-aware resource assessments

Mon, 30 Jun 2025 09:00:00 GMT

aws-sqs v5.18.1 - Improved handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment control

Mon, 30 Jun 2025 09:00:00 GMT

_Bug fixes_ - Improved the internal handling of user prompts and updated GraphQL dependencies for the `Intelligent Assessment` control.

aws-sns v5.18.1 - Improved handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls

Mon, 30 Jun 2025 09:00:00 GMT

_Bug fixes_ - Improved the internal handling of user prompts and updated GraphQL dependencies for the `Intelligent Assessment` controls.

aws-s3 v5.32.1 - Improved handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls

Mon, 30 Jun 2025 09:00:00 GMT

_Bug fixes_ - Improved the internal handling of user prompts and updated GraphQL dependencies for the `Intelligent Assessment` controls.

aws-lambda v5.15.1 - Improved handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls

Mon, 30 Jun 2025 09:00:00 GMT

_Bug fixes_ - Improved the internal handling of user prompts and updated GraphQL dependencies for the `Intelligent Assessment` controls.

aws-ec2 v5.46.0 - Configure Intelligent Assessment controls for dynamic, context-aware resource assessments

Mon, 30 Jun 2025 09:00:00 GMT

_What's new?_ - You can now use the `Intelligent Assessment` controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the `Intelligent Assessment > *` policies. _Control Types_ - AWS > EC2 > AMI > Intelligent Assessment - AWS > EC2 > Account Attributes > Intelligent Assessment - AWS > EC2 > Application Load Balancer > Intelligent Assessment - AWS > EC2 > Auto Scaling Group > Intelligent Assessment - AWS > EC2 > Classic Load Balancer > Intelligent Assessment - AWS > EC2 > Classic Load Balancer Listener > Intelligent Assessment - AWS > EC2 > Gateway Load Balancer > Intelligent Assessment - AWS > EC2 > Instance > Intelligent Assessment - AWS > EC2 > Key Pair > Intelligent Assessment - AWS > EC2 > Launch Configuration > Intelligent Assessment - AWS > EC2 > Launch Template > Intelligent Assessment - AWS > EC2 > Launch Template Version > Intelligent Assessment - AWS > EC2 > Listener Rule > Intelligent Assessment - AWS > EC2 > Load Balancer Listener > Intelligent Assessment - AWS > EC2 > Network Interface > Intelligent Assessment - AWS > EC2 > Network Load Balancer > Intelligent Assessment - AWS > EC2 > Snapshot > Intelligent Assessment - AWS > EC2 > Target Group > Intelligent Assessment - AWS > EC2 > Volume > Intelligent Assessment _Policy Types_ - AWS > EC2 > AMI > Intelligent Assessment - AWS > EC2 > AMI > Intelligent Assessment > Context - AWS > EC2 > AMI > Intelligent Assessment > User Prompt - AWS > EC2 > Account Attributes > Intelligent Assessment - AWS > EC2 > Account Attributes > Intelligent Assessment > Context - AWS > EC2 > Account Attributes > Intelligent Assessment > User Prompt - AWS > EC2 > Application Load Balancer > Intelligent Assessment - AWS > EC2 > Application Load Balancer > Intelligent Assessment > Context - AWS > EC2 > Application Load Balancer > Intelligent Assessment > User Prompt - AWS > EC2 > Auto Scaling Group > Intelligent Assessment - AWS > EC2 > Auto Scaling Group > Intelligent Assessment > Context - AWS > EC2 > Auto Scaling Group > Intelligent Assessment > User Prompt - AWS > EC2 > Classic Load Balancer > Intelligent Assessment - AWS > EC2 > Classic Load Balancer > Intelligent Assessment > Context - AWS > EC2 > Classic Load Balancer > Intelligent Assessment > User Prompt - AWS > EC2 > Classic Load Balancer Listener > Intelligent Assessment - AWS > EC2 > Classic Load Balancer Listener > Intelligent Assessment > Context - AWS > EC2 > Classic Load Balancer Listener > Intelligent Assessment > User Prompt - AWS > EC2 > Gateway Load Balancer > Intelligent Assessment - AWS > EC2 > Gateway Load Balancer > Intelligent Assessment > Context - AWS > EC2 > Gateway Load Balancer > Intelligent Assessment > User Prompt - AWS > EC2 > Instance > Intelligent Assessment - AWS > EC2 > Instance > Intelligent Assessment > Context - AWS > EC2 > Instance > Intelligent Assessment > User Prompt - AWS > EC2 > Key Pair > Intelligent Assessment - AWS > EC2 > Key Pair > Intelligent Assessment > Context - AWS > EC2 > Key Pair > Intelligent Assessment > User Prompt - AWS > EC2 > Launch Configuration > Intelligent Assessment - AWS > EC2 > Launch Configuration > Intelligent Assessment > Context - AWS > EC2 > Launch Configuration > Intelligent Assessment > User Prompt - AWS > EC2 > Launch Template > Intelligent Assessment - AWS > EC2 > Launch Template > Intelligent Assessment > Context - AWS > EC2 > Launch Template > Intelligent Assessment > User Prompt - AWS > EC2 > Launch Template Version > Intelligent Assessment - AWS > EC2 > Launch Template Version > Intelligent Assessment > Context - AWS > EC2 > Launch Template Version > Intelligent Assessment > User Prompt - AWS > EC2 > Listener Rule > Intelligent Assessment - AWS > EC2 > Listener Rule > Intelligent Assessment > Context - AWS > EC2 > Listener Rule > Intelligent Assessment > User Prompt - AWS > EC2 > Load Balancer Listener > Intelligent Assessment - AWS > EC2 > Load Balancer Listener > Intelligent Assessment > Context - AWS > EC2 > Load Balancer Listener > Intelligent Assessment > User Prompt - AWS > EC2 > Network Interface > Intelligent Assessment - AWS > EC2 > Network Interface > Intelligent Assessment > Context - AWS > EC2 > Network Interface > Intelligent Assessment > User Prompt - AWS > EC2 > Network Load Balancer > Intelligent Assessment - AWS > EC2 > Network Load Balancer > Intelligent Assessment > Context - AWS > EC2 > Network Load Balancer > Intelligent Assessment > User Prompt - AWS > EC2 > Snapshot > Intelligent Assessment - AWS > EC2 > Snapshot > Intelligent Assessment > Context - AWS > EC2 > Snapshot > Intelligent Assessment > User Prompt - AWS > EC2 > Target Group > Intelligent Assessment - AWS > EC2 > Target Group > Intelligent Assessment > Context - AWS > EC2 > Target Group > Intelligent Assessment > User Prompt - AWS > EC2 > Volume > Intelligent Assessment - AWS > EC2 > Volume > Intelligent Assessment > Context - AWS > EC2 > Volume > Intelligent Assessment > User Prompt

turbot v5.54.2 - Improved system prompts for Intelligent Assessment, Intelligent Fixes and Policy Pack Summary

Fri, 27 Jun 2025 09:00:00 GMT

_What's new?_ - Improved system prompts for Intelligent Assessment, Intelligent Fixes and Policy Pack Summary. _Requirements_ - TE: 5.35.4

Terraform Provider v1.12.3 - Terraform SAML directory updates now processed correctly

Wed, 25 Jun 2025 09:00:00 GMT

_Bug fixes_ - Fixed an issue where SAML directory certificate updates applied via Terraform appeared successful but did not persist in the backend. These updates are now correctly processed and retained. - Resolved an issue where the log message for policySetting resources was unclear when attempting to create policy settings for non-existent or uninstalled policy types. The log output is now more informative and precise.

turbot v5.54.1 - Improved system prompt for Intelligent Assessment control

Tue, 24 Jun 2025 09:00:00 GMT

_What's new?_ - Improved `Turbot > AI > Control > Intelligent Assessment > System Prompt` policy for better responses from the AI provider. - Updated the default value for `Turbot > AI > Configuration > Max Tokens [Default]` policy to 1000. _Requirements_ - TE: 5.35.4

turbot v5.54.0 - AI-generated Policy Pack summaries are now available

Tue, 24 Jun 2025 09:00:00 GMT

_What's new?_ - AI-generated Policy Pack summaries are now available. To get started, set the `Turbot > AI > Policy Pack > *` policies. __Control Types__ - Turbot > Policy Pack > Summary _Requirements_ - TE: 5.35.4

Configure Intelligent Assessment controls for dynamic, context-aware resource assessments for 15 mods

Tue, 24 Jun 2025 09:00:00 GMT

_What's new?_ - The following 15 mods now have the `Intelligent Assessment` control(s), which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. - aws-backup `v5.13.0` - aws-cloudwatch `v5.11.0` - aws-directconnect `v5.6.0` - aws-dynamodb `v5.15.0` - aws-events `v5.15.0` - aws-kms `v5.20.0` - aws-lambda `v5.15.0` - aws-route53 `v6.8.0` - aws-s3 `v5.32.0` - aws-sns `v5.18.0` - aws-sqs `v5.18.0` - aws-vpc-core `v5.22.0` - gcp-bigquery `v5.9.0` - gcp-bigquerydatatransfer `v5.2.0` - gcp-functions `v5.10.0`

Turbot Guardrails Enterprise (TE) v5.51.8 - Version bump to align with deployment requirements

Mon, 23 Jun 2025 09:00:00 GMT

Version bump to align with deployment requirements. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise Foundation (TEF) v1.67.0 - Enhanced EC2 customization: launch template tags, encrypted AMI support, and dynamic user data via SSM

Fri, 20 Jun 2025 09:00:00 GMT

_What's new?_ - Added support for five optional EC2 Launch Template tags (LaunchTemplateTag1–LaunchTemplateTag5) via SSM parameters. These tags are automatically applied to EC2 instances, EBS volumes, and network interfaces for improved resource classification and automation. - Introduced the `AmiKmsKeyArn` parameter to allow specifying a custom AWS KMS Key ARN for encrypting EBS volumes attached to EC2 instances. This enables support for custom encrypted AMIs. - Added a new `EC2InstanceCustomUserData` parameter that appends additional UserData from SSM. This allows for dynamic EC2 initialization without needing changes to the CloudFormation template.

Turbot Guardrails Enterprise (TE) v5.51.7 - Version bump to align with deployment requirements

Fri, 20 Jun 2025 09:00:00 GMT

Version bump to align with deployment requirements. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

turbot v5.53.0 - Bring your own AI to Guardrails

Fri, 20 Jun 2025 09:00:00 GMT

_What's new?_ - You can now configure your preferred provider to use AI capabilities in your workspace. __Policy Types__ - Turbot > AI - Turbot > AI > Configuration - Turbot > AI > Configuration > API Key [Default] - Turbot > AI > Configuration > Enabled [Default] - Turbot > AI > Configuration > Max Tokens [Default] - Turbot > AI > Configuration > Model [Default] - Turbot > AI > Configuration > Provider [Default] - Turbot > AI > Configuration > Temperature [Default] - Turbot > AI > Control - Turbot > AI > Control > Intelligent Assessment - Turbot > AI > Control > Intelligent Assessment > Enabled - Turbot > AI > Control > Intelligent Assessment > System Prompt - Turbot > AI > Control > Intelligent Fixes - Turbot > AI > Control > Intelligent Fixes > Enabled - Turbot > AI > Control > Intelligent Fixes > System Prompt - Turbot > AI > Policy Pack - Turbot > AI > Policy Pack > Summary - Turbot > AI > Policy Pack > Summary > Enabled - Turbot > AI > Policy Pack > Summary > System Prompt __Control Categories__ - Resource > Allowed - Resource > Intelligent Assessment _Requirements_ - TE: 5.35.4

azure-storage v5.23.0 - Configure shared key access for storage accounts

Thu, 19 Jun 2025 09:00:00 GMT

_What's new?_ - You can now configure shared key access for storage accounts. To get started, set the `Azure > Storage > Storage Account > Shared Key Access` policy. _Control Types_ - Azure > Storage > Storage Account > Shared Key Access _Policy Types_ - Azure > Storage > Storage Account > Shared Key Access _Action Types_ - Azure > Storage > Storage Account > Set Shared Key Access

aws-cisv3-0 v5.0.5 - Controls 3.08 and 3.09 will now evaluate the outcome correctly

Wed, 18 Jun 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket` control previously failed to evaluate correctly when there were more than one `FieldSelectors` present under `AdvancedEventSelectors`. This issue is now fixed. - The `AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucket` control has been enhanced to evaluate both `EventSelectors` and `AdvancedEventSelectors` when determining whether object-level logging is enabled. Previously, the control evaluated only `EventSelectors`, which could result in false alarms when logging was configured using `AdvancedEventSelectors`.

aws-cisv2-0 v5.0.4 - Controls 3.10 and 3.11 will now evaluate the outcome correctly

Wed, 18 Jun 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket` control previously failed to evaluate correctly when there were more than one `FieldSelectors` present under `AdvancedEventSelectors`. This issue is now fixed. - The `AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket` control has been enhanced to evaluate both `EventSelectors` and `AdvancedEventSelectors` when determining whether object-level logging is enabled. Previously, the control evaluated only `EventSelectors`, which could result in false alarms when logging was configured using `AdvancedEventSelectors`.

aws-cisv1-4 v5.0.9 - Controls 3.10 and 3.11 will now evaluate the outcome correctly

Wed, 18 Jun 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > CIS v1.4 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated)` control previously failed to evaluate correctly when there were more than one `FieldSelectors` present under `AdvancedEventSelectors`. This issue is now fixed. - The `AWS > CIS v1.4 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket (Automated)` control has been enhanced to evaluate both `EventSelectors` and `AdvancedEventSelectors` when determining whether object-level logging is enabled. Previously, the control evaluated only `EventSelectors`, which could result in false alarms when logging was configured using `AdvancedEventSelectors`.

Turbot Guardrails Enterprise (TE) v5.51.6 - Version bump to align with deployment requirements

Mon, 16 Jun 2025 09:00:00 GMT

Version bump to align with deployment requirements. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-kms v5.19.1 - Policy Statements > Approved control will now be skipped for AWS-managed keys

Fri, 13 Jun 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > KMS > Key > Policy Statements > Approved` control will now be skipped for AWS-managed KMS keys.

aws-cisv3-0 v5.0.4 - `3.08 Ensure that Object-level logging for write events is enabled for S3 bucket` control will now evaluate the outcome correctly

Fri, 13 Jun 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket` control has been enhanced to evaluate both `EventSelectors` and `AdvancedEventSelectors` when determining whether object-level logging is enabled. Previously, the control evaluated only `EventSelectors`, which could result in false alarms when logging was configured using `AdvancedEventSelectors`.

Turbot Guardrails Enterprise (TE) v5.51.5 - Fixed access issue in policy pack management.

Thu, 12 Jun 2025 09:00:00 GMT

_Bug fixes_ - Server - Fixed access issue in policy pack management. - UI - Fixed an issue where importing a GCP Organization via the UI did not automatically create the required `Private Key` setting. _Security Updates_ Fixed access issue in policy pack management In version 5.51.3, a security issue was introduced that mistakenly allowed users with any `Turbot/*` permissions — at the `Turbot` level, when using the API — to: - Create or update policy associations within a policy pack - Delete a policy pack if it was not attached to any resource This has now been fixed, and the correct permission model has been restored — only users with `Turbot/Admin` permissions can perform these operations. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-cloudtrail v5.12.1 - CMDB data now accurately refreshes the state of `EventSelectors` and `AdvancedEventSelectors` trail configurations

Thu, 12 Jun 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > CloudTrail > Trail > CMDB` control has been updated to correctly refresh the `EventSelectors` and `AdvancedEventSelectors` details when these settings are removed in AWS. This update ensures that the CMDB data accurately reflects the current state of the trail configuration.

aws-cisv2-0 v5.0.3 - `3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket` control will now evaluate the outcome correctly

Thu, 12 Jun 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket` control has been enhanced to evaluate both `EventSelectors` and `AdvancedEventSelectors` when determining whether object-level logging is enabled. Previously, the control evaluated only `EventSelectors`, which could result in false alarms when logging was configured using `AdvancedEventSelectors`.

aws-cisv1-4 v5.0.8 - `3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated)` control will now evaluate the outcome correctly

Thu, 12 Jun 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > CIS v1.4 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated)` control has been enhanced to evaluate both `EventSelectors` and `AdvancedEventSelectors` when determining whether object-level logging is enabled. Previously, the control evaluated only `EventSelectors`, which could result in false alarms when logging was configured using `AdvancedEventSelectors`.

aws-ec2 v5.45.2 - Real-time event handling for load balancer listener has been enhanced to accurately populate `createTimestamp` and `createdBy` details in the metadata

Tue, 10 Jun 2025 09:00:00 GMT

_Bug fixes_ - Load Balancer listeners upserted in Guardrails along with their parent Load Balancers occasionally lacked `createTimestamp` and `createdBy` metadata. This omission caused the `AWS > EC2 > Load Balancer Listener > Approved` control to evaluate incorrectly. We have enhanced our real-time event handling to ensure metadata is accurately populated in such scenarios.

Turbot Guardrails Enterprise (TE) v5.51.4 - Added support for custom webhook URLs in notifications

Thu, 05 Jun 2025 09:00:00 GMT

_What's new?_ - Server - Added support for custom webhook URLs in notifications, allowing integration with any third-party systems beyond Slack and Microsoft Teams. - ECS tasks now include no-new-privileges for enhanced security posture. _Bug fixes_ - Server - Email notifications now list recipients in the To field instead of BCC for improved clarity. - Resolved an issue where resource-level policy settings could fail when a large number of policy packs were attached. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

turbot v5.52.0 - Added support for generic webhooks in notifications

Thu, 05 Jun 2025 09:00:00 GMT

_What's new?_ - Policy Types: - Turbot > Notifications > Webhook - Turbot > Notifications > Webhook > Authorization Header - Turbot > Notifications > Webhook > Action Template - Turbot > Notifications > Webhook > Action Template > Body - Turbot > Notifications > Webhook > Control Template - Turbot > Notifications > Webhook > Control Template > Body _Requirements_ - TE: 5.35.4

aws-s3table v5.0.0 is now available

Thu, 05 Jun 2025 09:00:00 GMT

_Resource Types_ - AWS > S3 Table - AWS > S3 Table > Namespace - AWS > S3 Table > Table - AWS > S3 Table > Table Bucket _Control Types_ - AWS > S3 Table > Namespace > Active - AWS > S3 Table > Namespace > CMDB - AWS > S3 Table > Namespace > Discovery - AWS > S3 Table > Table > Active - AWS > S3 Table > Table > CMDB - AWS > S3 Table > Table > Discovery - AWS > S3 Table > Table Bucket > Active - AWS > S3 Table > Table Bucket > CMDB - AWS > S3 Table > Table Bucket > Discovery - AWS > S3 Table > Table Bucket > Policy - AWS > S3 Table > Table Bucket > Policy > Trusted Access _Policy Types_ - AWS > S3 Table > API Enabled - AWS > S3 Table > Approved Regions [Default] - AWS > S3 Table > Enabled - AWS > S3 Table > Namespace > Active - AWS > S3 Table > Namespace > Active > Age - AWS > S3 Table > Namespace > Active > Last Modified - AWS > S3 Table > Namespace > CMDB - AWS > S3 Table > Namespace > Regions - AWS > S3 Table > Permissions - AWS > S3 Table > Permissions > Levels - AWS > S3 Table > Permissions > Levels > Modifiers - AWS > S3 Table > Permissions > Lockdown - AWS > S3 Table > Permissions > Lockdown > API Boundary - AWS > S3 Table > Regions - AWS > S3 Table > Table > Active - AWS > S3 Table > Table > Active > Age - AWS > S3 Table > Table > Active > Last Modified - AWS > S3 Table > Table > CMDB - AWS > S3 Table > Table > Regions - AWS > S3 Table > Table Bucket > Active - AWS > S3 Table > Table Bucket > Active > Age - AWS > S3 Table > Table Bucket > Active > Last Modified - AWS > S3 Table > Table Bucket > CMDB - AWS > S3 Table > Table Bucket > Policy - AWS > S3 Table > Table Bucket > Policy > Trusted Access - AWS > S3 Table > Table Bucket > Policy > Trusted Access > Accounts - AWS > S3 Table > Table Bucket > Regions - AWS > S3 Table > Trusted Accounts [Default] - AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-s3table - AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-s3table - AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-s3table _Action Types_ - AWS > S3 Table > Namespace > Delete - AWS > S3 Table > Table > Delete - AWS > S3 Table > Table Bucket > Delete - AWS > S3 Table > Table Bucket > Set Policy Trusted Access

Turbot Guardrails Enterprise Database (TED) v1.49.0 - Added PostgreSQL 17

Wed, 04 Jun 2025 09:00:00 GMT

_What's new?_ - Added support for PostgreSQL 17, including the new hive parameter group.

aws-sns v5.17.1 - Cross-account subscriptions will no longer be upserted into Guardrails CMDB to prevent the CMDB control from entering an error state

Wed, 04 Jun 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > SNS > Subscription > CMDB` control previously entered an error state for cross-account subscriptions upserted in Guardrails CMDB. These subscriptions will no longer be upserted into CMDB, preventing the control from entering an error state. - The `AWS > SNS > Subscription > CMDB` control did not automatically re-run when a subscription was in the `PendingConfirmation` state. This issue has now been resolved.

aws-vpc-security v5.13.0 - Configure CMDB policy for flow logs at VPC, subnet, or network interface level

Mon, 02 Jun 2025 09:00:00 GMT

_What's new?_ - The `AWS > VPC > Flow Log > CMDB` policy now also targets the `AWS > VPC > VPC`, `AWS > VPC > Subnet`, and `AWS > EC2 > Network Interface` resource types, enabling more granular policy setting options.

servicenow-azure-sql v5.2.0 - Lambda runtimes now powered by Node 22

Tue, 27 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-networkwatcher v5.1.0 - Lambda runtimes now powered by Node 22

Tue, 27 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-network v5.5.0 - Lambda runtimes now powered by Node 22

Tue, 27 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-monitor v5.1.0 - Lambda runtimes now powered by Node 22

Tue, 27 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-keyvault v5.1.0 - Lambda runtimes now powered by Node 22

Tue, 27 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-datafactory v5.1.0 - Lambda runtimes now powered by Node 22

Tue, 27 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-cosmosdb v5.1.0 - Lambda runtimes now powered by Node 22

Tue, 27 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-compute v5.3.0 - Lambda runtimes now powered by Node 22

Tue, 27 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-appservice v5.1.0 - Lambda runtimes now powered by Node 22

Tue, 27 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

azure-compute v5.21.1 - Discovery control for disks will no longer be triggered unnecessarily by the virtual machine CMDB control

Tue, 27 May 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Compute > Virtual Machine > CMDB` control previously triggered the `Azure > Compute > Disk > Discovery` control on the VM's resource group, resulting in unnecessary control re-runs within the workspace. We've now improved the VM's CMDB control to prevent such unnecessary re-runs.

servicenow-kubernetes v5.6.0 - Lambda runtimes now powered by Node 22

Mon, 26 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

servicenow-azure-synapseanalytics v5.1.0 - Lambda runtimes now powered by Node 22

Mon, 26 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-storage v5.5.0 - Lambda runtimes now powered by Node 22

Mon, 26 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-servicebus v5.1.0 - Lambda runtimes now powered by Node 22

Mon, 26 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-recoveryservice v5.1.0 - Lambda runtimes now powered by Node 22

Mon, 26 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-postgresql v5.2.0 - Lambda runtimes now powered by Node 22

Mon, 26 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-mysql v5.2.0 - Lambda runtimes now powered by Node 22

Mon, 26 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-loganalytics v5.1.0 - Lambda runtimes now powered by Node 22

Mon, 26 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-iam v5.1.0 - Lambda runtimes now powered by Node 22

Mon, 26 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-activedirectory v5.1.0 - Lambda runtimes now powered by Node 22

Mon, 26 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure v5.7.0 - Lambda runtimes now powered by Node 22

Fri, 23 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-searchmanagement v5.1.0 - Lambda runtimes now powered by Node 22

Fri, 23 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-loadbalancer v5.1.0 - Lambda runtimes now powered by Node 22

Fri, 23 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

Turbot Guardrails Enterprise (TE) v5.51.3 - Resolved a crash in policy setting expiration control

Thu, 22 May 2025 09:00:00 GMT

_Bug fixes_ - Server - Resolved a crash in policy setting expiration control. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

osquery v5.1.0 - Lambda runtimes now powered by Node 22

Thu, 22 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Turbot Guardrails Enterprise (TE) v5.51.2 - Resolved an issue that was preventing users from creating new workspace

Wed, 21 May 2025 09:00:00 GMT

_Bug fixes_ - Server - Resolved an issue that was preventing users from creating new workspace. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

servicenow-azure-securitycenter v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 21 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-relay v5.1.0 - Lambda runtimes now powered by Node 22

Tue, 20 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-dns v5.1.0 - Lambda runtimes now powered by Node 22

Tue, 20 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

Turbot Guardrails Enterprise (TE) v5.51.1 - Fixed a permission issue affecting visibility of policy packs

Mon, 19 May 2025 09:00:00 GMT

_Bug fixes_ - Server - Fixed a permission issue affecting visibility of policy packs. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

servicenow-azure-sqlvirtualmachine v5.1.0 - Lambda runtimes now powered by Node 22

Mon, 19 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-signalr v5.1.0 - Lambda runtimes now powered by Node 22

Mon, 19 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-applicationgateway v5.1.0 - Lambda runtimes now powered by Node 22

Mon, 19 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-apimanagement v5.1.0 - Lambda runtimes now powered by Node 22

Mon, 19 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-aks v5.2.0 - Lambda runtimes now powered by Node 22

Mon, 19 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

aws-iam v5.43.0 - Configure active control for virtual MFA devices based on their age

Mon, 19 May 2025 09:00:00 GMT

_What's new?_ - You can now configure the `AWS > IAM > MFA Virtual > Active` control for virtual MFA devices based on their age. To get started, set the `AWS > IAM > MFA Virtual > Active > Age` policy. As part of this enhancement, a new value of `45 days` has been applied to all relevant Active policies. _Policy Types_ - AWS > IAM > MFA Virtual > Active > Age _Action Types_ - AWS > IAM > MFA Virtual > Delete

servicenow-azure-frontdoorservice v5.1.0 - Lambda runtimes now powered by Node 22

Fri, 16 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-firewall v5.1.0 - Lambda runtimes now powered by Node 22

Fri, 16 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-databricks v5.1.0 - Lambda runtimes now powered by Node 22

Fri, 16 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-automation v5.1.0 - Lambda runtimes now powered by Node 22

Fri, 16 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-azure-applicationinsights v5.1.0 - Lambda runtimes now powered by Node 22

Fri, 16 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

Turbot Guardrails Enterprise (TE) v5.51.0 - Users can now see all policy packs defined within the resource hierarchy where they have access

Thu, 15 May 2025 09:00:00 GMT

_What's new?_ - Server - Introduced support for initializing a new encryption key baseline for workspaces. - Users can now see all policy packs defined within the resource hierarchy where they have access, providing clearer insight into inherited policies. - UI - The page title now dynamically includes the workspace name, helping users distinguish tabs when working across multiple environments. _Bug fixes_ - Server - Refined the backup flow for tenant master keys, improving error handling, increasing stability. _Note_ This is a checkpoint version. Guardrails must be updated to **v5.51.x** first before continuing. It can be any version in **v5.51.x** series. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

servicenow-gcp-network v5.3.0 - Lambda runtimes now powered by Node 22

Thu, 15 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-dataplex v5.1.0 - Lambda runtimes now powered by Node 22

Thu, 15 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-computeengine v5.5.0 - Lambda runtimes now powered by Node 22

Thu, 15 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-vertexai v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

servicenow-gcp v5.8.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-storage v5.6.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

servicenow-gcp-sql v5.2.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-spanner v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-secretmanager v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-scheduler v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-run v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-pubsub v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-monitoring v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-memorystore v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-logging v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-kubernetesengine v5.2.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-kms v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-iam v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-functions v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-firebase v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-dns v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-dataproc v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-datapipeline v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-dataflow v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-composer v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-bigtable v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-bigquery v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

servicenow-gcp-appengine v5.1.0 - Lambda runtimes now powered by Node 22

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped. - Improved the GraphQL input query for the `Configuration Item > Record` policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

azure v5.30.1 - Improved real-time event processing logic to prevent unnecessary reruns

Wed, 14 May 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Subscription > Event Poller` control previously processed some real-time events multiple times, resulting in unnecessary Lambda churn. The event processing logic has been improved to ensure each event is handled only once, enhancing overall efficiency. - The `Azure > Subscription > CMDB` control previously ran unnecessarily when Guardrails received real-time `Microsoft.Resources/tags/write` events for resources other than subscriptions or resource groups. These events will no longer be processed, preventing unnecessary CMDB control runs.

aws-apigateway v5.11.0 - Track and manage API Gateway account resources in Guardrails

Wed, 14 May 2025 09:00:00 GMT

_What's new?_ - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them. _Resource Types_ - AWS > API Gateway > Account _Control Types_ - AWS > API Gateway > Account > CMDB - AWS > API Gateway > Account > Discovery _Policy Types_ - AWS > API Gateway > Account > CMDB - AWS > API Gateway > Account > Regions _Action Types_ - AWS > API Gateway > Account > Router

Terraform Provider v1.12.2 - Improved sensitive data masking in log outputs to include additional value types

Mon, 12 May 2025 09:00:00 GMT

_Bug fixes_ - Improved sensitive data masking in log outputs to include additional value types.

Turbot Guardrails Enterprise (TE) v5.50.7 - Improvements to discovery process flow

Fri, 09 May 2025 09:00:00 GMT

_Bug fixes_ - Server - Discovery controls now run more reliably, reducing interruptions caused by premature termination. - Addressed a race condition that could occasionally result in missed priority events during policy value processing. - UI - Resolved an issue where resource type values were hard-coded in a hook, improving flexibility and maintainability. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Terraform Provider v1.12.1 - Updates to the parent attribute in the `resource_turbot_file` resource are now processed correctly

Thu, 08 May 2025 09:00:00 GMT

_Bug fixes_ - Resolved an issue where parent updates in `resource_turbot_file` were silently ignored. These updates are now processed correctly to ensure changes are properly applied.

aws-waf v5.9.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Thu, 08 May 2025 09:00:00 GMT

_What's new?_ - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them. - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions. - Added support for Contactable interface in various resource types. - Web ACL resource type is now deprecated and will be removed in the next major version. Please refer [Migrate workloads from AWS WAF Classic](https://aws.amazon.com/blogs/security/migrating-rules-from-aws-waf-classic-to-new-aws-waf) for more information. _Bug fixes_ - The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the `AWS > Account > Partition` policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details. _Resource Types_ _Renamed_ - AWS > WAF > Web ACL to AWS > WAF > Web ACL [Deprecated] _Control Types_ _Renamed_ - AWS > WAF > Web ACL > Active to AWS > WAF > Web ACL [Deprecated] > Active - AWS > WAF > Web ACL > Approved to AWS > WAF > Web ACL [Deprecated] > Approved - AWS > WAF > Web ACL > CMDB to AWS > WAF > Web ACL [Deprecated] > CMDB - AWS > WAF > Web ACL > Discovery to AWS > WAF > Web ACL [Deprecated] > Discovery - AWS > WAF > Web ACL > Tags to AWS > WAF > Web ACL [Deprecated] > Tags - AWS > WAF > Web ACL > Usage to AWS > WAF > Web ACL [Deprecated] > Usage _Policy Types_ _Renamed_ - AWS > WAF > Web ACL > Active to AWS > WAF > Web ACL [Deprecated] > Active - AWS > WAF > Web ACL > Active > Age to AWS > WAF > Web ACL [Deprecated] > Active > Age - AWS > WAF > Web ACL > Active > Budget to AWS > WAF > Web ACL [Deprecated] > Active > Budget - AWS > WAF > Web ACL > Active > Last Modified to AWS > WAF > Web ACL [Deprecated] > Active > Last Modified - AWS > WAF > Web ACL > Approved to AWS > WAF > Web ACL [Deprecated] > Approved - AWS > WAF > Web ACL > Approved > Budget to AWS > WAF > Web ACL [Deprecated] > Approved > Budget - AWS > WAF > Web ACL > Approved > Custom to AWS > WAF > Web ACL [Deprecated] > Approved > Custom - AWS > WAF > Web ACL > Approved > Usage to AWS > WAF > Web ACL [Deprecated] > Approved > Usage - AWS > WAF > Web ACL > CMDB to AWS > WAF > Web ACL [Deprecated] > CMDB - AWS > WAF > Web ACL > Tags to AWS > WAF > Web ACL [Deprecated] > Tags - AWS > WAF > Web ACL > Tags > Template to AWS > WAF > Web ACL [Deprecated] > Tags > Template - AWS > WAF > Web ACL > Usage to AWS > WAF > Web ACL [Deprecated] > Usage - AWS > WAF > Web ACL > Usage > Limit to AWS > WAF > Web ACL [Deprecated] > Usage > Limit _Action Types_ _Renamed_ - AWS > WAF > Web ACL > Delete to AWS > WAF > Web ACL [Deprecated] > Delete - AWS > WAF > Web ACL > Delete from AWS to AWS > WAF > Web ACL [Deprecated] > Delete from AWS - AWS > WAF > Web ACL > Router to AWS > WAF > Web ACL [Deprecated] > Router - AWS > WAF > Web ACL > Set Tags to AWS > WAF > Web ACL [Deprecated] > Set Tags - AWS > WAF > Web ACL > Skip alarm for Active control to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Active control - AWS > WAF > Web ACL > Skip alarm for Active control [90 days] to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Active control [90 days] - AWS > WAF > Web ACL > Skip alarm for Approved control to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Approved control - AWS > WAF > Web ACL > Skip alarm for Approved control [90 days] to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Approved control [90 days] - AWS > WAF > Web ACL > Skip alarm for Tags control to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Tags control - AWS > WAF > Web ACL > Skip alarm for Tags control [90 days] to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Tags control [90 days] - AWS > WAF > Web ACL > Update Tags to AWS > WAF > Web ACL [Deprecated] > Update Tags

aws-secretsmanager v5.10.1 - Stack [Native] control will now correctly import and manage resources outside the `us-east-1` region

Thu, 08 May 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > Secrets Manager > Secret > Stack [Native]` control previously failed to import and manage resources outside the `us-east-1` region. This issue has now been resolved.

aws-datapipeline v5.4.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Thu, 08 May 2025 09:00:00 GMT

_What's new?_ - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them. - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions. - Added support for Contactable interface in various resource types. - Pipeline resource type is now deprecated and will be removed in the next major version. Please refer [Migrate workloads from AWS Data Pipeline](https://aws.amazon.com/blogs/big-data/migrate-workloads-from-aws-data-pipeline) for more information. _Bug fixes_ - The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the `AWS > Account > Partition` policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details. _Resource Types_ _Renamed_ - AWS > Data Pipeline > Pipeline to AWS > Data Pipeline > Pipeline [Deprecated] _Control Types_ _Renamed_ - AWS > Data Pipeline > Pipeline > Active to AWS > Data Pipeline > Pipeline [Deprecated] > Active - AWS > Data Pipeline > Pipeline > Approved to AWS > Data Pipeline > Pipeline [Deprecated] > Approved - AWS > Data Pipeline > Pipeline > CMDB to AWS > Data Pipeline > Pipeline [Deprecated] > CMDB - AWS > Data Pipeline > Pipeline > Discovery to AWS > Data Pipeline > Pipeline [Deprecated] > Discovery - AWS > Data Pipeline > Pipeline > Tags to AWS > Data Pipeline > Pipeline [Deprecated] > Tags _Policy Types_ _Renamed_ - AWS > Data Pipeline > Pipeline > Active to AWS > Data Pipeline > Pipeline [Deprecated] > Active - AWS > Data Pipeline > Pipeline > Active > Age to AWS > Data Pipeline > Pipeline [Deprecated] > Active > Age - AWS > Data Pipeline > Pipeline > Active > Last Modified to AWS > Data Pipeline > Pipeline [Deprecated] > Active > Last Modified - AWS > Data Pipeline > Pipeline > Approved to AWS > Data Pipeline > Pipeline [Deprecated] > Approved - AWS > Data Pipeline > Pipeline > Approved > Custom to AWS > Data Pipeline > Pipeline [Deprecated] > Approved > Custom - AWS > Data Pipeline > Pipeline > Approved > Regions to AWS > Data Pipeline > Pipeline [Deprecated] > Approved > Regions - AWS > Data Pipeline > Pipeline > Approved > Usage to AWS > Data Pipeline > Pipeline [Deprecated] > Approved > Usage - AWS > Data Pipeline > Pipeline > CMDB to AWS > Data Pipeline > Pipeline [Deprecated] > CMDB - AWS > Data Pipeline > Pipeline > Regions to AWS > Data Pipeline > Pipeline [Deprecated] > Regions - AWS > Data Pipeline > Pipeline > Tags to AWS > Data Pipeline > Pipeline [Deprecated] > Tags - AWS > Data Pipeline > Pipeline > Tags > Template to AWS > Data Pipeline > Pipeline [Deprecated] > Tags > Template _Action Types_ _Renamed_ - AWS > Data Pipeline > Pipeline > Delete to AWS > Data Pipeline > Pipeline [Deprecated] > Delete - AWS > Data Pipeline > Pipeline > Delete from AWS to AWS > Data Pipeline > Pipeline [Deprecated] > Delete from AWS - AWS > Data Pipeline > Pipeline > Router to AWS > Data Pipeline > Pipeline [Deprecated] > Router - AWS > Data Pipeline > Pipeline > Set Tags to AWS > Data Pipeline > Pipeline [Deprecated] > Set Tags - AWS > Data Pipeline > Pipeline > Skip alarm for Active control to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Active control - AWS > Data Pipeline > Pipeline > Skip alarm for Active control [90 days] to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Active control [90 days] - AWS > Data Pipeline > Pipeline > Skip alarm for Approved control to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Approved control - AWS > Data Pipeline > Pipeline > Skip alarm for Approved control [90 days] to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Approved control [90 days] - AWS > Data Pipeline > Pipeline > Skip alarm for Tags control to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Tags control - AWS > Data Pipeline > Pipeline > Skip alarm for Tags control [90 days] to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Tags control [90 days] - AWS > Data Pipeline > Pipeline > Update Tags to AWS > Data Pipeline > Pipeline [Deprecated] > Update Tags

azure v5.30.0 - Create and manage cloud resources via Stack [Native] controls

Wed, 07 May 2025 09:00:00 GMT

_What's new?_ - Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the `Stack [Native] > *` policies. _Control Types_ - Azure > Resource Group > Stack [Native] _Policy Types_ - Azure > Resource Group > Stack [Native] - Azure > Resource Group > Stack [Native] > Drift Detection - Azure > Resource Group > Stack [Native] > Drift Detection > Interval - Azure > Resource Group > Stack [Native] > Modifier - Azure > Resource Group > Stack [Native] > Secret Variables - Azure > Resource Group > Stack [Native] > Source - Azure > Resource Group > Stack [Native] > Timeout - Azure > Resource Group > Stack [Native] > Variables - Azure > Resource Group > Stack [Native] > Version

aws-wellarchitected v5.8.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Wed, 07 May 2025 09:00:00 GMT

aws-wellarchitected-framework v5.1.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Wed, 07 May 2025 09:00:00 GMT

_What's new?_ - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

aws v5.37.2 - EventBridge rules created via Event Handlers now exclude events containing errors

Wed, 07 May 2025 09:00:00 GMT

_Bug fixes_ - EventBridge rules configured via Event Handlers have been improved to exclude real-time events containing errors from being sent to the Guardrails endpoint. This prevents Guardrails from processing unnecessary error events. - The default value for the `AWS > Region > Connection Region` policy did not evaluate correctly for AWS GovCloud accounts. This issue has been resolved.

aws-secretsmanager v5.10.0 - Create and manage cloud resources via Stack [Native] controls

Wed, 07 May 2025 09:00:00 GMT

Guardrails MCP v0.1.2 - Initial release

aws-eks v5.8.0 - Manage endpoint access for clusters

Mon, 05 May 2025 09:00:00 GMT

_What's new?_ - Users can now manage endpoint access for clusters. To get started, set the `AWS > EKS > Cluster > Endpoint Access > *` policies. - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them. - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions. - Added support for Contactable interface in various resource types. _Control Types_ - AWS > EKS > Cluster > Endpoint Access _Policy Types_ - AWS > EKS > Cluster > Endpoint Access - AWS > EKS > Cluster > Endpoint Access > CIDR Ranges _Action Types_ - AWS > EKS > Cluster > Set Endpoint Access _Bug fixes_ - The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the `AWS > Account > Partition` policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

aws-efs v5.10.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Mon, 05 May 2025 09:00:00 GMT

aws-ecr v5.14.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Mon, 05 May 2025 09:00:00 GMT

aws-dms v5.7.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Mon, 05 May 2025 09:00:00 GMT

aws-rds v5.31.2 - Identifiers for DB Instances will now be modified more reliably

Fri, 02 May 2025 09:00:00 GMT

_Bug fixes_ - Previously, modifying instance identifiers to use different casing while retaining the same name caused Guardrails to incorrectly update the `DBInstanceIdentifier` and the AKA for the resource. Guardrails will now be smarter to avoid updating these details in CMDB data in such scenarios.

aws-ec2 v5.45.1 - Fixed pagination in AMI discovery control to fetch all AMIs correctly

Fri, 02 May 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > EC2 > AMI > Discovery` control previously failed to fetch all resources, due to the lack of pagination support. This issue has been fixed, and the control will now correctly fetch all available AMIs.

kubernetes v5.2.1 - Removed unnecessary attributes from default value of `Configuration > Columns` policy for pods to prevent unnecessary triggering of CMDB control

Wed, 30 Apr 2025 09:00:00 GMT

_Bug fixes_ - Removed unnecessary attributes from the default value of the `Kubernetes > Pod > osquery > Configuration > Columns` policy, which previously caused churn by unnecessarily triggering the `Kubernetes > Pod > CMDB` control.

Turbot Guardrails Enterprise (TE) v5.50.6 - Removed stray debug logs

Mon, 28 Apr 2025 09:00:00 GMT

_Bug fixes_ - Server - Removed stray debug logs. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.50.5 - Improved error handling for Runnable Monitor and Event Monitor to catch uncaught exceptions

Mon, 28 Apr 2025 09:00:00 GMT

_Bug fixes_ - Server - Improved error handling for Runnable Monitor and Event Monitor to catch uncaught exceptions. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

turbot v5.51.2 - Adjusted the sequence of operations for Turbot > Workspace > Background Tasks to ensure a more reliable and consistent execution flow

Mon, 28 Apr 2025 09:00:00 GMT

gcp-bigtable v5.9.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Tue, 22 Apr 2025 09:00:00 GMT

aws-vpc-connect v5.10.1 - CMDB control for transit gateway attachments will no longer enter an error state when `ResourceOwnerId` for resources is not available in the CMDB data

Tue, 22 Apr 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > VPC > Transit Gateway Attachment > CMDB` control would sometimes go into an error state when `ResourceOwnerId` for the resource was not available in the CMDB data. This is fixed and the control will now work correctly, as expected.

aws-iam v5.41.1 - Removed conflicting default value for `force_detach_policies` for IAM roles managed via Guardrails stack controls

Mon, 21 Apr 2025 09:00:00 GMT

_Bug fixes_ - Guardrails stack controls that created or claimed IAM roles would sometimes run unnecessarily due to a mismatch in the default value for `force_detach_policies` in the Terraform mapping for the resource type. We have now removed the conflicting default to prevent such unnecessary executions. You now need to explicitly define `force_detach_policies` to override the existing Terraform default value (if required by your use case).

aws-logs v5.14.0 - Configure retention period for log groups

Thu, 17 Apr 2025 09:00:00 GMT

_What's new?_ - You can now configure retention period for log groups. To get started, set the `AWS > Logs > Log Group > Retention > *` policies. _Control Types_ - AWS > Logs > Log Group > Retention _Policy Types_ - AWS > Logs > Log Group > Retention - AWS > Logs > Log Group > Retention > Period _Action Types_ - AWS > Logs > Log Group > Update Retention

Turbot Guardrails Enterprise (TE) v5.50.3 - Multiple query support in calculated policy

Wed, 16 Apr 2025 09:00:00 GMT

_What's new?_ - UI - Added support for multiple input queries (with ability to use Nunjucks template functionality) in the calculated policy editor allowing teams to create complex calculated policies involving a pipeline of GraphQL queries. _Bug fixes_ - Server - Turbot/ReadOnly permission is now sufficient to create, delete, and update favorites. - Resolved an issue that was blocking users from running quick actions due to incorrect permission checks. - Tightened permissions for smart folder attachments and detachments to prevent unauthorized access. - Account/ReadOnly users can now successfully manage favorites, including creation, deletion, and updates. - UI - Policy settings can now be created by users with Account/Admin permission, as intended, instead of incorrectly requiring Account/Owner. - Quick action runs no longer fail for users with a single grant due to a UI permission check issue. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

gcp-sql v5.11.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Tue, 15 Apr 2025 09:00:00 GMT

gcp-network v5.15.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Tue, 15 Apr 2025 09:00:00 GMT

gcp-firebase v5.2.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Tue, 15 Apr 2025 09:00:00 GMT

aws-cloudfront v5.6.0 - Create and manage cloud resources via Stack [Native] controls

Tue, 15 Apr 2025 09:00:00 GMT

_What's new?_ - Users can now create and manage cloud resources using Terraform 1.x via Guardrails, fully leveraging all features available in this version. To get started, set the `Stack [Native] > *` policies. _Control Types_ - AWS > CloudFront > Distribution > Stack [Native] _Policy Types_ - AWS > CloudFront > Distribution > Stack [Native] - AWS > CloudFront > Distribution > Stack [Native] > Drift Detection - AWS > CloudFront > Distribution > Stack [Native] > Drift Detection > Interval - AWS > CloudFront > Distribution > Stack [Native] > Modifier - AWS > CloudFront > Distribution > Stack [Native] > Secret Variables - AWS > CloudFront > Distribution > Stack [Native] > Source - AWS > CloudFront > Distribution > Stack [Native] > Timeout - AWS > CloudFront > Distribution > Stack [Native] > Variables - AWS > CloudFront > Distribution > Stack [Native] > Version

gcp-iam v5.17.1 - Configured control for Logging sinks created via Event Handlers now work as expected

Mon, 14 Apr 2025 09:00:00 GMT

Fri, 11 Apr 2025 09:00:00 GMT

_What's new?_ - Policy Types: - Turbot > Quick Actions > Permission Levels to allow `account`, `azure` and `gcp` as a permission type. - Added `class: ACCOUNT` to Turbot > Notifications > CC > Tag and Turbot > Notifications > CC > Tag > Name. _Bug fixes_ - Control Types: - The `Turbot > Workspace > Usage` control will be skipped in GovCloud deployments. _Requirements_ - TE: 5.35.4

gcp-vertexai v5.1.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Fri, 11 Apr 2025 09:00:00 GMT

gcp v5.31.1 - Project labels control now correctly applies labels according to template policy

Fri, 11 Apr 2025 09:00:00 GMT

Fri, 11 Apr 2025 09:00:00 GMT

_Bug fixes_ - Internal definitions for the `AWS > Organization` resource type have been updated. All functionality will continue to work smoothly as before.

aws-s3 v5.31.1 - Updated internal definitions for Quick Actions on `Public Access Block` control for buckets

Fri, 11 Apr 2025 09:00:00 GMT

_Bug fixes_ - We've updated internal definitions for Quick Actions on the `AWS > S3 > Bucket > Public Access Block` control type. All functionality will continue to work smoothly as before.

aws-ec2 v5.45.0 - Guardrails can now discover and manage target groups for gateway load balancers across all supported regions

Fri, 11 Apr 2025 09:00:00 GMT

_What's new?_ - The `AWS > EC2 > Target Group > Discovery` control sometimes failed to upsert target groups under gateway load balancers that were not present in the CMDB. This occurred because Guardrails was unable to discover those gateway load balancers due to an outdated list of supported regions. The list has been refreshed for the `AWS > EC2 > Gateway Load Balancer` resource type, enabling Guardrails to discover and manage these resources across all supported AWS regions.

Turbot Guardrails Enterprise (TE) v5.50.2 - Improved how policy values are selected for the priority queue, resulting in faster and more efficient processing

Thu, 10 Apr 2025 09:00:00 GMT

_Bug fixes_ - Server - Improved how policy values are selected for the priority queue, resulting in faster and more efficient processing. - UI - Pagination and title-based sorting are now supported in policy targets, making navigation smoother. - The Permissions modal is more stable and won’t crash if some data is missing. _Requirements_ - TEF: 1.66.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

servicenow-custom v5.0.1 - CMDB controls for custom tables and records now update data in the CMDB more consistently

Thu, 10 Apr 2025 09:00:00 GMT

_Bug fixes_ - CMDB controls for custom tables and records occasionally failed to update data in the CMDB correctly. This issue has been resolved.

gcp-iam v5.17.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Thu, 10 Apr 2025 09:00:00 GMT

gcp-computeengine v5.20.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Thu, 10 Apr 2025 09:00:00 GMT

Turbot Guardrails Enterprise (TE) v5.50.1 - Resolved an issue that was preventing users from logging in via SAML

Wed, 09 Apr 2025 09:00:00 GMT

Tue, 08 Apr 2025 09:00:00 GMT

_What's new?_ - Added support to process real-time events for ServiceNow custom tables and their records. - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

servicenow-custom v5.0.0 is now available

Tue, 08 Apr 2025 09:00:00 GMT

_What's new?_ _Resource Types_ - ServiceNow > Custom - ServiceNow > Custom > Record - ServiceNow > Custom > Table _Control Types_ - ServiceNow > Custom > Record > CMDB - ServiceNow > Custom > Record > Discovery - ServiceNow > Custom > Table > Business Rule - ServiceNow > Custom > Table > CMDB - ServiceNow > Custom > Table > Discovery _Policy Types_ - ServiceNow > Custom > Record > CMDB - ServiceNow > Custom > Record > CMDB > Query - ServiceNow > Custom > Record > CMDB > Title - ServiceNow > Custom > Table > Business Rule - ServiceNow > Custom > Table > Business Rule > Name - ServiceNow > Custom > Table > CMDB - ServiceNow > Custom > Table > CMDB > Tables _Action Types_ - ServiceNow > Custom > Record > Router

aws v5.37.0 - Configure default connection region to fetch details for global resources in CMDB

Tue, 08 Apr 2025 09:00:00 GMT

_What's new?_ - The `AWS > Region > Discovery > Connection Region` policy has been deprecated and will be removed in the next major version of the mod (v6.0.0). Two new policies, `AWS > Account > Connection Region [Default]` and `AWS > Region > Connection Region`, have been introduced. These policies streamline connection region management across all global resource types in various services. For the deprecated `AWS > Region > Discovery > Connection Region` policy, we recommend migrating existing settings to the `AWS > Region > Connection Region` policy if you intend to define a connection region for discovering Region resources. Alternatively, you may configure the `AWS > Account > Connection Region [Default]` policy, which serves as the default region for discovering all global resources across services in your account. _Policy Types_ - AWS > Account > Connection Region [Default] - AWS > Region > Connection Region _Renamed_ - AWS > Region > Discovery > Connection Region to AWS > Region > Discovery > Connection Region [Deprecated]

aws-s3 v5.31.0 - Configure connection region to fetch details for S3 accounts in CMDB

Tue, 08 Apr 2025 09:00:00 GMT

_What's new?_ - You can now configure a connection region to allow Guardrails to fetch details for S3 accounts in CMDB. To get started, set the `AWS > S3 > Connection Region` policy. This policy defaults to the value of the `AWS > Account > Connection Region [Default]` policy, which can be used to define a default connection region for all global resources in an account. _Policy Types_ - AWS > S3 > Connection Region

aws-iam v5.41.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Mon, 07 Apr 2025 09:00:00 GMT

aws-glue v5.12.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Mon, 07 Apr 2025 09:00:00 GMT

aws v5.36.1 - Real-time event for moving accounts in an organization is now processed correctly, ensuring individually imported management accounts are not deleted from the CMDB

Fri, 04 Apr 2025 09:00:00 GMT

Wed, 02 Apr 2025 09:00:00 GMT

_Bug fixes_ - Cleaned up unnecessary help messages from `AWS > VPC > Security Group Rule > CMDB` control.

gcp-iam v5.16.4 - CMDB control for Service Account will now wait for the IAM service's CMDB data to be correctly updated before attempting to fetch details for service accounts in newly imported projects

Tue, 01 Apr 2025 09:00:00 GMT

_Bug fixes_ - The `GCP > IAM > Service Account > CMDB` control would sometimes enter a skipped state for newly imported projects if certain required attributes were missing from the IAM service's CMDB data. The control will now go into a TBD state instead and rerun after five minutes to allow the IAM service's CMDB data to populate correctly for newly imported projects.

aws-vpc-security v5.12.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Tue, 01 Apr 2025 09:00:00 GMT

aws-vpc-internet v5.12.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Tue, 01 Apr 2025 09:00:00 GMT

aws-apigateway v5.10.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Tue, 01 Apr 2025 09:00:00 GMT

gcp-bigquery v5.7.2 - Table resources will no longer be upserted in CMDB via real-time events when CMDB policy is set to `Enforce: Disabled`

Mon, 31 Mar 2025 09:00:00 GMT

_Bug fixes_ - Guardrails would sometimes ignore the `GCP > BigQuery > Table > CMDB` policy set to `Enforce: Disabled` and still upsert table resources via real-time events in CMDB. These resources were subsequently cleaned up by the CMDB control. This issue has been resolved, and the CMDB policy will now be correctly respected before upserting resources.

aws-vpc-connect v5.10.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Mon, 31 Mar 2025 09:00:00 GMT

Wed, 26 Mar 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them. - Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions. - Added support for Contactable interface in various resource types. _Bug fixes_ - The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the `AWS > Account > Partition` policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details. - Added support for `af-south-1`, `ap-east-1`, `ap-southeast-3`, `ap-southeast-5`, `ap-southeast-7`, `ca-west-1`, `eu-central-2`, `eu-south-1`, `eu-south-2`, `il-central-1`, `me-central-1` and `me-south-1` regions in the `AWS > Lambda > Regions` policy. - Corrected the region in the `AWS > Lambda > Function Alias > Regions` policy by updating us-west-3 to the correct region, us-west-2.

aws-events v5.14.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Wed, 26 Mar 2025 09:00:00 GMT

aws-dynamodb v5.14.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Wed, 26 Mar 2025 09:00:00 GMT

aws-cloudwatch v5.10.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Wed, 26 Mar 2025 09:00:00 GMT

aws-cloudtrail v5.12.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Wed, 26 Mar 2025 09:00:00 GMT

_What's new?_ - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them. - Added support for Contactable interface in various resource types. _Bug fixes_ - The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the `AWS > Account > Partition` policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

azure-securitycenter v5.8.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Security Center resources in Guardrails

Tue, 25 Mar 2025 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use newer Azure SDK versions to discover and manage Security Center resources in Guardrails. This release includes breaking changes in the CMDB data for security center. We recommend updating your existing settings to refer to the updated attributes as mentioned below: Added: - `policy.enforcementMode` - `policy.nonComplianceMessages` - `policy.systemData` Removed: - `policy.sku` Renamed: - `settings[*].properties.enabled` to `settings[*].enabled`

aws-organizations v5.4.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Tue, 25 Mar 2025 09:00:00 GMT

aws-kms v5.19.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Tue, 25 Mar 2025 09:00:00 GMT

gcp-pubsub v5.9.2 - Real-time delete events for topics will no longer delete subscriptions under a different topic in the CMDB

Fri, 21 Mar 2025 09:00:00 GMT

_Bug fixes_ - Real-time delete events for topics would sometimes result in the deletion of subscriptions under a different topic in the CMDB. This issue has been fixed, and subscriptions are now cleaned up more reliably than before.

azure-mysql v5.16.0 - Single server resource type is now deprecated and will be removed in the next major version

Fri, 21 Mar 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > MySQL > Server > CMDB` policy will now be set to `Skip` by default because the resource type has been deprecated and will be removed in the next major version. Please check [Single Server retirement](https://techcommunity.microsoft.com/blog/adformysql/azure-database-for-mysql---single-server-retirement---key-updates-and-migration-/4055198) for more information. _Resource Types_ _Renamed_ - Azure > MySQL > Server to Azure > MySQL > Server [Deprecated] _Control Types_ _Renamed_ - Azure > MySQL > Server > Active to Azure > MySQL > Server [Deprecated] > Active - Azure > MySQL > Server > Approved to Azure > MySQL > Server [Deprecated] > Approved - Azure > MySQL > Server > CMDB to Azure > MySQL > Server [Deprecated] > CMDB - Azure > MySQL > Server > Discovery to Azure > MySQL > Server [Deprecated] > Discovery - Azure > MySQL > Server > Encryption in Transit to Azure > MySQL > Server [Deprecated] > Encryption in Transit - Azure > MySQL > Server > Tags to Azure > MySQL > Server [Deprecated] > Tags _Policy Types_ _Renamed_ - Azure > MySQL > Server > Active to Azure > MySQL > Server [Deprecated] > Active - Azure > MySQL > Server > Active > Age to Azure > MySQL > Server [Deprecated] > Active > Age - Azure > MySQL > Server > Active > Last Modified to Azure > MySQL > Server [Deprecated] > Active > Last Modified - Azure > MySQL > Server > Approved to Azure > MySQL > Server [Deprecated] > Approved - Azure > MySQL > Server > Approved > Custom to Azure > MySQL > Server [Deprecated] > Approved > Custom - Azure > MySQL > Server > Approved > Regions to Azure > MySQL > Server [Deprecated] > Approved > Regions - Azure > MySQL > Server > Approved > Usage to Azure > MySQL > Server [Deprecated] > Approved > Usage - Azure > MySQL > Server > CMDB to Azure > MySQL > Server [Deprecated] > CMDB - Azure > MySQL > Server > Encryption in Transit to Azure > MySQL > Server [Deprecated] > Encryption in Transit - Azure > MySQL > Server > Regions to Azure > MySQL > Server [Deprecated] > Regions - Azure > MySQL > Server > Tags to Azure > MySQL > Server [Deprecated] > Tags - Azure > MySQL > Server > Tags > Template to Azure > MySQL > Server [Deprecated] > Tags > Template _Action Types_ _Removed_ - Azure > MySQL > Server > Delete - Azure > MySQL > Server > Router - Azure > MySQL > Server > Set Tags - Azure > MySQL > Server > Update Encryption in Transit

azure-sql v5.18.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Thu, 20 Mar 2025 09:00:00 GMT

azure-provider v5.16.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Thu, 20 Mar 2025 09:00:00 GMT

_What's new?_ - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

azure-network v5.24.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Thu, 20 Mar 2025 09:00:00 GMT

azure-cosmosdb v5.10.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Thu, 20 Mar 2025 09:00:00 GMT

azure-activedirectory v5.8.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Thu, 20 Mar 2025 09:00:00 GMT

_What's new?_ - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

azure-recoveryservice v5.9.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Wed, 19 Mar 2025 09:00:00 GMT

azure-monitor v5.10.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Wed, 19 Mar 2025 09:00:00 GMT

azure v5.29.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Thu, 13 Mar 2025 09:00:00 GMT

azure-securitycenter v5.7.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Thu, 13 Mar 2025 09:00:00 GMT

azure-compute v5.21.0 - Expand relationship mappings in Policy Type, Control Type, and Action Type definitions

Wed, 12 Mar 2025 09:00:00 GMT

_What's new?_ - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them. - Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions. - Added support for Contactable interface in various resource types. _Bug fixes_ - The `Azure > Compute > Disk > Discovery` control occasionally encountered an error while upserting attached disks under VMs that were not available in Guardrails CMDB. Now, all disks will be upserted under their respective resource groups, ensuring the Discovery control functions more smoothly and reliably than before.

Turbot Guardrails Enterprise Database (TED) v1.47.0 - Database & cache configuration updates

Wed, 12 Mar 2025 09:00:00 GMT

_What's new?_ - Added a new SSM parameter to forward the DB logs to CloudWatch log group. - Added support for postgres version 16.5, 16.6, 16.7 and 16.8. - Updated defaults for database and cache instances - Database instance type: Default updated to db.m6g.large. - Allocated database storage: Default increased to 400 GB. - Storage throughput: Default set to 500 MB/s. - Database engine parameter group family: Now defaults to postgres16. - Database engine version: Updated to 16.4. - Cache node type: Default updated to cache.r6g.large. - Allocated IOPS: Default increased to 12,000. - DB parameter group: Now defaults to HiveParamGroup16. - Shared buffer: Default set to {DBInstanceClassMemory/20480} for optimized performance. - Maximum statement duration: Default updated to 600,000 ms (10 minutes) to improve query execution limits.

Turbot Guardrails Enterprise Foundation (TEF) v1.66.0 - Enhancements and new configuration parameters

Mon, 10 Mar 2025 09:00:00 GMT

_What's new?_ - Added parameter to manage ALB timeout, allowing better control over request handling. - Added parameter to customize API Gateway domain name. For backward compatibility, the default value remains `gateway`. - Added parameter to control message rate in the queue, enabling better queue message management. - S3 Lifecycle Rules now automatically enable ‘Expired Object Delete Markers’ for cleanup and remove incomplete multipart uploads after 7 days to prevent storage waste. - HOP limit increased to 2 for improved request forwarding. - Route53 Record for API Gateway now includes the GatewayPrefix to enhance routing accuracy.

azure v5.28.1 - Real-time delete events for subscriptions will now be processed correctly

Tue, 04 Mar 2025 09:00:00 GMT

_Bug fixes_ - Guardrails would fail to process real-time delete events for subscriptions. This is now fixed. - Fixed pagination for `Azure > Turbot > Event Poller` control. - Real-time `Microsoft.Resources` tagging events will now be processed only for subscriptions and resource groups, and will be ignored for other resource types. This will avoid unnecessary triggers for subscription & resource group router actions.

Turbot Guardrails Enterprise (TE) v5.49.0 - Added multi region KMS encryption for Tenant Master Key

Thu, 27 Feb 2025 09:00:00 GMT

_What's new?_ - Server - Added multi region KMS encryption for Tenant Master Key. - Guardrails now provides an override parameter at the TE level to configure API and Event container memory reservations, improving ECS task scaling and resource flexibility. _Multi Region KMS Key_ Starting from TEF v1.65.0 and TE v5.49.0, a new multi-region KMS key is created at the TEF level. When workspaces are upgraded to TE v5.49.0, Guardrails use this new key to re-encrypt the existing *Tenant Master Key* within the workspaces. The *Tenant Master Key* itself remains unchanged-only its encryption is updated. The previous version, encrypted with a regional KMS key, remains available. If a workspace is downgraded to TE v5.48.0, the multi-region encryption persists. Upon re-upgrading to TE v5.49.0, re-encryption does not occur again. This process works seamlessly unless TEF is downgraded to a version earlier than v1.65.0. _Requirements_ - TEF: 1.65.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

turbot v5.50.0 - Added contactable interface

Thu, 27 Feb 2025 09:00:00 GMT

_What's new?_ - Added contactable interface. - New policy type classes GUARDRAIL, SETTING, and ACCOUNT have been introduced to define the scope of policies. _Requirements_ - TE: 5.35.4

Turbot Guardrails Enterprise (TE) v5.48.10 - Update controls trend graph to use the latest counts

Tue, 25 Feb 2025 09:00:00 GMT

_What's new?_ - UI - Update controls trend graph to use the latest counts. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-servicebus v5.3.0 - Real-time update events for resources will now be processed more reliably

Tue, 25 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-recoveryservice v5.8.0 - Real-time update events for resources will now be processed more reliably

Tue, 25 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-frontdoorservice v5.9.0 - Real-time update events for resources will now be processed more reliably

Tue, 25 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-firewall v5.9.0 - Real-time update events for resources will now be processed more reliably

Tue, 25 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-datafactory v5.9.0 - Real-time update events for resources will now be processed more reliably

Tue, 25 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-containerregistry v5.3.0 - Real-time update events for resources will now be processed more reliably

Tue, 25 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-applicationgateway v5.9.0 - Real-time update events for resources will now be processed more reliably

Tue, 25 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-aks v5.9.0 - Real-time update events for resources will now be processed more reliably

Tue, 25 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-activedirectory v5.7.0 - Real-time update events for resources will now be processed more reliably

Tue, 25 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

servicenow v5.3.0 - Filter ServiceNow records using encoded query strings and discover them in Guardrails

Mon, 24 Feb 2025 09:00:00 GMT

_What's new?_ - You can now filter ServiceNow records using encoded query strings and discover them in Guardrails. To get started, set the `CMDB > Query` policy for various resource types. For more details, refer to the [ServiceNow documentation on encoded query strings](https://www.servicenow.com/docs/bundle/yokohama-platform-user-interface/page/use/using-lists/concept/c_EncodedQueryStrings.html). _Policy Types_ - ServiceNow > Application > CMDB > Query - ServiceNow > Cost Center > CMDB > Query - ServiceNow > User > CMDB > Query

azure-securitycenter v5.6.0 - Real-time update events for resources will now be processed more reliably

Mon, 24 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-relay v5.4.0 - Real-time update events for resources will now be processed more reliably

Mon, 24 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-databricks v5.6.0 - Real-time update events for resources will now be processed more reliably

Mon, 24 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-applicationinsights v5.10.0 - Real-time update events for resources will now be processed more reliably

Mon, 24 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

gcp v5.30.2 - Filter policies for real-time events will now evaluate correctly if CMDB policies for resource types are set to `Skip` or `Enforce: Disabled`

Fri, 21 Feb 2025 09:00:00 GMT

_Bug fixes_ - Filter policies for real-time events will now evaluate correctly if CMDB policies for resource types are set to `Skip` or `Enforce: Disabled`.

gcp-storage v5.11.5 - Real-time storage events filter will now filters out resource specific events if their CMDB policy is set to `Skip` or `Enforce: Disabled`

Fri, 21 Feb 2025 09:00:00 GMT

_Bug fixes_ - The `GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-storage` policy now respects CMDB policy settings for resource types and filters out real-time events when the policies are set to `Skip` or `Enforce: Disabled`. We recommend upgrading the `gcp` mod to v5.30.2 or higher in order to process real-time events correctly.

azure-provider v5.15.0 - Lambda runtimes now powered by Node 22

Fri, 21 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-loganalytics v5.11.0 - Real-time update events for resources will now be processed more reliably

Fri, 21 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-keyvault v5.16.0 - Real-time update events for resources will now be processed more reliably

Fri, 21 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-dns v5.10.0 - Real-time update events for resources will now be processed more reliably

Fri, 21 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-cosmosdb v5.9.0 - Real-time update events for resources will now be processed more reliably

Fri, 21 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-automation v5.2.0 - Real-time update events for resources will now be processed more reliably

Fri, 21 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-appservice v5.14.0 - Real-time update events for resources will now be processed more reliably

Fri, 21 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-apimanagement v5.5.0 - Real-time update events for resources will now be processed more reliably

Fri, 21 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure v5.28.0 - Real-time update events for resources will now be processed more reliably

Thu, 20 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-synapseanalytics v5.10.0 - Real-time update events for resources will now be processed more reliably

Thu, 20 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-sqlvirtualmachine v5.2.0 - Real-time update events for resources will now be processed more reliably

Thu, 20 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-sql v5.17.0 - Real-time update events for resources will now be processed more reliably

Thu, 20 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-signalr v5.4.0 - Real-time update events for resources will now be processed more reliably

Thu, 20 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-searchmanagement v5.10.0 - Real-time update events for resources will now be processed more reliably

Thu, 20 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-postgresql v5.18.0 - Real-time update events for resources will now be processed more reliably

Thu, 20 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-mysql v5.14.0 - Real-time update events for resources will now be processed more reliably

Thu, 20 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-monitor v5.9.0 - Real-time update events for resources will now be processed more reliably

Thu, 20 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-managedidentity v5.3.0 - Real-time update events for resources will now be processed more reliably

Thu, 20 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-loadbalancer v5.9.0 - Real-time update events for resources will now be processed more reliably

Thu, 20 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-iam v5.13.0 - Real-time update events for resources will now be processed more reliably

Thu, 20 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

Terraform Provider v1.12.0 - Added support for `turbot_control_mute` resource

Wed, 19 Feb 2025 09:00:00 GMT

_What's new?_ - Mute controls if you want to ignore them. The `turbot_control_mute` allows muting a control to help streamline operations without compromising security policies. _Bug fixes_ - Fixed typo in an error message while calling Guardrails APIs. _Documentation_ - Updated example for `turbot_policy_pack` resource. - Fixed spacing in `turbot_turbot_directory` documentation.

azure-storage v5.21.0 - Real-time update events for resources will now be processed more reliably

Wed, 19 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-networkwatcher v5.12.0 - Real-time update events for resources will now be processed more reliably

Tue, 18 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

Turbot Guardrails Enterprise (TE) v5.48.9 - Improvements and bug fixes

Tue, 18 Feb 2025 09:00:00 GMT

_What's new?_ - UI - Users can now select permissions (ReadOnly + Global Event Handlers or Full Remediation) to apply to the IAM role in the CFN template when importing an AWS Organization or Account. _Bug fixes_ - UI - Fixed an issue where the terminate process call sometimes received an empty input when terminating a queued process. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-network v5.23.0 - Real-time update events for resources will now be processed more reliably

Tue, 18 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - `Stack [Native]` controls now run faster when in `skipped` state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

azure-compute v5.20.0 - Real-time update events for resources will now be processed more reliably

Tue, 18 Feb 2025 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Bug fixes_ - Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably. - Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

Turbot Guardrails Enterprise (TE) v5.48.8 - Improvements and bug fixes

Mon, 17 Feb 2025 09:00:00 GMT

_What's new?_ - Server - Updated Workspace Manager Lambda to automatically populate the Turbot > Workspace > Guardrails Master Account policy for improved management. _Bug fixes_ - UI - Adjusted stats limit to 30 days, ensuring a full month of data visibility. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-vpc-connect v5.9.3 - Cross-Account Discovery control for Transit Gateway Attachments would no longer upsert resources in a `deleted` or `deleting` state

Mon, 17 Feb 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > VPC > Transit Gateway Attachment > Discovery [Cross-Account]` control would sometimes upsert transit gateway attachments in a `deleted` or `deleting` state. This issue is now fixed.

aws-vpc-connect v5.9.2 - Cross-account Transit Gateway Attachments will no longer be deleted from the CMDB

Mon, 17 Feb 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > VPC > Transit Gateway Attachment > CMDB` control previously, in some cases, inadvertently deleted cross-account transit gateway attachments from Guardrails CMDB. This issue has now been fixed.

aws-rds v5.30.0 - Configure a custom tag name to start/stop DB clusters via the Schedule control

Mon, 17 Feb 2025 09:00:00 GMT

_What's new?_ - You can now configure a custom tag name to start/stop DB clusters via the `AWS > RDS > DB Cluster > Schedule` control. To get started, set the `AWS > RDS > DB Cluster > Schedule Tag > Name` policy. _Policy Types_ - AWS > RDS > DB Cluster > Schedule Tag > Name

azure v5.27.0 - Guardrails would fail to process real-time tagging events for subscriptions

Fri, 14 Feb 2025 09:00:00 GMT

_What's new?_ _Action Types_ - Azure > Subscription > Router _Bug fixes_ - Guardrails would fail to process real-time tagging events for subscriptions. This is now fixed. - The default template input in `Azure > Subscription > Tags > Template` policy referred to an incorrect policy for its value. This is now fixed.

turbot v5.49.1 - Resolved a race condition in Turbot > Smart Retention to ensure smoother execution

Thu, 13 Feb 2025 09:00:00 GMT

_Bug fixes_ - Resolved a race condition in Turbot > Smart Retention to ensure smoother execution. _Requirements_ - TE: 5.35.4

aws v5.35.6 - Fixed the naming convention for EventBridge rule for organization level events

Thu, 13 Feb 2025 09:00:00 GMT

_Bug fixes_ - Fixed the naming convention for EventBridge rule for organization level events.

aws v5.35.5 - Real-time events for the aws-organizations mod will now be processed correctly

Wed, 12 Feb 2025 09:00:00 GMT

_Bug fixes_ - In version 5.35.0, we added support for importing an AWS organization into Guardrails but inadvertently introduced a bug that prevented real-time events for the aws-organizations mod from being processed correctly. This issue has now been fixed. _Policy Types_ _Renamed_ - AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-organizations to AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws

aws-organizations v5.3.0 - Guardrails failed to handle real-time creation and tagging events for organizational account resources

Wed, 12 Feb 2025 09:00:00 GMT

_Bug fixes_ - Guardrails failed to handle real-time creation and tagging events for organizational account resources. This is now fixed. _Policy Types_ - AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-organizations _Removed_ - AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-organizations

Turbot Guardrails Enterprise (TE) v5.48.7 - Rolled back dynamic queueing adjustments to restore previous behavior

Mon, 10 Feb 2025 09:00:00 GMT

_Bug fixes_ - Server - Rolled back dynamic queueing adjustments to restore previous behavior. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.48.6 - Version bump to align with deployment requirements

Mon, 10 Feb 2025 09:00:00 GMT

Version bump to align with deployment requirements. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.48.5 - Improvements and bug fixes

Mon, 10 Feb 2025 09:00:00 GMT

_Bug fixes_ - UI - Addressed an issue where resource card links on the Resources dashboard were not working as expected. - Server - Prevented the runnable monitor from entering an infinite loop. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.48.4 - UI enhancements and bug fixes for better usability

Fri, 07 Feb 2025 09:00:00 GMT

_What's new?_ - UI - Policy pack descriptions are now visible in the list view and detail page header for better clarity. _Bug fixes_ - UI - Run and Terminate buttons now appear properly on the process detail page, ensuring a smoother experience. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

gcp-storage v5.11.4 - Bucket Policy Trusted Access control failed to evaluate correctly when IAM policy binding details were not available in CMDB

Fri, 07 Feb 2025 09:00:00 GMT

_Bug fixes_ - The `GCP > Storage > Bucket > Policy > Trusted Access` control previously failed to evaluate results correctly and caused internal process timeouts when Guardrails was denied access to fetch IAM policy bindings for buckets. This issue has been resolved, ensuring that the control now evaluates results and terminates correctly as expected.

azure-compute v5.19.2 - Virtual Machine tags control sometimes failed to update tags on spot instances

Fri, 07 Feb 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > Compute > Virtual Machine > Tags` control would sometimes failed to update tags on spot instances. This is now fixed.

aws-s3 v5.29.2 - Bucket CMDB control would go into an error state if CMDB policy was set to ignore permission errors

Fri, 07 Feb 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > S3 > Bucket > Discovery` control incorrectly went into a skipped state when the `AWS > S3 > Bucket > CMDB` policy was set to `Enforce: Enabled but ignore permission errors`. This is fixed and control will now work as expected.

Turbot Guardrails Enterprise (TE) v5.48.3 - Optimize message queue dispatch based on DB CPU usage, connections, and queue load

Thu, 06 Feb 2025 09:00:00 GMT

_What's new?_ - UI - Added 'Resource Type' column to activity ledger CSV exports. - Improved usability of the Resource trend graph. _Bug fixes_ - Server - Recursive loops in Lambda are now handled seamlessly without termination. - Optimize message queue dispatch based on DB CPU usage, connections, and queue load. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

turbot v5.49.0 - Added policy for Guardrails master account

Thu, 06 Feb 2025 09:00:00 GMT

_What's new?_ - Policy Types: - Turbot > Workspace > Guardrails Master Account _Requirements_ - TE: 5.35.4

azure-sql v5.16.2 - Server CMDB control sometimes failed to fetch data for the associated firewall rules

Tue, 04 Feb 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > SQL > Server > CMDB` control sometimes failed to fetch data for the associated firewall rules. This issue has now been fixed.

azure-cisv2-0 v5.1.1 - Control for benchmark 4.01.02 sometimes failed to evaluate the outcome correctly

Tue, 04 Feb 2025 09:00:00 GMT

_Bug fixes_ - The `Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)` control sometimes failed to evaluate the control state correctly. This issue is now fixed.

aws-rds v5.29.0 - Configure a custom tag name to start/stop DB instances

Mon, 03 Feb 2025 09:00:00 GMT

_What's new?_ - You can now configure a custom tag name to start/stop DB instances via the `AWS > RDS > DB Instance > Schedule` control. To get started, set the `AWS > RDS > DB Instance > Schedule Tag > Name` policy. _Policy Types_ - AWS > RDS > DB Instance > Schedule Tag > Name

aws-cloudsearch v5.4.1 - CMDB policy will now default to Skip

Mon, 03 Feb 2025 09:00:00 GMT

_Bug fixes_ - The `AWS > CloudSearch > Domain > CMDB` policy will now be set to `Skip` by default because the resource type has been deprecated and will be removed in the next major version. Please check [end of support](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/what-is-cloudsearch.html) for more information.

gcp v5.30.1 - Stack [Native] controls will now run lighter and quicker than before

Fri, 31 Jan 2025 09:00:00 GMT

Mon, 13 Jan 2025 09:00:00 GMT

_Bug fixes_ - Server - Added support for drift detection in OpenTofu 1.x (open-source Terraform) integration via Guardrail. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.47.7 - Added container support for Stack [Native] controls

Fri, 10 Jan 2025 09:00:00 GMT

_Bug fixes_ - Server - Added support for OpenTofu v1.8.3 (open source Terraform) container to run Stack [Native] controls. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

gcp v5.28.0 - Create and manage cloud resources via Stack [Native] controls

Fri, 10 Jan 2025 09:00:00 GMT

azure v5.24.0 - Create and manage cloud resources via Stack [Native] controls

Fri, 10 Jan 2025 09:00:00 GMT

azure-network v5.21.0 - Create and manage cloud resources via Stack [Native] controls

Fri, 10 Jan 2025 09:00:00 GMT

_What's new?_ - Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the `Stack [Native] > *` policies. _Control Types_ - Azure > Network > Virtual Network > Stack [Native] _Policy Types_ - Azure > Network > Virtual Network > Stack [Native] - Azure > Network > Virtual Network > Stack [Native] > Modifier - Azure > Network > Virtual Network > Stack [Native] > Secret Variables - Azure > Network > Virtual Network > Stack [Native] > Source - Azure > Network > Virtual Network > Stack [Native] > Variables

aws-vpc-core v5.19.0 - Create and manage cloud resources via Stack [Native] controls

Fri, 10 Jan 2025 09:00:00 GMT

_What's new?_ - Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the `Stack [Native] > *` policies. _Control Types_ - AWS > VPC > Stack [Native] - AWS > VPC > VPC > Stack [Native] _Policy Types_ - AWS > VPC > Stack [Native] - AWS > VPC > Stack [Native] > Modifier - AWS > VPC > Stack [Native] > Secret Variables - AWS > VPC > Stack [Native] > Source - AWS > VPC > Stack [Native] > Variables - AWS > VPC > VPC > Stack [Native] - AWS > VPC > VPC > Stack [Native] > Modifier - AWS > VPC > VPC > Stack [Native] > Secret Variables - AWS > VPC > VPC > Stack [Native] > Source - AWS > VPC > VPC > Stack [Native] > Variables

aws v5.32.0 - Create and manage cloud resources via Stack [Native] controls

Fri, 10 Jan 2025 09:00:00 GMT

_What's new?_ - Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the `Stack [Native] > *` policies. _Control Types_ - AWS > Account > Stack [Native] - AWS > Region > Stack [Native] _Policy Types_ - AWS > Account > Stack [Native] - AWS > Account > Stack [Native] > Modifier - AWS > Account > Stack [Native] > Secret Variables - AWS > Account > Stack [Native] > Source - AWS > Account > Stack [Native] > Variables - AWS > Region > Stack [Native] - AWS > Region > Stack [Native] > Modifier - AWS > Region > Stack [Native] > Secret Variables - AWS > Region > Stack [Native] > Source - AWS > Region > Stack [Native] > Variables

aws-s3 v5.28.0 - Create and manage cloud resources via Stack [Native] controls

Fri, 10 Jan 2025 09:00:00 GMT

aws-iam v5.38.0 - Create and manage cloud resources via Stack [Native] controls

Fri, 10 Jan 2025 09:00:00 GMT

Turbot Guardrails Enterprise (TE) v5.54.6 - Enforced PostgreSQL 15+ and policy pack optimization

Thu, 09 Jan 2025 09:00:00 GMT

_What's new?_ - Server - Workspace creation and upgrade are now blocked if the RDS PostgreSQL version is lower than 15. _Bug fixes_ - Server - Prevent policy pack summary control from querying AI credentials when the summary policy is disabled. _Requirements_ - Upgrade to `5.54.6` requires your workspace to be on `5.53.x` - PostgreSQL (RDS engine): >= 15 - TEF: 1.66.0 - TED: 1.37.0 - Mods: - @turbot/turbot: 5.56.0 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-networkwatcher v5.11.1 - The real-time Event Handlers would fail to update details for Flow Logs attached to Virtual Networks

Fri, 20 Dec 2024 09:00:00 GMT

_Bug fixes_ - The real-time Event Handlers would fail to update details for Flow Logs attached to Virtual Networks. This is now fixed.

azure-network v5.20.1 - Guardrails would fail to update CMDB for virtual networks when flow logs were created or removed from such resources

Fri, 20 Dec 2024 09:00:00 GMT

_Bug fixes_ - Guardrails would fail to update CMDB for virtual networks when flow logs were created or removed from such resources. This is now fixed.

aws-vpc-core v5.18.2 - Flow Logging control would destroy and recreate flow logs unnecessarily

Mon, 16 Dec 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > VPC > VPC > Flow Logging` control previously attempted to destroy and recreate flow logs with CloudWatch log groups as the destination on successive runs due to an incorrect ARN reference to the log destination. This issue is now fixed, and the control will no longer unnecessarily destroy and recreate flow logs in such cases.

Turbot Guardrails Enterprise (TE) v5.47.6 - Minor internal improvements

Fri, 13 Dec 2024 09:00:00 GMT

_Bug fixes_ - Server - Minor internal improvements. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

gcp v5.27.1 - Updated Terraform Version policy to prevent unnecessary stack control reruns

Fri, 13 Dec 2024 09:00:00 GMT

_Bug fixes_ - We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.

gcp-iam v5.16.3 - Updated Terraform Version policy to prevent unnecessary stack control reruns

Fri, 13 Dec 2024 09:00:00 GMT

azure-iam v5.12.1 - Updated Terraform Version policy to prevent unnecessary stack control reruns

Fri, 13 Dec 2024 09:00:00 GMT

azure-compute v5.19.1 - The Virtual Machine Scale Set Tags control will now update tags correctly for Scale Sets launched via the Azure Marketplace

Fri, 13 Dec 2024 09:00:00 GMT

_Bug fixes_ - In a previous version, we resolved an issue in the `Azure > Compute > Virtual Machine Scale Set > Tags` control to ensure tags were updated correctly for Scale Sets launched via the Azure Marketplace. However, the control occasionally failed to update tags for Scale Sets on certain purchase plans. This issue has now been addressed, and the control will update tags correctly and reliably for all types of Scale Sets.

aws v5.31.1 - Updated Terraform Version policy to prevent unnecessary stack control reruns

Fri, 13 Dec 2024 09:00:00 GMT

aws-kms v5.18.1 - Updated Terraform Version policy to prevent unnecessary stack control reruns

Fri, 13 Dec 2024 09:00:00 GMT

aws-iam v5.37.1 - Updated Terraform Version policy to prevent unnecessary stack control reruns

Fri, 13 Dec 2024 09:00:00 GMT

Turbot Guardrails Enterprise (TE) v5.47.5 - UI bug fixes and enhancements

Wed, 11 Dec 2024 09:00:00 GMT

_Bug fixes_ - UI - Updated the filter logic on the Reports page for more accurate results. - Resolved an issue where resource links in the Permissions section redirected to the profile page instead of the resource page when grouped by resources. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure v5.23.0 - Filter out specific real-time events while polling using the Azure Event Poller

Wed, 11 Dec 2024 09:00:00 GMT

_What's new?_ - Users can now define a list of events to filter out while polling for events using the `Azure > Turbot > Event Poller`. To get started, set the `Azure > Turbot > Event Poller > Excluded Events` policy. _Policy Types_ - Azure > Turbot > Event Poller > Excluded Events

aws-sqs v5.15.0 - Check and enforce SQS SSE for queue encryption

Wed, 11 Dec 2024 09:00:00 GMT

_What's new?_ - Users can now check and enforce SQS SSE for queue encryption. To get started, configure the `AWS > SQS > Queue > Encryption at Rest` policy to one of the following values: `Check: SQS SSE`, `Check: SQS SSE or higher`, `Enforce: SQS SSE` or `Enforce: SQS SSE or higher`.

kubernetes v5.2.0 - Check if Kubernetes clusters are approved for use via Guardrails

Tue, 10 Dec 2024 09:00:00 GMT

_What's new?_ - Check if Kubernetes clusters are approved for use via Guardrails. To get started, set the `Kubernetes > Cluster > Approved > *` policies. _Control Types_ - Kubernetes > Cluster > Approved _Policy Types_ - Kubernetes > Cluster > Approved - Kubernetes > Cluster > Approved > Custom

azure-appservice v5.13.1 - The `HTTPS Only` control would sometime fail to enable the setting in Azure

Fri, 06 Dec 2024 09:00:00 GMT

_Bug fixes_ - The `Azure > App Service > Function App > HTTPS Only` control would sometime fail to enable the setting in Azure. This is now fixed.

gcp-computeengine v5.19.2 - The `Serial Port Access` and `Block Project Wide SSH Keys` controls for Compute Engine Instances would sometimes go into an error state due to incorrect references to CMDB attributes

Thu, 05 Dec 2024 09:00:00 GMT

_Bug fixes_ - The `GCP > Compute Engine > Instance > Serial Port Access` and `GCP > Compute Engine > Instance > Block Project Wide SSH Keys` controls would sometimes go into an error state due to incorrect references to CMDB attributes. This is fixed and the controls will now work as expected.

azure-network v5.20.0 - Guardrails can now discover and manage Network resources across all supported regions in Azure

Wed, 04 Dec 2024 09:00:00 GMT

_What's new?_ - The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure. _Bug fixes_ - Guardrails would fail to delete unapproved ingress rules when the `Azure > Network > Network Security Group > Ingress Rules > Approved` policy was set to `Enforce: Delete unapproved`. This is now fixed.

azure-cosmosdb v5.8.0 - Guardrails can now discover and manage Cosmos DB resources across all supported regions in Azure

Wed, 04 Dec 2024 09:00:00 GMT

azure-appservice v5.13.0 - Guardrails can now discover and manage App Service resources across all supported regions in Azure

Wed, 04 Dec 2024 09:00:00 GMT

Tue, 03 Dec 2024 09:00:00 GMT

Thu, 28 Nov 2024 09:00:00 GMT

_Bug fixes_ - The `GCP > IAM > Service Account Key > Active` control has been updated to use `validAfterTime` instead of `metadata.createTimestamp` to accurately evaluate the age of the resource.

azure-applicationinsights v5.9.0 - Guardrails can now discover and manage Application Insights resources across all supported regions in Azure

Thu, 28 Nov 2024 09:00:00 GMT

aws-rds v5.28.0 - Users can now check and delete DB clusters that are not approved for use if they lack encryption at rest

Thu, 28 Nov 2024 09:00:00 GMT

_What's new?_ - Users can now check and delete DB clusters that are not approved for use if they lack encryption at rest. To get started, set the `AWS > RDS > DB Cluster > Approved > Encryption at Rest > *` policies. _Policy Types_ - AWS > RDS > DB Cluster > Approved > Encryption at Rest - AWS > RDS > DB Cluster > Approved > Encryption at Rest > Customer Managed Key

aws v5.31.0 - Users can now check if their account spend is `On Target` per Budget

Tue, 26 Nov 2024 09:00:00 GMT

_What's new?_ - Users can now check if their account spend is `On Target` per Budget. To get started, set the `AWS > Account > Budget > Enabled` policy to `Check: Budget > State is On Target`.

Turbot Guardrails Enterprise (TE) v5.47.4 - Resolved an issue where reports pages could crash if certain information was null

Tue, 26 Nov 2024 09:00:00 GMT

_Bug fixes_ - UI - Resolved an issue where reports pages could crash if certain information was null _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.47.3 - Resolved issue with actor information handling

Mon, 25 Nov 2024 09:00:00 GMT

_Bug fixes_ - Server - Resolved an issue where actor information was not being passed correctly during the process execution, ensuring accurate tracking and processing of actor-related data. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-vpc-core v5.18.1 - The VPC Route CMDB control would go into an error state due to an incorrect use of a function from an internal node package

Mon, 25 Nov 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > VPC > Route > CMDB` control would go into an error state due to an incorrect use of a function from an internal node package. This is now fixed.

azure-storage v5.20.3 - The `createdBy` and `createTimestamp` details will now be stored correctly and consistently for storage accounts

Fri, 22 Nov 2024 09:00:00 GMT

_Bug fixes_ - Guardrails would sometimes update the `createdBy` details for storage accounts due to mishandled real-time update events. This issue has been fixed, and `createdBy` details will now be stored more reliably and consistently than before. - In a previous version, we inadvertently introduced a bug that prevented the `createTimestamp` details from being stored in the metadata of new storage accounts upserted in Guardrails CMDB. This issue has now been resolved, and `createTimestamp` details are now stored correctly and reliably.

azure v5.22.0 - Resource's metadata will now also include `createdBy` details in Guardrails CMDB

Wed, 20 Nov 2024 09:00:00 GMT

_What's new?_ - Resource's metadata will now also include `createdBy` details in Guardrails CMDB.

aws-vpc-security v5.11.1 - Updated internal Terraform mapping for Flow Log resource type to update flow logs correctly corresponding to updates in stacks

Wed, 20 Nov 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > VPC > VPC > Flow Logging` control would sometimes fail to update flow logs if the Max Aggregation Interval in the stack's source policy was updated. This is fixed and the stack control will now update such resources correctly, as expected.

aws-vpc-core v5.18.0 - Users can now configure the maximum aggregation interval in the Flow Logging control

Wed, 20 Nov 2024 09:00:00 GMT

_What's new?_ - Users can now configure the maximum aggregation interval in the `AWS > VPC > VPC > Flow Logging` control. To get started, set the `AWS > VPC > VPC > Flow Logging > Cloud Watch > Maximum Aggregation Interval` policy and/or `AWS > VPC > VPC > Flow Logging > S3 > Maximum Aggregation Interval` policy. _Policy Types_ - AWS > VPC > VPC > Flow Logging > Cloud Watch > Maximum Aggregation Interval - AWS > VPC > VPC > Flow Logging > S3 > Maximum Aggregation Interval

azure-sql v5.16.0 - Track and manage Managed Instance resources in Guardrails

Thu, 31 Oct 2024 09:00:00 GMT

_Resource Types_ - Azure > SQL > Managed Instance _Control Types_ - Azure > SQL > Managed Instance > Active - Azure > SQL > Managed Instance > Approved - Azure > SQL > Managed Instance > CMDB - Azure > SQL > Managed Instance > Discovery - Azure > SQL > Managed Instance > Tags _Policy Types_ - Azure > SQL > Managed Instance > Active - Azure > SQL > Managed Instance > Active > Age - Azure > SQL > Managed Instance > Active > Last Modified - Azure > SQL > Managed Instance > Approved - Azure > SQL > Managed Instance > Approved > Custom - Azure > SQL > Managed Instance > Approved > Regions - Azure > SQL > Managed Instance > Approved > Usage - Azure > SQL > Managed Instance > CMDB - Azure > SQL > Managed Instance > Regions - Azure > SQL > Managed Instance > Tags - Azure > SQL > Managed Instance > Tags > Template _Action Types_ - Azure > SQL > Managed Instance > Delete - Azure > SQL > Managed Instance > Router - Azure > SQL > Managed Instance > Set Tags

aws-cisv3-0 v5.0.2 - Section 1 controls now correctly target a User/Root instead of Credentials Report

Thu, 31 Oct 2024 09:00:00 GMT

_Bug fixes_ - Controls previously targeting the `AWS > IAM > Credential Report` resource type have now been updated to target either the `AWS > IAM > Root` or `AWS > IAM > User` resource types, depending on the specific control requirements. This adjustment more accurately aligns each control with the relevant resources, enabling more precise and targeted checks.

azure-securitycenter v5.5.2 - Auto Provisioning control is now deprecated and will move to an Invalid state if enforcements are applied

Wed, 30 Oct 2024 09:00:00 GMT

_Bug fixes_ - The `Azure > Security Center > Security Center > Auto Provisioning` control is now deprecated and will now move to an Invalid state if enforcements are applied. This follows the [deprecation plan announcement](https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#log-analytics-agent-autoprovisioning-experience---deprecation-plan) from Azure. The control will be removed in a future mod version. _Control Types_ _Renamed_ - Azure > Security Center > Security Center > Auto Provisioning to Azure > Security Center > Security Center > Auto Provisioning [Deprecated] _Policy Types_ _Renamed_ - Azure > Security Center > Security Center > Auto Provisioning to Azure > Security Center > Security Center > Auto Provisioning [Deprecated] _Action Types_ _Removed_ - Azure > Security Center > Security Center > Update Auto Provisioning

servicenow-kubernetes v5.5.0 - Added support for Import Set controls for various Kubernetes resource types

Fri, 25 Oct 2024 09:00:00 GMT

_What's new?_ _Control Types_ - Kubernetes > CronJob > ServiceNow > Import Set - Kubernetes > DaemonSet > ServiceNow > Import Set - Kubernetes > Ingress > ServiceNow > Import Set - Kubernetes > Job > ServiceNow > Import Set - Kubernetes > Persistent Volume > ServiceNow > Import Set - Kubernetes > ReplicationController > ServiceNow > Import Set - Kubernetes > StatefulSet > ServiceNow > Import Set _Policy Types_ - Kubernetes > CronJob > ServiceNow > Import Set - Kubernetes > CronJob > ServiceNow > Import Set > Archive Columns - Kubernetes > CronJob > ServiceNow > Import Set > Insert Mode - Kubernetes > CronJob > ServiceNow > Import Set > Record - Kubernetes > CronJob > ServiceNow > Import Set > Table Name - Kubernetes > DaemonSet > ServiceNow > Import Set - Kubernetes > DaemonSet > ServiceNow > Import Set > Archive Columns - Kubernetes > DaemonSet > ServiceNow > Import Set > Insert Mode - Kubernetes > DaemonSet > ServiceNow > Import Set > Record - Kubernetes > DaemonSet > ServiceNow > Import Set > Table Name - Kubernetes > Ingress > ServiceNow > Import Set - Kubernetes > Ingress > ServiceNow > Import Set > Archive Columns - Kubernetes > Ingress > ServiceNow > Import Set > Insert Mode - Kubernetes > Ingress > ServiceNow > Import Set > Record - Kubernetes > Ingress > ServiceNow > Import Set > Table Name - Kubernetes > Job > ServiceNow > Import Set - Kubernetes > Job > ServiceNow > Import Set > Archive Columns - Kubernetes > Job > ServiceNow > Import Set > Insert Mode - Kubernetes > Job > ServiceNow > Import Set > Record - Kubernetes > Job > ServiceNow > Import Set > Table Name - Kubernetes > Persistent Volume > ServiceNow > Import Set - Kubernetes > Persistent Volume > ServiceNow > Import Set > Archive Columns - Kubernetes > Persistent Volume > ServiceNow > Import Set > Insert Mode - Kubernetes > Persistent Volume > ServiceNow > Import Set > Record - Kubernetes > Persistent Volume > ServiceNow > Import Set > Table Name - Kubernetes > ReplicationController > ServiceNow > Import Set - Kubernetes > ReplicationController > ServiceNow > Import Set > Archive Columns - Kubernetes > ReplicationController > ServiceNow > Import Set > Insert Mode - Kubernetes > ReplicationController > ServiceNow > Import Set > Record - Kubernetes > ReplicationController > ServiceNow > Import Set > Table Name - Kubernetes > StatefulSet > ServiceNow > Import Set - Kubernetes > StatefulSet > ServiceNow > Import Set > Archive Columns - Kubernetes > StatefulSet > ServiceNow > Import Set > Insert Mode - Kubernetes > StatefulSet > ServiceNow > Import Set > Record - Kubernetes > StatefulSet > ServiceNow > Import Set > Table Name

servicenow-aws-s3 v5.2.1 - Import Set control will not transform JSON objects to strings while syncing data to ServiceNow

Fri, 25 Oct 2024 09:00:00 GMT

_Bug fixes_ - In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.

azure v5.21.1 - Removed unused Node package dependencies for Tenant lambda functions

Fri, 25 Oct 2024 09:00:00 GMT

Thu, 24 Oct 2024 09:00:00 GMT

_What's new?_ _Policy Types_ - GCP > Compute Engine > Disk > ServiceNow > Import Set > Insert Mode - GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Insert Mode - GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Insert Mode - GCP > Compute Engine > Health Check > ServiceNow > Import Set > Insert Mode - GCP > Compute Engine > Image > ServiceNow > Import Set > Insert Mode - GCP > Compute Engine > Instance > ServiceNow > Import Set > Insert Mode - GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Insert Mode - GCP > Compute Engine > Node Group > ServiceNow > Import Set > Insert Mode - GCP > Compute Engine > Node template > ServiceNow > Import Set > Insert Mode - GCP > Compute Engine > Project > ServiceNow > Import Set > Insert Mode - GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Insert Mode - GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Insert Mode - GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Insert Mode _Bug fixes_ - In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.

servicenow-azure-network v5.4.1 - Import Set control will not transform JSON objects to strings while syncing data to ServiceNow

Thu, 24 Oct 2024 09:00:00 GMT

servicenow-azure-compute v5.2.1 - Import Set control will not transform JSON objects to strings while syncing data to ServiceNow

Thu, 24 Oct 2024 09:00:00 GMT

Wed, 23 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the new authentication method to discover and manage Automation resources in Guardrails. _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

servicenow-azure-storage v5.4.1 - Import Set control will not transform JSON objects to strings while syncing data to ServiceNow

Tue, 22 Oct 2024 09:00:00 GMT

servicenow-azure v5.6.1 - Import Set control will not transform JSON objects to strings while syncing data to ServiceNow

Mon, 21 Oct 2024 09:00:00 GMT

_Bug fixes_ - In v5.3.1, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.

azure-keyvault v5.14.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Key Vault resources in Guardrails

Mon, 21 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Key Vault resources in Guardrails. This release includes breaking changes in the CMDB data for key, and secret. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below: KeyVault > Vault Added : - `enableSoftDelete` - `publicNetworkAccess` - `enableRbacAuthorization` KeyVault > Key Added : - `hsmPlatform` Removed: - `key.e` - `key.n` KeyVault > Secret Modified : - `ID` property does not contain the secret version. Removed: - `expires` - `updated` - `created` _Bug fixes_ - The `Azure > Key Vault > Key > CMDB` control would go into an error state while fetching key rotation policy details for managed keys. The control will no longer attempt to fetch the key rotation policy details for such keys and will work as expected. - Improved descriptions for various resource types to ensure they are clearer and more helpful.

Turbot Guardrails Enterprise Database (TED) v1.45.0 - Added support for PostgresSQL 16

Fri, 18 Oct 2024 09:00:00 GMT

_What's new?_ - Added support for PostgresSQL 16. - Added support for custom hive key. - Default database engine version changed to 15.7. - Default cache engine version set to 7.1. - M4 and R4 instance types removed from the supported database instance list due to deprecation.

Turbot Guardrails Enterprise (TE) v5.47.2 - Feature enhancements and bug fixes

Fri, 18 Oct 2024 09:00:00 GMT

_What's new?_ - Server - Introduced `Activity Retention` feature for Smart Retention control to enhance version and data management. - UI - Support for downloading AWS CloudFormation templates directly from the AWS import page. _Bug fixes_ - Server - Resolved controls getting stuck when `Notify` or `Ignore` keywords were missing in the notification rules. - UI - The `+` button for adding permissions now correctly applies the appropriate attributes. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

turbot v5.46.0 - Added policy to set Activity Retention

Fri, 18 Oct 2024 09:00:00 GMT

_What's new?_ - Policy Types: - Turbot > Workspace > Retention > Activity Purge Limit. - Turbot > Workspace > Retention > Activity Retention. - Control Types: - Add support to `Turbot > Smart Retention` control to enhance version and data management. _Requirements_ - TE: 5.35.4

azure-mysql v5.12.0 - Check if flexible servers have TLS version set to 1.2 or higher

Fri, 18 Oct 2024 09:00:00 GMT

_What's new?_ - You can now check if flexible servers have a TLS version setting of 1.2 or higher enabled. To get started, set the `Azure > MySQL > Flexible Server > Set Minimum TLS Version` policy to `Check: TLS 1.2 or higher`.

azure v5.21.0 - Controls and Actions now use latest Azure SDK versions to discover and manage resources in Guardrails

Thu, 17 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage resources in Guardrails. This release includes breaking changes in the CMDB data for Azure. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below. Azure > Management Group Modified : - The value of `type` property is updated as `type: Microsoft.Management/managementGroups`, earlier it was `/providers/Microsoft.Management/managementGroups`

azure-sqlvirtualmachine v5.1.0 - Controls and Actions now use latest Azure SDK versions to discover and manage SQL Virtual Machine resources in Guardrails

Thu, 17 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the new authentication method to discover and manage SQL Virtual Machine resources in Guardrails. _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-sql v5.15.0 - Controls and Actions now use latest Azure SDK versions to discover and manage SQL resources in Guardrails

Thu, 17 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage SQL resources in Guardrails. This release includes breaking changes in the CMDB data for server, database, and elasticpool. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below: Renamed: - `transparentDataEncryption.status` to `transparentDataEncryption.state` - `databaseThreatDetectionPolicy` to `databaseSecurityAlertPolicy` Added: Azure SQL > Server - Added `administrators` block - `isManagedIdentityInUse ` - `autoRotationEnabled ` - `externalGovernanceStatus ` - `minimalTlsVersion` - `privateEndpointConnections` - `publicNetworkAccess` - `restrictOutboundNetworkAccess` - `serverAzureADAdministrator.azureADOnlyAuthentication` Azure SQL > Database - `availabilityZone` - `currentBackupStorageRedundancy` - `databaseSecurityAlertPolicy. creationTime` - `transparentDataEncryption.location` - `isInfraEncryptionEnabled` - `isLedgerOn` - `maintenanceConfigurationId` - `requestedBackupStorageRedundancy` - `maintenanceConfigurationId` Azure SQL > ElasticPool - `maintenanceConfigurationId` Modified: - The value of the attribute `serverAzureADAdministrator.name` has been changed from string (`activeDirectory`) to string (`ActiveDirectory`). - The data type of the attribute `databaseThreatDetectionPolicy.disabledAlerts` has been changed from string (`""`) to object (`[]`). - The data type of the attribute `databaseThreatDetectionPolicy.emailAddresses` has been changed from string (`""`) to object (`[]`). - The data type of the attribute `databaseThreatDetectionPolicy.emailAccountAdmins` has been changed from string (`Disabled/Enabled`) to boolean (`false/true`). - The data type of the attribute `disabledAlerts` has been changed from string (`""`) to object (`[]`). Removed: - `databaseThreatDetectionPolicy.useServerDefault` _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-provider v5.13.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Resource Providers in Guardrails

Thu, 17 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Resource Providers in Guardrails.

azure-network v5.19.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Network resources in Guardrails

Thu, 17 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Network resources in Guardrails. Network > NetworkInterface Added : - `auxiliaryMode` - `auxiliarySku` - `kind` - `disableTcpStateTracking` Network > PrivateDNSZone Added : - `internalId` Network > VirtualNetworkGateway Added : - `allowVirtualWanTraffic` - `allowRemoteVnetTraffic` Modified : - `activeActive` property updated as `active`

azure-monitor v5.8.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Monitor resources in Guardrails

Thu, 17 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Monitor resources in Guardrails. This release includes changes in the CMDB data for action groups. Added: - `tags` - `kind` _Resource Types_ - Azure > Monitor > Metric Alert _Control Types_ - Azure > Monitor > Action Group > Tags - Azure > Monitor > Metric Alert > Active - Azure > Monitor > Metric Alert > Approved - Azure > Monitor > Metric Alert > CMDB - Azure > Monitor > Metric Alert > Discovery - Azure > Monitor > Metric Alert > Tags _Policy Types_ - Azure > Monitor > Action Group > Tags - Azure > Monitor > Action Group > Tags > Template - Azure > Monitor > Metric Alert > Active - Azure > Monitor > Metric Alert > Active > Age - Azure > Monitor > Metric Alert > Active > Last Modified - Azure > Monitor > Metric Alert > Approved - Azure > Monitor > Metric Alert > Approved > Custom - Azure > Monitor > Metric Alert > Approved > Usage - Azure > Monitor > Metric Alert > CMDB - Azure > Monitor > Metric Alert > Tags - Azure > Monitor > Metric Alert > Tags > Template - Azure > Monitor > Tags Template [Default] _Action Types_ - Azure > Monitor > Action Group > Set Tags - Azure > Monitor > Metric Alert > Delete - Azure > Monitor > Metric Alert > Router - Azure > Monitor > Metric Alert > Set Tags _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-managedidentity v5.1.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Managed Identity resources in Guardrails

Thu, 17 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Managed Identity resources in Guardrails. This release includes changes in the CMDB data as below. Removed: - `clientSecretUrl`

azure-loganalytics v5.9.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Log Analytics resources in Guardrails

Thu, 17 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Log Analytics resources in Guardrails. _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-iam v5.12.0 - Controls and Actions now use latest Azure SDK versions to discover and manage IAM resources in Guardrails

Thu, 17 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage IAM resources in Guardrails. _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-firewall v5.7.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Firewall resources in Guardrails

Wed, 16 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Firewall resources in Guardrails. _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-cosmosdb v5.7.0 - Controls and Actions now use latest Azure SDK versions to discover and manage CosmosDB resources in Guardrails

Wed, 16 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage CosmosDB resources in Guardrails. Added: `createMode` _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

aws v5.30.5 - Budget control will now avoid making API calls for US Gov Cloud Accounts and rely on State policy being updated periodically

Wed, 16 Oct 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > Account > Budget > Budget` control would enter an error state for US Gov cloud accounts because the budget APIs are not supported for these accounts. We have updated the control to avoid making these API calls and instead rely on the `AWS > Account > Budget > State` policy being updated periodically, allowing the control to evaluate the outcome correctly.

servicenow-kubernetes v5.4.0 - Configure CI Relationships for Various Kubernetes Resources in ServiceNow

Tue, 15 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for various Kubernetes resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively. _Control Types_ - Kubernetes > Cluster > ServiceNow > Relationships - Kubernetes > ConfigMap > ServiceNow > Relationships - Kubernetes > CronJob > ServiceNow > Relationships - Kubernetes > DaemonSet > ServiceNow > Relationships - Kubernetes > Deployment > ServiceNow > Relationships - Kubernetes > Ingress > ServiceNow > Relationships - Kubernetes > Job > ServiceNow > Relationships - Kubernetes > Namespace > ServiceNow > Relationships - Kubernetes > Node > ServiceNow > Relationships - Kubernetes > Persistent Volume > ServiceNow > Relationships - Kubernetes > Pod > ServiceNow > Relationships - Kubernetes > ReplicaSet > ServiceNow > Relationships - Kubernetes > ReplicationController > ServiceNow > Relationships - Kubernetes > Service > ServiceNow > Relationships - Kubernetes > StatefulSet > ServiceNow > Relationships _Policy Types_ - Kubernetes > Cluster > ServiceNow > Relationships - Kubernetes > Cluster > ServiceNow > Relationships > Template - Kubernetes > ConfigMap > ServiceNow > Relationships - Kubernetes > ConfigMap > ServiceNow > Relationships > Template - Kubernetes > CronJob > ServiceNow > Relationships - Kubernetes > CronJob > ServiceNow > Relationships > Template - Kubernetes > DaemonSet > ServiceNow > Relationships - Kubernetes > DaemonSet > ServiceNow > Relationships > Template - Kubernetes > Deployment > ServiceNow > Relationships - Kubernetes > Deployment > ServiceNow > Relationships > Template - Kubernetes > Ingress > ServiceNow > Relationships - Kubernetes > Ingress > ServiceNow > Relationships > Template - Kubernetes > Job > ServiceNow > Relationships - Kubernetes > Job > ServiceNow > Relationships > Template - Kubernetes > Namespace > ServiceNow > Relationships - Kubernetes > Namespace > ServiceNow > Relationships > Template - Kubernetes > Node > ServiceNow > Relationships - Kubernetes > Node > ServiceNow > Relationships > Template - Kubernetes > Persistent Volume > ServiceNow > Relationships - Kubernetes > Persistent Volume > ServiceNow > Relationships > Template - Kubernetes > Pod > ServiceNow > Relationships - Kubernetes > Pod > ServiceNow > Relationships > Template - Kubernetes > ReplicaSet > ServiceNow > Relationships - Kubernetes > ReplicaSet > ServiceNow > Relationships > Template - Kubernetes > ReplicationController > ServiceNow > Relationships - Kubernetes > ReplicationController > ServiceNow > Relationships > Template - Kubernetes > Service > ServiceNow > Relationships - Kubernetes > Service > ServiceNow > Relationships > Template - Kubernetes > StatefulSet > ServiceNow > Relationships - Kubernetes > StatefulSet > ServiceNow > Relationships > Template

azure-loadbalancer v5.8.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Load Balancer resources in Guardrails

Tue, 15 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Load Balancer resources in Guardrails.

servicenow-gcp v5.7.0 - Configure CI Relationships for Projects in ServiceNow

Mon, 14 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for projects in ServiceNow. To get started, set the `GCP > Project > ServiceNow > Relationships > *` policies. _Control Types_ - GCP > Project > ServiceNow > Relationships _Policy Types_ - GCP > Project > ServiceNow > Relationships - GCP > Project > ServiceNow > Relationships > Template

servicenow-azure v5.6.0 - Configure CI Relationships for Subscriptions in ServiceNow

Mon, 14 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for subscriptions in ServiceNow. To get started, set the `Azure > Subscription > ServiceNow > Relationships > *` policies. _Control Types_ - Azure > Subscription > ServiceNow > Relationships _Policy Types_ - Azure > Subscription > ServiceNow > Relationships - Azure > Subscription > ServiceNow > Relationships > Template

servicenow-aws v5.3.0 - Configure CI Relationships for Accounts in ServiceNow

Mon, 14 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for accounts in ServiceNow. To get started, set the `AWS > Account > ServiceNow > Relationships > *` policies. _Control Types_ - AWS > Account > ServiceNow > Relationships _Policy Types_ - AWS > Account > ServiceNow > Relationships - AWS > Account > ServiceNow > Relationships > Template

azure-dns v5.9.0 - Controls and Actions now use latest Azure SDK versions to discover and manage DNS resources in Guardrails

Mon, 14 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage DNS resources in Guardrails. This release includes breaking changes in the CMDB data for security center. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below. Removed: - `tTL` _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-databricks v5.4.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Databricks resources in Guardrails

Mon, 14 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Databricks resources in Guardrails. Added: - `createdBy` - `updatedBy` - `systemData` - `createdDateTime` _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-containerregistry v5.1.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Container Registry resources in Guardrails

Mon, 14 Oct 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Container Registry resources in Guardrails. Added: - `softDeletePolicy` - `azureADAuthenticationAsArmPolicy`

servicenow-gcp-network v5.2.0 - Configure CI Relationships for Various Network Resources in ServiceNow

Wed, 09 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for various network resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively. _Control Types_ - GCP > Network > Firewall > ServiceNow > Relationships - GCP > Network > Forwarding Rule > ServiceNow > Relationships - GCP > Network > Network > ServiceNow > Relationships - GCP > Network > Route > ServiceNow > Relationships - GCP > Network > Router > ServiceNow > Relationships - GCP > Network > Subnetwork > ServiceNow > Relationships - GCP > Network > Target Pool > ServiceNow > Relationships - GCP > Network > Target VPN Gateway > ServiceNow > Relationships _Policy Types_ - GCP > Network > Firewall > ServiceNow > Relationships - GCP > Network > Firewall > ServiceNow > Relationships > Template - GCP > Network > Forwarding Rule > ServiceNow > Relationships - GCP > Network > Forwarding Rule > ServiceNow > Relationships > Template - GCP > Network > Network > ServiceNow > Relationships - GCP > Network > Network > ServiceNow > Relationships > Template - GCP > Network > Route > ServiceNow > Relationships - GCP > Network > Route > ServiceNow > Relationships > Template - GCP > Network > Router > ServiceNow > Relationships - GCP > Network > Router > ServiceNow > Relationships > Template - GCP > Network > Subnetwork > ServiceNow > Relationships - GCP > Network > Subnetwork > ServiceNow > Relationships > Template - GCP > Network > Target Pool > ServiceNow > Relationships - GCP > Network > Target Pool > ServiceNow > Relationships > Template - GCP > Network > Target VPN Gateway > ServiceNow > Relationships - GCP > Network > Target VPN Gateway > ServiceNow > Relationships > Template

servicenow-gcp-computeengine v5.3.0 - Configure CI Relationships for Various Compute Engine Resources in ServiceNow

Wed, 09 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for various compute engine resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively. _Control Types_ - GCP > Compute Engine > Disk > ServiceNow > Relationships - GCP > Compute Engine > Image > ServiceNow > Relationships - GCP > Compute Engine > Instance > ServiceNow > Relationships - GCP > Compute Engine > Node Group > ServiceNow > Relationships - GCP > Compute Engine > Node template > ServiceNow > Relationships - GCP > Compute Engine > Snapshot > ServiceNow > Relationships _Policy Types_ - GCP > Compute Engine > Disk > ServiceNow > Relationships - GCP > Compute Engine > Disk > ServiceNow > Relationships > Template - GCP > Compute Engine > Image > ServiceNow > Relationships - GCP > Compute Engine > Image > ServiceNow > Relationships > Template - GCP > Compute Engine > Instance > ServiceNow > Relationships - GCP > Compute Engine > Instance > ServiceNow > Relationships > Template - GCP > Compute Engine > Node Group > ServiceNow > Relationships - GCP > Compute Engine > Node Group > ServiceNow > Relationships > Template - GCP > Compute Engine > Node template > ServiceNow > Relationships - GCP > Compute Engine > Node template > ServiceNow > Relationships > Template - GCP > Compute Engine > Snapshot > ServiceNow > Relationships - GCP > Compute Engine > Snapshot > ServiceNow > Relationships > Template

servicenow-azure-network v5.4.0 - Configure CI Relationships for Various Network Resources in ServiceNow

Wed, 09 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for various network resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively. _Control Types_ - Azure > Network > Application Security Group > ServiceNow > Import Set - Azure > Network > Application Security Group > ServiceNow > Relationships - Azure > Network > Express Route Circuits > ServiceNow > Import Set - Azure > Network > Network Interface > ServiceNow > Import Set - Azure > Network > Network Interface > ServiceNow > Relationships - Azure > Network > Network Security Group > ServiceNow > Relationships - Azure > Network > Private DNS Zones > ServiceNow > Import Set - Azure > Network > Private Endpoints > ServiceNow > Import Set - Azure > Network > Public IP Address > ServiceNow > Import Set - Azure > Network > Public IP Address > ServiceNow > Relationships - Azure > Network > Route Table > ServiceNow > Import Set - Azure > Network > Route Table > ServiceNow > Relationships - Azure > Network > Subnet > ServiceNow > Import Set - Azure > Network > Subnet > ServiceNow > Relationships - Azure > Network > Virtual Network > ServiceNow > Import Set - Azure > Network > Virtual Network > ServiceNow > Relationships - Azure > Network > Virtual Network Gateway > ServiceNow > Import Set - Azure > Network > Virtual Network Gateway > ServiceNow > Relationships _Policy Types_ - Azure > Network > Application Security Group > ServiceNow > Import Set - Azure > Network > Application Security Group > ServiceNow > Import Set > Archive Columns - Azure > Network > Application Security Group > ServiceNow > Import Set > Insert Mode - Azure > Network > Application Security Group > ServiceNow > Import Set > Record - Azure > Network > Application Security Group > ServiceNow > Import Set > Table Name - Azure > Network > Application Security Group > ServiceNow > Relationships - Azure > Network > Application Security Group > ServiceNow > Relationships > Template - Azure > Network > Express Route Circuits > ServiceNow > Import Set - Azure > Network > Express Route Circuits > ServiceNow > Import Set > Archive Columns - Azure > Network > Express Route Circuits > ServiceNow > Import Set > Insert Mode - Azure > Network > Express Route Circuits > ServiceNow > Import Set > Record - Azure > Network > Express Route Circuits > ServiceNow > Import Set > Table Name - Azure > Network > Network Interface > ServiceNow > Import Set - Azure > Network > Network Interface > ServiceNow > Import Set > Archive Columns - Azure > Network > Network Interface > ServiceNow > Import Set > Insert Mode - Azure > Network > Network Interface > ServiceNow > Import Set > Record - Azure > Network > Network Interface > ServiceNow > Import Set > Table Name - Azure > Network > Network Interface > ServiceNow > Relationships - Azure > Network > Network Interface > ServiceNow > Relationships > Template - Azure > Network > Network Security Group > ServiceNow > Import Set > Insert Mode - Azure > Network > Network Security Group > ServiceNow > Relationships - Azure > Network > Network Security Group > ServiceNow > Relationships > Template - Azure > Network > Private DNS Zones > ServiceNow > Import Set - Azure > Network > Private DNS Zones > ServiceNow > Import Set > Archive Columns - Azure > Network > Private DNS Zones > ServiceNow > Import Set > Insert Mode - Azure > Network > Private DNS Zones > ServiceNow > Import Set > Record - Azure > Network > Private DNS Zones > ServiceNow > Import Set > Table Name - Azure > Network > Private Endpoints > ServiceNow > Import Set - Azure > Network > Private Endpoints > ServiceNow > Import Set > Archive Columns - Azure > Network > Private Endpoints > ServiceNow > Import Set > Insert Mode - Azure > Network > Private Endpoints > ServiceNow > Import Set > Record - Azure > Network > Private Endpoints > ServiceNow > Import Set > Table Name - Azure > Network > Public IP Address > ServiceNow > Import Set - Azure > Network > Public IP Address > ServiceNow > Import Set > Archive Columns - Azure > Network > Public IP Address > ServiceNow > Import Set > Insert Mode - Azure > Network > Public IP Address > ServiceNow > Import Set > Record - Azure > Network > Public IP Address > ServiceNow > Import Set > Table Name - Azure > Network > Public IP Address > ServiceNow > Relationships - Azure > Network > Public IP Address > ServiceNow > Relationships > Template - Azure > Network > Route Table > ServiceNow > Import Set - Azure > Network > Route Table > ServiceNow > Import Set > Archive Columns - Azure > Network > Route Table > ServiceNow > Import Set > Insert Mode - Azure > Network > Route Table > ServiceNow > Import Set > Record - Azure > Network > Route Table > ServiceNow > Import Set > Table Name - Azure > Network > Route Table > ServiceNow > Relationships - Azure > Network > Route Table > ServiceNow > Relationships > Template - Azure > Network > Subnet > ServiceNow > Import Set - Azure > Network > Subnet > ServiceNow > Import Set > Archive Columns - Azure > Network > Subnet > ServiceNow > Import Set > Insert Mode - Azure > Network > Subnet > ServiceNow > Import Set > Record - Azure > Network > Subnet > ServiceNow > Import Set > Table Name - Azure > Network > Subnet > ServiceNow > Relationships - Azure > Network > Subnet > ServiceNow > Relationships > Template - Azure > Network > Virtual Network > ServiceNow > Import Set - Azure > Network > Virtual Network > ServiceNow > Import Set > Archive Columns - Azure > Network > Virtual Network > ServiceNow > Import Set > Insert Mode - Azure > Network > Virtual Network > ServiceNow > Import Set > Record - Azure > Network > Virtual Network > ServiceNow > Import Set > Table Name - Azure > Network > Virtual Network > ServiceNow > Relationships - Azure > Network > Virtual Network > ServiceNow > Relationships > Template - Azure > Network > Virtual Network Gateway > ServiceNow > Import Set - Azure > Network > Virtual Network Gateway > ServiceNow > Import Set > Archive Columns - Azure > Network > Virtual Network Gateway > ServiceNow > Import Set > Insert Mode - Azure > Network > Virtual Network Gateway > ServiceNow > Import Set > Record - Azure > Network > Virtual Network Gateway > ServiceNow > Import Set > Table Name - Azure > Network > Virtual Network Gateway > ServiceNow > Relationships - Azure > Network > Virtual Network Gateway > ServiceNow > Relationships > Template

servicenow-azure-compute v5.2.0 - Configure CI Relationships for Various Compute Resources in ServiceNow

Wed, 09 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for various compute resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively. _Control Types_ - Azure > Compute > Availability Set > ServiceNow > Relationships - Azure > Compute > Disk > ServiceNow > Relationships - Azure > Compute > Image > ServiceNow > Relationships - Azure > Compute > Snapshot > ServiceNow > Relationships - Azure > Compute > Virtual Machine > ServiceNow > Relationships _Policy Types_ - Azure > Compute > Availability Set > ServiceNow > Import Set > Insert Mode - Azure > Compute > Availability Set > ServiceNow > Relationships - Azure > Compute > Availability Set > ServiceNow > Relationships > Template - Azure > Compute > Disk > ServiceNow > Import Set > Insert Mode - Azure > Compute > Disk > ServiceNow > Relationships - Azure > Compute > Disk > ServiceNow > Relationships > Template - Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Insert Mode - Azure > Compute > Image > ServiceNow > Import Set > Insert Mode - Azure > Compute > Image > ServiceNow > Relationships - Azure > Compute > Image > ServiceNow > Relationships > Template - Azure > Compute > Snapshot > ServiceNow > Import Set > Insert Mode - Azure > Compute > Snapshot > ServiceNow > Relationships - Azure > Compute > Snapshot > ServiceNow > Relationships > Template - Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Insert Mode - Azure > Compute > Virtual Machine > ServiceNow > Import Set > Insert Mode - Azure > Compute > Virtual Machine > ServiceNow > Relationships - Azure > Compute > Virtual Machine > ServiceNow > Relationships > Template - Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Insert Mode

servicenow-gcp v5.6.0 - Configure CI Relationships for Global Regions, Multi-Regions, Regions and Zones in ServiceNow

Tue, 08 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for global regions, multi-regions, regions and zones in ServiceNow. To get started, set the `GCP > Global Region > ServiceNow > Relationships > *`, `GCP > Multi-Region > ServiceNow > Relationships > *`, `GCP > Region > ServiceNow > Relationships > *` and `GCP > Zone > ServiceNow > Relationships > *` policies respectively. _Control Types_ - GCP > Global Region > ServiceNow > Relationships - GCP > Multi-Region > ServiceNow > Relationships - GCP > Region > ServiceNow > Relationships - GCP > Zone > ServiceNow > Relationships _Policy Types_ - GCP > Global Region > ServiceNow > Relationships - GCP > Global Region > ServiceNow > Relationships > Template - GCP > Multi-Region > ServiceNow > Relationships - GCP > Multi-Region > ServiceNow > Relationships > Template - GCP > Region > ServiceNow > Relationships - GCP > Region > ServiceNow > Relationships > Template - GCP > Zone > ServiceNow > Relationships - GCP > Zone > ServiceNow > Relationships > Template

servicenow-gcp-storage v5.5.0 - Configure CI Relationships for Buckets and Objects in ServiceNow

Tue, 08 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for buckets and objects in ServiceNow. To get started, set the `GCP > Storage > Bucket > ServiceNow > Relationships > *` and `GCP > Storage > Object > ServiceNow > Relationships > *` policies respectively. _Control Types_ - GCP > Storage > Bucket > ServiceNow > Relationships - GCP > Storage > Object > ServiceNow > Relationships _Policy Types_ - GCP > Storage > Bucket > ServiceNow > Relationships - GCP > Storage > Bucket > ServiceNow > Relationships > Template - GCP > Storage > Object > ServiceNow > Relationships - GCP > Storage > Object > ServiceNow > Relationships > Template

servicenow-azure v5.5.0 - Configure CI Relationships for Resource Groups in ServiceNow

Tue, 08 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for resource groups in ServiceNow. To get started, set the `Azure > Resource Group > ServiceNow > Relationships > *` policies. _Control Types_ - Azure > Resource Group > ServiceNow > Relationships _Policy Types_ - Azure > Resource Group > ServiceNow > Relationships - Azure > Resource Group > ServiceNow > Relationships > Template

servicenow-azure-storage v5.4.0 - Configure CI Relationships for Containers, File Shares, Queues and Storage Accounts in ServiceNow

Tue, 08 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for containers, file shares, queues and storage accounts in ServiceNow. To get started, set the `Azure > Storage > Container > ServiceNow > Relationships > *`, `Azure > Storage > File Share > ServiceNow > Relationships > *`, `Azure > Storage > Queue > ServiceNow > Relationships > *` and `Azure > Storage > Storage Account > ServiceNow > Relationships > *` policies respectively. _Control Types_ - Azure > Storage > Container > ServiceNow > Relationships - Azure > Storage > FileShare > ServiceNow > Relationships - Azure > Storage > Queue > ServiceNow > Relationships - Azure > Storage > Storage Account > ServiceNow > Relationships _Policy Types_ - Azure > Storage > Container > ServiceNow > Import Set > Insert Mode - Azure > Storage > Container > ServiceNow > Relationships - Azure > Storage > Container > ServiceNow > Relationships > Template - Azure > Storage > FileShare > ServiceNow > Import Set > Insert Mode - Azure > Storage > FileShare > ServiceNow > Relationships - Azure > Storage > FileShare > ServiceNow > Relationships > Template - Azure > Storage > Queue > ServiceNow > Import Set > Insert Mode - Azure > Storage > Queue > ServiceNow > Relationships - Azure > Storage > Queue > ServiceNow > Relationships > Template - Azure > Storage > Storage Account > ServiceNow > Import Set > Insert Mode - Azure > Storage > Storage Account > ServiceNow > Relationships - Azure > Storage > Storage Account > ServiceNow > Relationships > Template

servicenow-aws-vpc-internet v5.1.0 - Configure CI Relationships for Elastic IPs, Internet Gateways and NAT Gateways in ServiceNow

Tue, 08 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for elastic IPs, internet gateways and NAT gateways in ServiceNow. To get started, set the `AWS > VPC > Elastic IP > ServiceNow > Relationships > *`, `AWS > VPC > Internet Gateway > ServiceNow > Relationships > *` and `AWS > VPC > NAT Gateway > ServiceNow > Relationships > *` policies respectively. _Control Types_ - AWS > VPC > Elastic IP > ServiceNow > Relationships - AWS > VPC > Internet Gateway > ServiceNow - AWS > VPC > Internet Gateway > ServiceNow > Configuration Item - AWS > VPC > Internet Gateway > ServiceNow > Relationships - AWS > VPC > Internet Gateway > ServiceNow > Table - AWS > VPC > NAT Gateway > ServiceNow - AWS > VPC > NAT Gateway > ServiceNow > Configuration Item - AWS > VPC > NAT Gateway > ServiceNow > Relationships - AWS > VPC > NAT Gateway > ServiceNow > Table _Policy Types_ - AWS > VPC > Elastic IP > ServiceNow > Relationships - AWS > VPC > Elastic IP > ServiceNow > Relationships > Template - AWS > VPC > Internet Gateway > ServiceNow - AWS > VPC > Internet Gateway > ServiceNow > Configuration Item - AWS > VPC > Internet Gateway > ServiceNow > Configuration Item > Record - AWS > VPC > Internet Gateway > ServiceNow > Configuration Item > Table Definition - AWS > VPC > Internet Gateway > ServiceNow > Relationships - AWS > VPC > Internet Gateway > ServiceNow > Relationships > Template - AWS > VPC > Internet Gateway > ServiceNow > Table - AWS > VPC > Internet Gateway > ServiceNow > Table > Definition - AWS > VPC > NAT Gateway > ServiceNow - AWS > VPC > NAT Gateway > ServiceNow > Configuration Item - AWS > VPC > NAT Gateway > ServiceNow > Configuration Item > Record - AWS > VPC > NAT Gateway > ServiceNow > Configuration Item > Table Definition - AWS > VPC > NAT Gateway > ServiceNow > Relationships - AWS > VPC > NAT Gateway > ServiceNow > Relationships > Template - AWS > VPC > NAT Gateway > ServiceNow > Table - AWS > VPC > NAT Gateway > ServiceNow > Table > Definition

servicenow-aws-vpc-connect v5.0.0 is now available

Tue, 08 Oct 2024 09:00:00 GMT

_Control Types_ - AWS > VPC > Customer Gateway > ServiceNow - AWS > VPC > Customer Gateway > ServiceNow > Configuration Item - AWS > VPC > Customer Gateway > ServiceNow > Relationships - AWS > VPC > Customer Gateway > ServiceNow > Table - AWS > VPC > Transit Gateway > ServiceNow - AWS > VPC > Transit Gateway > ServiceNow > Configuration Item - AWS > VPC > Transit Gateway > ServiceNow > Relationships - AWS > VPC > Transit Gateway > ServiceNow > Table - AWS > VPC > VPN Gateway > ServiceNow - AWS > VPC > VPN Gateway > ServiceNow > Configuration Item - AWS > VPC > VPN Gateway > ServiceNow > Relationships - AWS > VPC > VPN Gateway > ServiceNow > Table _Policy Types_ - AWS > VPC > Customer Gateway > ServiceNow - AWS > VPC > Customer Gateway > ServiceNow > Configuration Item - AWS > VPC > Customer Gateway > ServiceNow > Configuration Item > Record - AWS > VPC > Customer Gateway > ServiceNow > Configuration Item > Table Definition - AWS > VPC > Customer Gateway > ServiceNow > Relationships - AWS > VPC > Customer Gateway > ServiceNow > Relationships > Template - AWS > VPC > Customer Gateway > ServiceNow > Table - AWS > VPC > Customer Gateway > ServiceNow > Table > Definition - AWS > VPC > Transit Gateway > ServiceNow - AWS > VPC > Transit Gateway > ServiceNow > Configuration Item - AWS > VPC > Transit Gateway > ServiceNow > Configuration Item > Record - AWS > VPC > Transit Gateway > ServiceNow > Configuration Item > Table Definition - AWS > VPC > Transit Gateway > ServiceNow > Relationships - AWS > VPC > Transit Gateway > ServiceNow > Relationships > Template - AWS > VPC > Transit Gateway > ServiceNow > Table - AWS > VPC > Transit Gateway > ServiceNow > Table > Definition - AWS > VPC > VPN Gateway > ServiceNow - AWS > VPC > VPN Gateway > ServiceNow > Configuration Item - AWS > VPC > VPN Gateway > ServiceNow > Configuration Item > Record - AWS > VPC > VPN Gateway > ServiceNow > Configuration Item > Table Definition - AWS > VPC > VPN Gateway > ServiceNow > Relationships - AWS > VPC > VPN Gateway > ServiceNow > Relationships > Template - AWS > VPC > VPN Gateway > ServiceNow > Table - AWS > VPC > VPN Gateway > ServiceNow > Table > Definition

servicenow-aws-ec2 v5.1.0 - Configure CI Relationships for AMIs, Instances, Key Pairs, Network Interfaces, Snapshots and Volumes in ServiceNow

Tue, 08 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for AMIs, instances, key pairs, network interfaces, snapshots and volumes in ServiceNow. To get started, set the `AWS > EC2 > AMI > ServiceNow > Relationships > *`, `AWS > EC2 > Instance > ServiceNow > Relationships > *`, `AWS > EC2 > Key Pair > ServiceNow > Relationships > *`, `AWS > EC2 > Network Interface > ServiceNow > Relationships > *`, `AWS > EC2 > Snapshot > ServiceNow > Relationships > *` and `AWS > EC2 > Volume > ServiceNow > Relationships > *` policies respectively. _Control Types_ - AWS > EC2 > AMI > ServiceNow - AWS > EC2 > AMI > ServiceNow > Configuration Item - AWS > EC2 > AMI > ServiceNow > Relationships - AWS > EC2 > AMI > ServiceNow > Table - AWS > EC2 > Instance > ServiceNow > Relationships - AWS > EC2 > Key Pair > ServiceNow - AWS > EC2 > Key Pair > ServiceNow > Configuration Item - AWS > EC2 > Key Pair > ServiceNow > Relationships - AWS > EC2 > Key Pair > ServiceNow > Table - AWS > EC2 > Network Interface > ServiceNow - AWS > EC2 > Network Interface > ServiceNow > Configuration Item - AWS > EC2 > Network Interface > ServiceNow > Relationships - AWS > EC2 > Network Interface > ServiceNow > Table - AWS > EC2 > Snapshot > ServiceNow > Relationships - AWS > EC2 > Volume > ServiceNow > Relationships _Policy Types_ - AWS > EC2 > AMI > ServiceNow - AWS > EC2 > AMI > ServiceNow > Configuration Item - AWS > EC2 > AMI > ServiceNow > Configuration Item > Record - AWS > EC2 > AMI > ServiceNow > Configuration Item > Table Definition - AWS > EC2 > AMI > ServiceNow > Relationships - AWS > EC2 > AMI > ServiceNow > Relationships > Template - AWS > EC2 > AMI > ServiceNow > Table - AWS > EC2 > AMI > ServiceNow > Table > Definition - AWS > EC2 > Instance > ServiceNow > Relationships - AWS > EC2 > Instance > ServiceNow > Relationships > Template - AWS > EC2 > Key Pair > ServiceNow - AWS > EC2 > Key Pair > ServiceNow > Configuration Item - AWS > EC2 > Key Pair > ServiceNow > Configuration Item > Record - AWS > EC2 > Key Pair > ServiceNow > Configuration Item > Table Definition - AWS > EC2 > Key Pair > ServiceNow > Relationships - AWS > EC2 > Key Pair > ServiceNow > Relationships > Template - AWS > EC2 > Key Pair > ServiceNow > Table - AWS > EC2 > Key Pair > ServiceNow > Table > Definition - AWS > EC2 > Network Interface > ServiceNow - AWS > EC2 > Network Interface > ServiceNow > Configuration Item - AWS > EC2 > Network Interface > ServiceNow > Configuration Item > Record - AWS > EC2 > Network Interface > ServiceNow > Configuration Item > Table Definition - AWS > EC2 > Network Interface > ServiceNow > Relationships - AWS > EC2 > Network Interface > ServiceNow > Relationships > Template - AWS > EC2 > Network Interface > ServiceNow > Table - AWS > EC2 > Network Interface > ServiceNow > Table > Definition - AWS > EC2 > Snapshot > ServiceNow > Relationships - AWS > EC2 > Snapshot > ServiceNow > Relationships > Template - AWS > EC2 > Volume > ServiceNow > Relationships - AWS > EC2 > Volume > ServiceNow > Relationships > Template

servicenow-gcp-vertexai v5.0.0 is now available

Mon, 07 Oct 2024 09:00:00 GMT

_What's new?_ _Control Types_ - GCP > Vertex AI > Endpoint > ServiceNow - GCP > Vertex AI > Endpoint > ServiceNow > Configuration Item - GCP > Vertex AI > Endpoint > ServiceNow > Import Set - GCP > Vertex AI > Endpoint > ServiceNow > Table - GCP > Vertex AI > Notebook Runtime Template > ServiceNow - GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Configuration Item - GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set - GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Table _Policy Types_ - GCP > Vertex AI > Endpoint > ServiceNow - GCP > Vertex AI > Endpoint > ServiceNow > Configuration Item - GCP > Vertex AI > Endpoint > ServiceNow > Configuration Item > Record - GCP > Vertex AI > Endpoint > ServiceNow > Configuration Item > Table Definition - GCP > Vertex AI > Endpoint > ServiceNow > Import Set - GCP > Vertex AI > Endpoint > ServiceNow > Import Set > Archive Columns - GCP > Vertex AI > Endpoint > ServiceNow > Import Set > Insert Mode - GCP > Vertex AI > Endpoint > ServiceNow > Import Set > Record - GCP > Vertex AI > Endpoint > ServiceNow > Import Set > Table Name - GCP > Vertex AI > Endpoint > ServiceNow > Table - GCP > Vertex AI > Endpoint > ServiceNow > Table > Definition - GCP > Vertex AI > Notebook Runtime Template > ServiceNow - GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Configuration Item - GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Configuration Item > Record - GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Configuration Item > Table Definition - GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set - GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set > Archive Columns - GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set > Insert Mode - GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set > Record - GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set > Table Name - GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Table - GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Table > Definition

servicenow-gcp-dataplex v5.0.0 is now available

Mon, 07 Oct 2024 09:00:00 GMT

_What's new?_ _Control Types_ - GCP > Dataplex > Lake > ServiceNow - GCP > Dataplex > Lake > ServiceNow > Configuration Item - GCP > Dataplex > Lake > ServiceNow > Import Set - GCP > Dataplex > Lake > ServiceNow > Table - GCP > Dataplex > Task > ServiceNow - GCP > Dataplex > Task > ServiceNow > Configuration Item - GCP > Dataplex > Task > ServiceNow > Import Set - GCP > Dataplex > Task > ServiceNow > Table - GCP > Dataplex > Zone > ServiceNow - GCP > Dataplex > Zone > ServiceNow > Configuration Item - GCP > Dataplex > Zone > ServiceNow > Import Set - GCP > Dataplex > Zone > ServiceNow > Table _Policy Types_ - GCP > Dataplex > Lake > ServiceNow - GCP > Dataplex > Lake > ServiceNow > Configuration Item - GCP > Dataplex > Lake > ServiceNow > Configuration Item > Record - GCP > Dataplex > Lake > ServiceNow > Configuration Item > Table Definition - GCP > Dataplex > Lake > ServiceNow > Import Set - GCP > Dataplex > Lake > ServiceNow > Import Set > Archive Columns - GCP > Dataplex > Lake > ServiceNow > Import Set > Insert Mode - GCP > Dataplex > Lake > ServiceNow > Import Set > Record - GCP > Dataplex > Lake > ServiceNow > Import Set > Table Name - GCP > Dataplex > Lake > ServiceNow > Table - GCP > Dataplex > Lake > ServiceNow > Table > Definition - GCP > Dataplex > Task > ServiceNow - GCP > Dataplex > Task > ServiceNow > Configuration Item - GCP > Dataplex > Task > ServiceNow > Configuration Item > Record - GCP > Dataplex > Task > ServiceNow > Configuration Item > Table Definition - GCP > Dataplex > Task > ServiceNow > Import Set - GCP > Dataplex > Task > ServiceNow > Import Set > Archive Columns - GCP > Dataplex > Task > ServiceNow > Import Set > Insert Mode - GCP > Dataplex > Task > ServiceNow > Import Set > Record - GCP > Dataplex > Task > ServiceNow > Import Set > Table Name - GCP > Dataplex > Task > ServiceNow > Table - GCP > Dataplex > Task > ServiceNow > Table > Definition - GCP > Dataplex > Zone > ServiceNow - GCP > Dataplex > Zone > ServiceNow > Configuration Item - GCP > Dataplex > Zone > ServiceNow > Configuration Item > Record - GCP > Dataplex > Zone > ServiceNow > Configuration Item > Table Definition - GCP > Dataplex > Zone > ServiceNow > Import Set - GCP > Dataplex > Zone > ServiceNow > Import Set > Archive Columns - GCP > Dataplex > Zone > ServiceNow > Import Set > Insert Mode - GCP > Dataplex > Zone > ServiceNow > Import Set > Record - GCP > Dataplex > Zone > ServiceNow > Import Set > Table Name - GCP > Dataplex > Zone > ServiceNow > Table - GCP > Dataplex > Zone > ServiceNow > Table > Definition

servicenow-aws-vpc-security v5.1.0 - Configure CI Relationships for Flow Logs, Network ACLs, Security Groups and Security Group Rules in ServiceNow

Mon, 07 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for flow logs, network ACLs, security groups and security group rules in ServiceNow. To get started, set the `AWS > VPC > Flow Log > ServiceNow > Relationships > *`, `AWS > VPC > Network ACL > ServiceNow > Relationships > *`, `AWS > VPC > Security Group > ServiceNow > Relationships > *` and `AWS > VPC > Security Group Rule > ServiceNow > Relationships > *` policies respectively. _Control Types_ - AWS > VPC > Flow Log > ServiceNow - AWS > VPC > Flow Log > ServiceNow > Configuration Item - AWS > VPC > Flow Log > ServiceNow > Relationships - AWS > VPC > Flow Log > ServiceNow > Table - AWS > VPC > Network ACL > ServiceNow > Relationships - AWS > VPC > Security Group > ServiceNow > Relationships - AWS > VPC > Security Group Rule > ServiceNow - AWS > VPC > Security Group Rule > ServiceNow > Configuration Item - AWS > VPC > Security Group Rule > ServiceNow > Relationships - AWS > VPC > Security Group Rule > ServiceNow > Table _Policy Types_ - AWS > VPC > Flow Log > ServiceNow - AWS > VPC > Flow Log > ServiceNow > Configuration Item - AWS > VPC > Flow Log > ServiceNow > Configuration Item > Record - AWS > VPC > Flow Log > ServiceNow > Configuration Item > Table Definition - AWS > VPC > Flow Log > ServiceNow > Relationships - AWS > VPC > Flow Log > ServiceNow > Relationships > Template - AWS > VPC > Flow Log > ServiceNow > Table - AWS > VPC > Flow Log > ServiceNow > Table > Definition - AWS > VPC > Network ACL > ServiceNow > Relationships - AWS > VPC > Network ACL > ServiceNow > Relationships > Template - AWS > VPC > Security Group > ServiceNow > Relationships - AWS > VPC > Security Group > ServiceNow > Relationships > Template - AWS > VPC > Security Group Rule > ServiceNow - AWS > VPC > Security Group Rule > ServiceNow > Configuration Item - AWS > VPC > Security Group Rule > ServiceNow > Configuration Item > Record - AWS > VPC > Security Group Rule > ServiceNow > Configuration Item > Table Definition - AWS > VPC > Security Group Rule > ServiceNow > Relationships - AWS > VPC > Security Group Rule > ServiceNow > Relationships > Template - AWS > VPC > Security Group Rule > ServiceNow > Table - AWS > VPC > Security Group Rule > ServiceNow > Table > Definition

servicenow-aws-vpc-core v5.1.0 - Configure CI Relationships for Route Tables, Subnets and VPCs in ServiceNow

Mon, 07 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for route tables, subnets and VPCs in ServiceNow. To get started, set the `AWS > VPC > Route Table > ServiceNow > Relationships > *`, `AWS > VPC > Subnet > ServiceNow > Relationships > *` and `AWS > VPC > VPC > ServiceNow > Relationships > *` policies respectively. _Control Types_ - AWS > VPC > Route Table > ServiceNow > Relationships - AWS > VPC > Subnet > ServiceNow > Relationships - AWS > VPC > VPC > ServiceNow > Relationships _Policy Types_ - AWS > VPC > Route Table > ServiceNow > Relationships - AWS > VPC > Route Table > ServiceNow > Relationships > Template - AWS > VPC > Subnet > ServiceNow > Relationships - AWS > VPC > Subnet > ServiceNow > Relationships > Template - AWS > VPC > VPC > ServiceNow > Relationships - AWS > VPC > VPC > ServiceNow > Relationships > Template

servicenow-aws v5.2.0 - Configure Table, Configuration Item and Relationships for Accounts and Regions in ServiceNow

Mon, 07 Oct 2024 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > Account > ServiceNow - AWS > Account > ServiceNow > Configuration Item - AWS > Account > ServiceNow > Table - AWS > Region > ServiceNow - AWS > Region > ServiceNow > Configuration Item - AWS > Region > ServiceNow > Relationships - AWS > Region > ServiceNow > Table _Policy Types_ - AWS > Account > ServiceNow - AWS > Account > ServiceNow > Configuration Item - AWS > Account > ServiceNow > Configuration Item > Record - AWS > Account > ServiceNow > Configuration Item > Table Definition - AWS > Account > ServiceNow > Table - AWS > Account > ServiceNow > Table > Definition - AWS > Region > ServiceNow - AWS > Region > ServiceNow > Configuration Item - AWS > Region > ServiceNow > Configuration Item > Record - AWS > Region > ServiceNow > Configuration Item > Table Definition - AWS > Region > ServiceNow > Relationships - AWS > Region > ServiceNow > Relationships > Template - AWS > Region > ServiceNow > Table - AWS > Region > ServiceNow > Table > Definition

servicenow-aws-s3 v5.2.0 - Configure CI Relationships for Buckets in ServiceNow

Mon, 07 Oct 2024 09:00:00 GMT

_What's new?_ - You can now configure and manage CI Relationships for buckets in ServiceNow. To get started, set the `AWS > S3 > Bucket > ServiceNow > Relationships > *` policies. _Control Types_ - AWS > S3 > Bucket > ServiceNow > Relationships _Policy Types_ - AWS > S3 > Bucket > ServiceNow > Import Set > Insert Mode - AWS > S3 > Bucket > ServiceNow > Relationships - AWS > S3 > Bucket > ServiceNow > Relationships > Template

aws-billing v5.4.0 - `AWS/Billing/Admin`, `AWS/Billing/Metadata` and `AWS/Billing/Operator` now also include purchase orders permissions

Mon, 07 Oct 2024 09:00:00 GMT

_What's new?_ - `AWS/Billing/Admin`, `AWS/Billing/Metadata` and `AWS/Billing/Operator` now also include purchase orders permissions.

Turbot Guardrails Enterprise (TE) v5.47.1 - Removed recursive loop detection logic, as this is now managed effectively by Lambda.

Fri, 04 Oct 2024 09:00:00 GMT

_Bug fixes_ - Server - Removed recursive loop detection logic, as this is now managed effectively by Lambda. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise Foundation (TEF) v1.63.0 - Support for AWS Graviton instance with ARM64 architecture

Tue, 01 Oct 2024 09:00:00 GMT

_What's new?_ - Support for AWS Graviton instance with ARM64 architecture.

gcp v5.27.0 - Added support to process real-time enable and disable events for Dataplex API

Mon, 30 Sep 2024 09:00:00 GMT

_What's new?_ - Added support to process enable and disable real-time events for Dataplex.

gcp-dataplex v5.0.0 is now available

Mon, 30 Sep 2024 09:00:00 GMT

_Resource Types_ - GCP > Dataplex - GCP > Dataplex > Lake - GCP > Dataplex > Task - GCP > Dataplex > Zone _Control Types_ - GCP > Dataplex > API Enabled - GCP > Dataplex > CMDB - GCP > Dataplex > Discovery - GCP > Dataplex > Lake > Active - GCP > Dataplex > Lake > Approved - GCP > Dataplex > Lake > CMDB - GCP > Dataplex > Lake > Discovery - GCP > Dataplex > Lake > Labels - GCP > Dataplex > Lake > Usage - GCP > Dataplex > Task > Active - GCP > Dataplex > Task > Approved - GCP > Dataplex > Task > CMDB - GCP > Dataplex > Task > Discovery - GCP > Dataplex > Task > Labels - GCP > Dataplex > Task > Usage - GCP > Dataplex > Zone > Active - GCP > Dataplex > Zone > Approved - GCP > Dataplex > Zone > CMDB - GCP > Dataplex > Zone > Discovery - GCP > Dataplex > Zone > Labels - GCP > Dataplex > Zone > Usage _Policy Types_ - GCP > Dataplex > API Enabled - GCP > Dataplex > Approved Regions [Default] - GCP > Dataplex > CMDB - GCP > Dataplex > Enabled - GCP > Dataplex > Labels Template [Default] - GCP > Dataplex > Lake > Active - GCP > Dataplex > Lake > Active > Age - GCP > Dataplex > Lake > Active > Last Modified - GCP > Dataplex > Lake > Approved - GCP > Dataplex > Lake > Approved > Custom - GCP > Dataplex > Lake > Approved > Regions - GCP > Dataplex > Lake > Approved > Usage - GCP > Dataplex > Lake > CMDB - GCP > Dataplex > Lake > Labels - GCP > Dataplex > Lake > Labels > Template - GCP > Dataplex > Lake > Regions - GCP > Dataplex > Lake > Usage - GCP > Dataplex > Lake > Usage > Limit - GCP > Dataplex > Permissions - GCP > Dataplex > Permissions > Levels - GCP > Dataplex > Permissions > Levels > Modifiers - GCP > Dataplex > Regions - GCP > Dataplex > Task > Active - GCP > Dataplex > Task > Active > Age - GCP > Dataplex > Task > Active > Last Modified - GCP > Dataplex > Task > Approved - GCP > Dataplex > Task > Approved > Custom - GCP > Dataplex > Task > Approved > Regions - GCP > Dataplex > Task > Approved > Usage - GCP > Dataplex > Task > CMDB - GCP > Dataplex > Task > Labels - GCP > Dataplex > Task > Labels > Template - GCP > Dataplex > Task > Regions - GCP > Dataplex > Task > Usage - GCP > Dataplex > Task > Usage > Limit - GCP > Dataplex > Zone > Active - GCP > Dataplex > Zone > Active > Age - GCP > Dataplex > Zone > Active > Last Modified - GCP > Dataplex > Zone > Approved - GCP > Dataplex > Zone > Approved > Custom - GCP > Dataplex > Zone > Approved > Regions - GCP > Dataplex > Zone > Approved > Usage - GCP > Dataplex > Zone > CMDB - GCP > Dataplex > Zone > Labels - GCP > Dataplex > Zone > Labels > Template - GCP > Dataplex > Zone > Regions - GCP > Dataplex > Zone > Usage - GCP > Dataplex > Zone > Usage > Limit - GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-dataplex - GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-dataplex - GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-dataplex _Action Types_ - GCP > Dataplex > Lake > Delete - GCP > Dataplex > Lake > Router - GCP > Dataplex > Lake > Set Labels - GCP > Dataplex > Set API Enabled - GCP > Dataplex > Task > Delete - GCP > Dataplex > Task > Router - GCP > Dataplex > Task > Set Labels - GCP > Dataplex > Zone > Delete - GCP > Dataplex > Zone > Router - GCP > Dataplex > Zone > Set Labels

azure-compute v5.18.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Compute resources in Guardrails

Mon, 30 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage compute resources in Guardrails. This release includes breaking changes in the CMDB data for virtual machine. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below **Added:** In Azure > Compute > Disk: - `supportedCapabilities.diskControllerTypes` - `diskIopsReadWrite` - `lastOwnershipUpdateTime` In Azure > Compute > Virtual Machine: - `resources` - `timeCreated` - `etag` In Azure > Compute > Virtual Machine Scale Set: - `constrainedMaximumCapacity` - `etag` - `scaleInPolicy` - `timeCreated` - `upgradePolicy` - `storageProfile. diskControllerType` In Azure > Compute > Snapshot: - `dataAccessAuthMode` - `incrementalSnapshotFamilyId` **Removed:** In Azure > Compute > Virtual Machine: - `statuses.time` _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-appservice v5.4.0 - Controls and Actions now use latest Azure SDK versions to discover and manage App Service resources in Guardrails

Mon, 30 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage App Service resources in Guardrails. **Added:** Azure > App Service > App Service Plan - `elasticScaleEnabled` - `numberOfWorkers` - `zoneRedundant` Azure > App Service > Function App - `configuration.acrUseManagedIdentityCreds` - `configuration.acrUserManagedIdentityID` - `configuration.elasticWebAppScaleLimit` - `configuration.ipSecurityRestrictionsDefaultAction` - `configuration.metadata` - `configuration.minTlsCipherSuite` - `configuration.scmIpSecurityRestrictionsDefaultAction` - `dnsConfiguration` - `publicNetworkAccess` - `vnetBackupRestoreEnabled` - `vnetContentShareEnabled` - `vnetImagePullEnabled` - `vnetRouteAllEnabled` Azure > App Service > Web App - `configuration.acrUseManagedIdentityCreds` - `configuration.acrUserManagedIdentityID` - `configuration.elasticWebAppScaleLimit` - `configuration.ipSecurityRestrictionsDefaultAction` - `configuration.metadata` - `configuration.minTlsCipherSuite` - `configuration.scmIpSecurityRestrictionsDefaultAction` - `dnsConfiguration` - `publicNetworkAccess` - `vnetBackupRestoreEnabled` - `vnetContentShareEnabled` - `vnetImagePullEnabled` - `vnetRouteAllEnabled` _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-apimanagement v5.4.0 - Controls and Actions now use latest Azure SDK versions to discover and manage API Management resources in Guardrails

Mon, 30 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage API Management resources in Guardrails.

azure-securitycenter v5.5.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Security Center resources in Guardrails

Fri, 27 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Security Center resources in Guardrails. This release includes breaking changes in the CMDB data for security center. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below **Renamed:** - `JitNetworkAccessPolicies` to `jitNetworkAccessPolicies` - `Pricing` to `pricing` - `Locations` to `locations` _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-mysql v5.11.0 - Controls and Actions now use latest Azure SDK versions to discover and manage MySql resources in Guardrails

Fri, 27 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage MySQL resources in Guardrails. _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-frontdoorservice v5.8.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Front Door Service resources in Guardrails

Fri, 27 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Front Door Service resources in Guardrails. This release includes breaking changes in the CMDB data for Front Door Service. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below. Added: - `frontdoorId` - `rulesEngines` - `extendedProperties` - `backendPoolsSettings` - `backendPool.privateLinkAlias` - `backendPool.privateLinkLocation` - `backendPool.privateEndpointStatus` - `backendPool.privateLinkResourceId` - `backendPool.privateLinkApprovalMessage` - `routingRule.rulesEngine` - `routingRule.routeConfiguration.odataType` - `routingRule.routeConfiguration.cacheConfiguration.cacheDuration` - `routingRule.routeConfiguration.cacheConfiguration.queryParameters ` - `routingRule.webApplicationFirewallPolicyLink` Modified: - `routingRule.backendPool` to `routingRule.routeConfiguration.backendPool` - `routingRule.forwardingProtocol ` to `routingRule.routeConfiguration.forwardingProtocol` - `routingRule.customForwardingPath ` to `routingRule.routeConfiguration.customForwardingPath` - `routingRule.cacheConfiguration.dynamicCompression ` to `routingRule.routeConfiguration.cacheConfiguration. dynamicCompression` - `routingRule.cacheConfiguration.queryParameterStripDirective ` to `routingRule.routeConfiguration.cacheConfiguration. queryParameterStripDirective` _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-datafactory v5.7.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Data Factory resources in Guardrails

Fri, 27 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Data Factory resources in Guardrails. _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-aks v5.7.0 - Controls and Actions now use latest Azure SDK versions to discover and manage AKS resources in Guardrails

Fri, 27 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage AKS resources in Guardrails. Added: - `networkProfile.podCidrs` - `networkProfile.ipFamilies` - `networkProfile.outboundType` - `networkProfile.serviceCidrs` - `networkProfile.networkPolicy` - `networkProfile.loadBalancerProfile.backendPoolType` - `networkProfile.loadBalancerProfile.countIPv6` - `networkProfile.loadBalancerProfile.idleTimeoutInMinutes` - `networkProfile.loadBalancerProfile.allocatedOutboundPorts` - `agentPoolProfiles.mode` - `agentPoolProfiles.osSKU` - `agentPoolProfiles.enableFips` - `agentPoolProfiles.osDiskType` - `agentPoolProfiles.spotMaxPrice` - `agentPoolProfiles.scaleDownMode` - `agentPoolProfiles.enableUltraSSD` - `agentPoolProfiles.kubeletDiskType` - `agentPoolProfiles.upgradeSettings.maxSurge` - `agentPoolProfiles.nodeImageVersion` - `agentPoolProfiles.enableEncryptionAtHost` - `agentPoolProfiles.currentOrchestratorVersion` _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-signalr v5.2.0 - Controls and Actions now use latest Azure SDK versions to discover and manage SignalR resources in Guardrails

Thu, 26 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage SignalR resources in Guardrails. Added: - `hostNamePrefix` - `serverless. connectionTimeoutInSeconds` _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-servicebus v5.2.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Service Bus resources in Guardrails

Thu, 26 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Service Bus resources in Guardrails. Added: Azure > Service Bus > Namespace - `disableLocalAuth` - `status` - `zoneRedundant` Azure > Service Bus > Queue - `maxMessageSizeInKilobytes` Azure > Service Bus > Topic - `maxMessageSizeInKilobytes` _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-relay v5.2.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Relay resources in Guardrails

Thu, 26 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Relay resources in Guardrails. _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-recoveryservice v5.6.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Recovery Service resources in Guardrails

Thu, 26 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Recovery Service resources in Guardrails. Added: Azure > Recovery Service > Vault - `properties.backupStorageVersion` - `properties.bcdrSecurityLevel` - `properties.publicNetworkAccess` - `properties.restoreSettings` - `properties.secureScore` - `properties.securitySettings` _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

aws-robomaker v5.4.1 - CMDB policies for various resource types will now default to Skip

Thu, 26 Sep 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > RoboMaker > Robot Application > CMDB`, `AWS > RoboMaker > Fleet > CMDB` and `AWS > RoboMaker > Robot > CMDB` policies will now be set to `Skip` by default because the resource types have been deprecated and will be removed in the next major version. Please check [end of support](https://docs.aws.amazon.com/robomaker/latest/dg/chapter-support-policy.html) for more information.

aws-ecs v5.7.0 - Track and manage Fargate FIPS Mode for Gov cloud accounts via Guardrails

Thu, 26 Sep 2024 09:00:00 GMT

_What's new?_ - Track and manage Fargate FIPS Mode for Gov cloud accounts via Guardrails. To get started, set the `AWS > ECS > Account Settings > Fargate FIPS Mode` policy. - The `Approved > Usage` policy for resource types will now default to `Approved` instead of `Approved if AWS > {service} > Enabled`. _Resource Types_ - AWS > ECS > Account Settings _Control Types_ - AWS > ECS > Account Settings > CMDB - AWS > ECS > Account Settings > Discovery - AWS > ECS > Account Settings > Fargate FIPS Mode _Policy Types_ - AWS > ECS > Account Settings > CMDB - AWS > ECS > Account Settings > Fargate FIPS Mode - AWS > ECS > Account Settings > Regions _Action Types_ - AWS > ECS > Account Settings > Router - AWS > ECS > Account Settings > Update Fargate FIPS Mode

Turbot Guardrails Enterprise (TE) v5.47.0 - Introduced support for multi-architecture images, now compatible with both ARM64 and x86_64

Wed, 25 Sep 2024 09:00:00 GMT

_What's new?_ - Server - Introduced support for multi-architecture images, now compatible with both ARM64 and x86_64. - Added a default resource query to the context of calculated policies. - Updated several node packages to newer versions for improved functionality and security. - Updated Lambda to support recursive loops. - UI - Now you can use the `+` sign to grant permissions in the context of both the identity and resource. - Updated several node packages to newer versions for improved functionality and security. _Bug fixes_ - Server - Azure Credential Resolver now respects proxy settings, adding full proxy support. - UI - Updated policy pack Terraform to correctly reference turbot_policy_pack. - Adjusted the Admin page layout for improved usability. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Terraform Provider v1.11.2 - `terraform apply` failed to detect existing Policy Pack attachments

Fri, 20 Sep 2024 09:00:00 GMT

_Bug fixes_ * `resource/turbot_policy_pack_attachment`: `terraform apply` failed to detect existing Policy Pack attachments. ([#181](https://github.com/turbot/terraform-provider-turbot/issues/181))

azure-applicationinsights v5.8.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Application Insights resources in Guardrails

Fri, 20 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Application Insights resources in Guardrails. This release includes changes in the CMDB data as below. Added: - `flowType` - `requestSource` _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

azure-applicationgateway v5.8.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Application Gateway resources in Guardrails

Fri, 20 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Application Gateway resources in Guardrails. _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

aws-support v5.0.0 is now available

Fri, 20 Sep 2024 09:00:00 GMT

_Resource Types_ - AWS > Support _Policy Types_ - AWS > Support > API Enabled - AWS > Support > Enabled - AWS > Support > Permissions - AWS > Support > Permissions > Levels - AWS > Support > Permissions > Levels > Modifiers - AWS > Support > Permissions > Lockdown - AWS > Support > Permissions > Lockdown > API Boundary - AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-support - AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-support - AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-support

aws-iam v5.37.0 - Users can now manage whether `AWS/User` should grant include `support:*` permissions

Fri, 20 Sep 2024 09:00:00 GMT

_What's new?_ - Users can now manage whether `AWS/User` grant should include `support:*` permissions. To get started, set the `AWS > Account > Permissions > Support Level` policy. _Policy Types_ - AWS > Account > Permissions > Support Level _Bug fixes_ - The `AWS > Turbot > IAM` stack control did not correctly evaluate user memberships in custom IAM groups when the `AWS > Turbot > Permissions > Custom Group Levels [Account]` policy was set, and users were granted permissions for those custom IAM groups. This issue has now been fixed.

aws-ec2 v5.42.1 - Volume CMDB control sometimes ran unnecessarily due to a bad internal GraphQL dependency

Fri, 20 Sep 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > EC2 > Volume > CMDB` control would sometimes run unnecessarily due to a bad internal GraphQL dependency. This is now fixed.

kubernetes v5.1.2 - Cluster CMDB control will now not depend on the CMDB > Expiration policy

Tue, 17 Sep 2024 09:00:00 GMT

_Bug fixes_ - A precheck dependency on the `Kubernetes > Cluster > CMDB > Expiration` policy was inadvertently added to the `Kubernetes > Cluster > CMDB` control. This precheck condition has now been removed.

gcp-vertexai v5.0.0 is now available

Tue, 17 Sep 2024 09:00:00 GMT

_Resource Types_ - GCP > Vertex AI - GCP > Vertex AI > Endpoint - GCP > Vertex AI > Notebook Runtime Template _Control Types_ - GCP > Vertex AI > API Enabled - GCP > Vertex AI > CMDB - GCP > Vertex AI > Discovery - GCP > Vertex AI > Endpoint > Active - GCP > Vertex AI > Endpoint > Approved - GCP > Vertex AI > Endpoint > CMDB - GCP > Vertex AI > Endpoint > Discovery - GCP > Vertex AI > Endpoint > Labels - GCP > Vertex AI > Endpoint > Usage - GCP > Vertex AI > Notebook Runtime Template > Active - GCP > Vertex AI > Notebook Runtime Template > Approved - GCP > Vertex AI > Notebook Runtime Template > CMDB - GCP > Vertex AI > Notebook Runtime Template > Discovery - GCP > Vertex AI > Notebook Runtime Template > Router - GCP > Vertex AI > Notebook Runtime Template > Usage _Policy Types_ - GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-vertexai - GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-vertexai - GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-vertexai - GCP > Vertex AI > API Enabled - GCP > Vertex AI > Approved Regions [Default] - GCP > Vertex AI > CMDB - GCP > Vertex AI > Enabled - GCP > Vertex AI > Endpoint > Active - GCP > Vertex AI > Endpoint > Active > Age - GCP > Vertex AI > Endpoint > Active > Last Modified - GCP > Vertex AI > Endpoint > Approved - GCP > Vertex AI > Endpoint > Approved > Custom - GCP > Vertex AI > Endpoint > Approved > Regions - GCP > Vertex AI > Endpoint > Approved > Usage - GCP > Vertex AI > Endpoint > CMDB - GCP > Vertex AI > Endpoint > Labels - GCP > Vertex AI > Endpoint > Labels > Template - GCP > Vertex AI > Endpoint > Regions - GCP > Vertex AI > Endpoint > Usage - GCP > Vertex AI > Endpoint > Usage > Limit - GCP > Vertex AI > Labels Template [Default] - GCP > Vertex AI > Notebook Runtime Template > Active - GCP > Vertex AI > Notebook Runtime Template > Active > Age - GCP > Vertex AI > Notebook Runtime Template > Active > Last Modified - GCP > Vertex AI > Notebook Runtime Template > Approved - GCP > Vertex AI > Notebook Runtime Template > Approved > Custom - GCP > Vertex AI > Notebook Runtime Template > Approved > Regions - GCP > Vertex AI > Notebook Runtime Template > Approved > Usage - GCP > Vertex AI > Notebook Runtime Template > CMDB - GCP > Vertex AI > Notebook Runtime Template > Regions - GCP > Vertex AI > Notebook Runtime Template > Usage - GCP > Vertex AI > Notebook Runtime Template > Usage > Limit - GCP > Vertex AI > Permissions - GCP > Vertex AI > Permissions > Levels - GCP > Vertex AI > Permissions > Levels > Modifiers - GCP > Vertex AI > Regions _Action Types_ - GCP > Vertex AI > Endpoint > Delete - GCP > Vertex AI > Endpoint > Router - GCP > Vertex AI > Endpoint > Set Labels - GCP > Vertex AI > Notebook Runtime Template > Delete - GCP > Vertex AI > Set API Enabled

gcp v5.26.0 - Added support to process real-time enable and disable events for Vertex AI API

Tue, 17 Sep 2024 09:00:00 GMT

_What's new?_ - Added support to process real-time enable and disable events for Vertex AI API via Service Usage APIs.

gcp-kubernetesengine v5.6.1 - CMDB control for the service resource type will no longer depend on the API Enabled policy being set to `Enforce: Enabled`

Mon, 16 Sep 2024 09:00:00 GMT

_Bug fixes_ - The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to `Enforce: Enabled` for the service.

azure-searchmanagement v5.8.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Search Management resources in Guardrails

Mon, 16 Sep 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Search Management resources in Guardrails. Added: - `authOptions` - `disableLocalAuth` - `encryptionWithCmk` - `networkRuleSet` - `privateEndpointConnections` - `publicNetworkAccess` - `semanticSearch` - `sharedPrivateLinkResources` _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

gcp-storage v5.11.3 - Added Quick Actions for setting Fine-grained and Uniform access controls for buckets

Fri, 13 Sep 2024 09:00:00 GMT

_What's new?_ _Action Types_ - GCP > Storage > Bucket > Set Fine-grained Access Control - GCP > Storage > Bucket > Set Uniform Access Control

gcp-sql v5.10.1 - CMDB control for the service resource type will no longer depend on the API Enabled policy being set to `Enforce: Enabled`

Fri, 13 Sep 2024 09:00:00 GMT

_What's new?_ - The `Approved > Usage` policy for resource types will now default to `Approved` instead of `Approved if AWS > {service} > Enabled`. _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful. - Fixed incorrect references to various Quick Actions. _Action Types_ - AWS > SWF > Domain > Delete from AWS

Fri, 23 Aug 2024 09:00:00 GMT

_What's new?_ - You can now configure parameter groups for DB clusters. To get started, set the `AWS > RDS > DB Cluster > Parameter Group > *` policies. _Control Types_ - AWS > RDS > DB Cluster > Parameter Group _Policy Types_ - AWS > RDS > DB Cluster > Parameter Group - AWS > RDS > DB Cluster > Parameter Group > Name _Action Types_ - AWS > RDS > DB Cluster > Update Parameter Group _Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

Tue, 13 Aug 2024 09:00:00 GMT

## 5.0.0 (2024-08-13) _Resource Types_ - Azure > Managed Identity - Azure > Managed Identity > User Assigned Identity _Control Types_ - Azure > Managed Identity > User Assigned Identity > Active - Azure > Managed Identity > User Assigned Identity > Approved - Azure > Managed Identity > User Assigned Identity > CMDB - Azure > Managed Identity > User Assigned Identity > Discovery - Azure > Managed Identity > User Assigned Identity > Tags _Policy Types_ - Azure > Managed Identity > Approved Regions [Default] - Azure > Managed Identity > Enabled - Azure > Managed Identity > Permissions - Azure > Managed Identity > Permissions > Levels - Azure > Managed Identity > Permissions > Levels > Modifiers - Azure > Managed Identity > Regions - Azure > Managed Identity > Tags Template [Default] - Azure > Managed Identity > User Assigned Identity > Active - Azure > Managed Identity > User Assigned Identity > Active > Age - Azure > Managed Identity > User Assigned Identity > Active > Last Modified - Azure > Managed Identity > User Assigned Identity > Approved - Azure > Managed Identity > User Assigned Identity > Approved > Custom - Azure > Managed Identity > User Assigned Identity > Approved > Regions - Azure > Managed Identity > User Assigned Identity > Approved > Usage - Azure > Managed Identity > User Assigned Identity > CMDB - Azure > Managed Identity > User Assigned Identity > Regions - Azure > Managed Identity > User Assigned Identity > Tags - Azure > Managed Identity > User Assigned Identity > Tags > Template - Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-managedidentity - Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-managedidentity _Action Types_ - Azure > Managed Identity > User Assigned Identity > Delete - Azure > Managed Identity > User Assigned Identity > Router - Azure > Managed Identity > User Assigned Identity > Set Tags

aws v5.30.3 - AWS > Turbot > Logging > Bucket control will now set AWS SSE encryption by default for buckets

Mon, 12 Aug 2024 09:00:00 GMT

_What's new?_ - The `AWS > Turbot > Logging > Bucket > Default Encryption` policy is now deprecated because all buckets are now encrypted by default in AWS. As a result, all buckets created and managed via the `AWS > Turbot > Logging > Bucket` stack control will now be encrypted by `AWS SSE` by default. We've also removed ACL settings for buckets and now apply bucket ownership controls instead via the stack control to align with the latest AWS recommendations. Please upgrade the `@turbot/aws-s3` mod to v5.26.0 for the stack control to work reliably as before. - Improved descriptions for various resource types to ensure they are clearer and more helpful. _Policy Types_ _Renamed_ - AWS > Turbot > Logging > Bucket > Default Encryption to AWS > Turbot > Logging > Bucket > Default Encryption [Deprecated]

aws-s3 v5.26.0 - Added support for aws_s3_bucket_ownership_controls Terraform resource for buckets

Mon, 12 Aug 2024 09:00:00 GMT

_What's new?_ - Added support for `aws_s3_bucket_ownership_controls` Terraform resource for buckets. - Improved descriptions for various resource types to ensure they are clearer and more helpful.

aws-robomaker v5.4.0 - Lambda runtimes now powered by Node 18

Fri, 09 Aug 2024 09:00:00 GMT

aws-config v5.9.0 - Configure Terraform version for the Configuration Recording stack control

Fri, 09 Aug 2024 09:00:00 GMT

_What's new?_ - Users can now configure the Terraform version for the `AWS > Config > Configuration Recording` stack control. To get started, set the `AWS > Config > Configuration Recording > Terraform Version` policy. We recommend using versions 0.11, 0.12, or 0.15 for this control to create and manage resources effectively and reliably. _Policy Types_ - AWS > Config > Configuration Recording > Terraform Version

gcp v5.25.0 - Create and manage labels for topics created via the GCP > Turbot > Event Handlers > Pub/Sub control

Thu, 08 Aug 2024 09:00:00 GMT

_What's new?_ - Users can now create and manage labels on Pub/Sub topics created via the `GCP > Turbot > Event Handlers > Pub/Sub` control. To get started, set the `GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels` policy. _Policy Types_ - GCP > Turbot > Event Handlers > Pub/Sub > Subscription > Labels > Ignore Changes - GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels - GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels > Ignore Changes

aws-vpc-security v5.10.1 - Guardrails failed to cleanup deleted security group rules via the real-time `ec2:RevokeSecurityGroupEgress` and `ec2:RevokeSecurityGroupIngress` events

Wed, 07 Aug 2024 09:00:00 GMT

_Bug fixes_ - Guardrails failed to cleanup deleted security group rules via the real-time `ec2:RevokeSecurityGroupEgress` and `ec2:RevokeSecurityGroupIngress` events. This issue is now fixed.

aws v5.30.2 - The Event Handlers control did not correctly raise the real-time `CreateTags` and `DeleteTags` events for VPC security group rules

Wed, 07 Aug 2024 09:00:00 GMT

aws-ec2 v5.41.3 - Guardrails will now process `ec2:CreateReplaceRootVolumeTask` real-time event for instances

Mon, 05 Aug 2024 09:00:00 GMT

_Bug fixes_ - Guardrails failed to process the real-time event `ec2:CreateReplaceRootVolumeTask` for instances. This is now fixed.

Turbot Guardrails Enterprise (TE) v5.45.4 - Performance enhancements and UI improvements

Fri, 02 Aug 2024 09:00:00 GMT

_What's new?_ - Server - Made notifications faster by improving the query, which enhances the performance of the resource activity tab. - UI - Fixed a bug where policy pack creation would fail if the AKA was not provided from the user interface. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

servicenow-azure v5.3.2 - Bug fixed - Configuration Item control for resource group will now process data correctly in ServiceNow

Fri, 02 Aug 2024 09:00:00 GMT

_Bug fixes_ - The `Azure > Resource Group > ServiceNow > Configuration Item` control would fail to fetch instance credentials internally and did not process the data correctly in ServiceNow. This issue has now been fixed.

servicenow-kubernetes v5.2.1 - Bug fixed - Import Set control will now convert JSON objects to correct format so that they are stored reliably and consistently in ServiceNow

Thu, 01 Aug 2024 09:00:00 GMT

_Bug fixes_ - The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

servicenow-gcp-storage v5.3.1 - Bug fixed - Import Set control will now convert JSON objects to correct format so that they are stored reliably and consistently in ServiceNow

Thu, 01 Aug 2024 09:00:00 GMT

servicenow-gcp-computeengine v5.2.1 - Bug fixed - Import Set control will now convert JSON objects to correct format so that they are stored reliably and consistently in ServiceNow

Thu, 01 Aug 2024 09:00:00 GMT

servicenow-gcp v5.3.0 - Added Project > ServiceNow > Import Set control and policies

Thu, 01 Aug 2024 09:00:00 GMT

Wed, 31 Jul 2024 09:00:00 GMT

_What's new?_ - Added support for Postgres versions 15.6 and 15.7.

azure v5.20.0 - Updated internal dependencies to use the latest Azure SDK versions to poll events from Azure Monitor and process them in Guardrails

Wed, 31 Jul 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to poll events from Azure Monitor and process them in Guardrails. You won't notice any difference, and things will continue to work smoothly as before.

aws-dynamodb v5.11.0 - `AWS/DynamoDB/Admin`, `AWS/DynamoDB/Metadata` and `AWS/DynamoDB/Operator` now include permissions for Resource Policy, Imports, Time to Live and Global Table Version

Wed, 31 Jul 2024 09:00:00 GMT

_What's new?_ - `AWS/DynamoDB/Admin`, `AWS/DynamoDB/Metadata` and `AWS/DynamoDB/Operator` now include permissions for Resource Policy, Imports, Time to Live and Global Table Version.

servicenow-azure-network v5.3.0 - Added Network Security Group > ServiceNow > Import Set control and policies

Tue, 30 Jul 2024 09:00:00 GMT

_What's new?_ _Control Types_ - Azure > Network > Network Security Group > ServiceNow > Import Set _Policy Types_ - Azure > Network > Network Security Group > ServiceNow > Import Set - Azure > Network > Network Security Group > ServiceNow > Import Set > Archive Columns - Azure > Network > Network Security Group > ServiceNow > Import Set > Record - Azure > Network > Network Security Group > ServiceNow > Import Set > Table Name

servicenow-azure v5.3.0 - Added Subscription > ServiceNow > Import Set control and policies

Tue, 30 Jul 2024 09:00:00 GMT

_What's new?_ _Control Types_ - Azure > Subscription > ServiceNow > Import Set _Policy Types_ - Azure > Subscription > ServiceNow > Import Set - Azure > Subscription > ServiceNow > Import Set > Archive Columns - Azure > Subscription > ServiceNow > Import Set > Record - Azure > Subscription > ServiceNow > Import Set > Table Name

azure-storage v5.19.0 - Enable Encryption at Rest and table logging for storage accounts

Tue, 30 Jul 2024 09:00:00 GMT

_What's new?_ - Users can now enable/disable `Table logging` for `Storage Accounts` via `Azure > Storage > Storage Account > Table > Logging` control. To get started, set the `Azure > Storage > Storage Account > Table > Logging` policy. _Control Types_ - Azure > Storage > Storage Account > Encryption at Rest - Azure > Storage > Storage Account > Table - Azure > Storage > Storage Account > Table > Logging _Policy Types_ - Azure > Storage > Storage Account > Encryption at Rest - Azure > Storage > Storage Account > Encryption at Rest > Customer Managed Key - Azure > Storage > Storage Account > Table - Azure > Storage > Storage Account > Table > Logging - Azure > Storage > Storage Account > Table > Logging > Properties - Azure > Storage > Storage Account > Table > Logging > Retention Days _Action Types_ - Azure > Storage > Storage Account > Update Encryption at Rest - Azure > Storage > Storage Account > Update Storage Account Table Logging - The Storage Account CMDB data will now also include information about the account's table service properties. - We've removed the dependency on `listKeys` permission for `Azure > Storage Account > Container > Discovery` to run its course to completion. This release includes breaking changes in the CMDB data for containers. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below. Renamed: `isImmutableStorageWithVersioningEnabled` to `isImmutableStorageWithVersioning.enabled` Removed: `preventEncryptionScopeOverride` _Bug fixes_ - The `Azure > Storage > Storage Account > CMDB` control would go into an error state while trying to fetch default Queue and Blob properties if Guardrails did not have permission to list the storage account keys. The control will now not attempt to fetch default Queue and Blob properties if Guardrails does not have the required access for `listKeys`, and will run its course to completion without going into an error state.

aws-s3 v5.25.1 - Bug fixed - Improved error message for the bucket CMDB control when it would go to error state due to insufficient permissions for the `headBucket` operation

Tue, 30 Jul 2024 09:00:00 GMT

_Bug fixes_ - Improved error message for the `AWS > S3 > Bucket > CMDB` control if it would go into an error state due to insufficient permissions for the `headBucket` operation.

Turbot Guardrails Enterprise (TE) v5.46.0 - Upgraded from Node.js 18 to Node.js 20

Mon, 29 Jul 2024 09:00:00 GMT

_What's new?_ - Server - Migrated from Node.js 18 to Node.js 20 for improved performance and security. - Updated the Mod Lambda architecture to ARM64 for better efficiency. - Added support for Node.js 20 in the Lambda runtime. _Bug fixes_ - Server - Resolved an issue where the next tick timestamp was not being set for large commands _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.45.3 - Resolved UI deletion issue for Policy Packs with latest Turbot Mod and TE 5.45.0

Mon, 29 Jul 2024 09:00:00 GMT

_Bug fixes_ - UI - Resolved deletion issue from UI for Policy Packs with latest Turbot Mod(5.45.0) and TE 5.45.0. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.45.2 - Minor internal improvements

Mon, 29 Jul 2024 09:00:00 GMT

_Bug fixes_ - Server - Minor internal improvements. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

servicenow-kubernetes v5.2.0 - Added support for new Kubernetes resource types

Fri, 26 Jul 2024 09:00:00 GMT

_What's new?_ _Control Types_ - Kubernetes > CronJob > ServiceNow - Kubernetes > CronJob > ServiceNow > Configuration Item - Kubernetes > CronJob > ServiceNow > Table - Kubernetes > DaemonSet > ServiceNow - Kubernetes > DaemonSet > ServiceNow > Configuration Item - Kubernetes > DaemonSet > ServiceNow > Table - Kubernetes > Ingress > ServiceNow - Kubernetes > Ingress > ServiceNow > Configuration Item - Kubernetes > Ingress > ServiceNow > Table - Kubernetes > Job > ServiceNow - Kubernetes > Job > ServiceNow > Configuration Item - Kubernetes > Job > ServiceNow > Table - Kubernetes > Persistent Volume > ServiceNow - Kubernetes > Persistent Volume > ServiceNow > Configuration Item - Kubernetes > Persistent Volume > ServiceNow > Table - Kubernetes > ReplicationController > ServiceNow - Kubernetes > ReplicationController > ServiceNow > Configuration Item - Kubernetes > ReplicationController > ServiceNow > Table - Kubernetes > StatefulSet > ServiceNow - Kubernetes > StatefulSet > ServiceNow > Configuration Item - Kubernetes > StatefulSet > ServiceNow > Table _Policy Types_ - Kubernetes > CronJob > ServiceNow - Kubernetes > CronJob > ServiceNow > Configuration Item - Kubernetes > CronJob > ServiceNow > Configuration Item > Record - Kubernetes > CronJob > ServiceNow > Configuration Item > Table Definition - Kubernetes > CronJob > ServiceNow > Table - Kubernetes > CronJob > ServiceNow > Table > Definition - Kubernetes > DaemonSet > ServiceNow - Kubernetes > DaemonSet > ServiceNow > Configuration Item - Kubernetes > DaemonSet > ServiceNow > Configuration Item > Record - Kubernetes > DaemonSet > ServiceNow > Configuration Item > Table Definition - Kubernetes > DaemonSet > ServiceNow > Table - Kubernetes > DaemonSet > ServiceNow > Table > Definition - Kubernetes > Ingress > ServiceNow - Kubernetes > Ingress > ServiceNow > Configuration Item - Kubernetes > Ingress > ServiceNow > Configuration Item > Record - Kubernetes > Ingress > ServiceNow > Configuration Item > Table Definition - Kubernetes > Ingress > ServiceNow > Table - Kubernetes > Ingress > ServiceNow > Table > Definition - Kubernetes > Job > ServiceNow - Kubernetes > Job > ServiceNow > Configuration Item - Kubernetes > Job > ServiceNow > Configuration Item > Record - Kubernetes > Job > ServiceNow > Configuration Item > Table Definition - Kubernetes > Job > ServiceNow > Table - Kubernetes > Job > ServiceNow > Table > Definition - Kubernetes > Persistent Volume > ServiceNow - Kubernetes > Persistent Volume > ServiceNow > Configuration Item - Kubernetes > Persistent Volume > ServiceNow > Configuration Item > Record - Kubernetes > Persistent Volume > ServiceNow > Configuration Item > Table Definition - Kubernetes > Persistent Volume > ServiceNow > Table - Kubernetes > Persistent Volume > ServiceNow > Table > Definition - Kubernetes > ReplicationController > ServiceNow - Kubernetes > ReplicationController > ServiceNow > Configuration Item - Kubernetes > ReplicationController > ServiceNow > Configuration Item > Record - Kubernetes > ReplicationController > ServiceNow > Configuration Item > Table Definition - Kubernetes > ReplicationController > ServiceNow > Table - Kubernetes > ReplicationController > ServiceNow > Table > Definition - Kubernetes > StatefulSet > ServiceNow - Kubernetes > StatefulSet > ServiceNow > Configuration Item - Kubernetes > StatefulSet > ServiceNow > Configuration Item > Record - Kubernetes > StatefulSet > ServiceNow > Configuration Item > Table Definition - Kubernetes > StatefulSet > ServiceNow > Table - Kubernetes > StatefulSet > ServiceNow > Table > Definition

kubernetes v5.1.0 - Added support for new Kubernetes resource types

Fri, 26 Jul 2024 09:00:00 GMT

_What's new?_ _Resource Types_ - Kubernetes > CronJob - Kubernetes > DaemonSet - Kubernetes > Ingress - Kubernetes > Job - Kubernetes > Persistent Volume - Kubernetes > ReplicationController - Kubernetes > StatefulSet _Control Types_ - Kubernetes > ConfigMap > Active - Kubernetes > CronJob > Active - Kubernetes > CronJob > Annotations - Kubernetes > CronJob > Approved - Kubernetes > CronJob > CMDB - Kubernetes > CronJob > Labels - Kubernetes > CronJob > Query - Kubernetes > DaemonSet > Active - Kubernetes > DaemonSet > Annotations - Kubernetes > DaemonSet > Approved - Kubernetes > DaemonSet > CMDB - Kubernetes > DaemonSet > Labels - Kubernetes > DaemonSet > Query - Kubernetes > Deployment > Active - Kubernetes > Ingress > Active - Kubernetes > Ingress > Annotations - Kubernetes > Ingress > Approved - Kubernetes > Ingress > CMDB - Kubernetes > Ingress > Labels - Kubernetes > Ingress > Query - Kubernetes > Job > Active - Kubernetes > Job > Annotations - Kubernetes > Job > Approved - Kubernetes > Job > CMDB - Kubernetes > Job > Labels - Kubernetes > Job > Query - Kubernetes > Namespace > Active - Kubernetes > Node > Active - Kubernetes > Persistent Volume > Active - Kubernetes > Persistent Volume > Annotations - Kubernetes > Persistent Volume > Approved - Kubernetes > Persistent Volume > CMDB - Kubernetes > Persistent Volume > Labels - Kubernetes > Persistent Volume > Query - Kubernetes > Pod > Active - Kubernetes > ReplicaSet > Active - Kubernetes > ReplicationController > Active - Kubernetes > ReplicationController > Annotations - Kubernetes > ReplicationController > Approved - Kubernetes > ReplicationController > CMDB - Kubernetes > ReplicationController > Labels - Kubernetes > ReplicationController > Query - Kubernetes > Service > Active - Kubernetes > StatefulSet > Active - Kubernetes > StatefulSet > Annotations - Kubernetes > StatefulSet > Approved - Kubernetes > StatefulSet > CMDB - Kubernetes > StatefulSet > Labels - Kubernetes > StatefulSet > Query _Policy Types_ - Kubernetes > Cluster > CMDB > Expiration - Kubernetes > Cluster > CMDB > Expiration > Expiration Days - Kubernetes > Cluster > osquery - Kubernetes > Cluster > osquery > Configuration - Kubernetes > ConfigMap > Active - Kubernetes > ConfigMap > Active > Age - Kubernetes > ConfigMap > Active > Last Modified - Kubernetes > CronJob > Active - Kubernetes > CronJob > Active > Age - Kubernetes > CronJob > Active > Last Modified - Kubernetes > CronJob > Annotations - Kubernetes > CronJob > Annotations > Template - Kubernetes > CronJob > Approved - Kubernetes > CronJob > Approved > Custom - Kubernetes > CronJob > CMDB - Kubernetes > CronJob > Labels - Kubernetes > CronJob > Labels > Template - Kubernetes > CronJob > osquery - Kubernetes > CronJob > osquery > Configuration - Kubernetes > CronJob > osquery > Configuration > Columns - Kubernetes > CronJob > osquery > Configuration > Interval - Kubernetes > CronJob > osquery > Configuration > Name - Kubernetes > DaemonSet > Active - Kubernetes > DaemonSet > Active > Age - Kubernetes > DaemonSet > Active > Last Modified - Kubernetes > DaemonSet > Annotations - Kubernetes > DaemonSet > Annotations > Template - Kubernetes > DaemonSet > Approved - Kubernetes > DaemonSet > Approved > Custom - Kubernetes > DaemonSet > CMDB - Kubernetes > DaemonSet > Labels - Kubernetes > DaemonSet > Labels > Template - Kubernetes > DaemonSet > osquery - Kubernetes > DaemonSet > osquery > Configuration - Kubernetes > DaemonSet > osquery > Configuration > Columns - Kubernetes > DaemonSet > osquery > Configuration > Interval - Kubernetes > DaemonSet > osquery > Configuration > Name - Kubernetes > Deployment > Active - Kubernetes > Deployment > Active > Age - Kubernetes > Deployment > Active > Last Modified - Kubernetes > Ingress > Active - Kubernetes > Ingress > Active > Age - Kubernetes > Ingress > Active > Last Modified - Kubernetes > Ingress > Annotations - Kubernetes > Ingress > Annotations > Template - Kubernetes > Ingress > Approved - Kubernetes > Ingress > Approved > Custom - Kubernetes > Ingress > CMDB - Kubernetes > Ingress > Labels - Kubernetes > Ingress > Labels > Template - Kubernetes > Ingress > osquery - Kubernetes > Ingress > osquery > Configuration - Kubernetes > Ingress > osquery > Configuration > Columns - Kubernetes > Ingress > osquery > Configuration > Interval - Kubernetes > Ingress > osquery > Configuration > Name - Kubernetes > Job > Active - Kubernetes > Job > Active > Age - Kubernetes > Job > Active > Last Modified - Kubernetes > Job > Annotations - Kubernetes > Job > Annotations > Template - Kubernetes > Job > Approved - Kubernetes > Job > Approved > Custom - Kubernetes > Job > CMDB - Kubernetes > Job > Labels - Kubernetes > Job > Labels > Template - Kubernetes > Job > osquery - Kubernetes > Job > osquery > Configuration - Kubernetes > Job > osquery > Configuration > Columns - Kubernetes > Job > osquery > Configuration > Interval - Kubernetes > Job > osquery > Configuration > Name - Kubernetes > Namespace > Active - Kubernetes > Namespace > Active > Age - Kubernetes > Namespace > Active > Last Modified - Kubernetes > Node > Active - Kubernetes > Node > Active > Age - Kubernetes > Node > Active > Last Modified - Kubernetes > Persistent Volume > Active - Kubernetes > Persistent Volume > Active > Age - Kubernetes > Persistent Volume > Active > Last Modified - Kubernetes > Persistent Volume > Annotations - Kubernetes > Persistent Volume > Annotations > Template - Kubernetes > Persistent Volume > Approved - Kubernetes > Persistent Volume > Approved > Custom - Kubernetes > Persistent Volume > CMDB - Kubernetes > Persistent Volume > Labels - Kubernetes > Persistent Volume > Labels > Template - Kubernetes > Persistent Volume > osquery - Kubernetes > Persistent Volume > osquery > Configuration - Kubernetes > Persistent Volume > osquery > Configuration > Columns - Kubernetes > Persistent Volume > osquery > Configuration > Interval - Kubernetes > Persistent Volume > osquery > Configuration > Name - Kubernetes > Pod > Active - Kubernetes > Pod > Active > Age - Kubernetes > Pod > Active > Last Modified - Kubernetes > ReplicaSet > Active - Kubernetes > ReplicaSet > Active > Age - Kubernetes > ReplicaSet > Active > Last Modified - Kubernetes > ReplicationController > Active - Kubernetes > ReplicationController > Active > Age - Kubernetes > ReplicationController > Active > Last Modified - Kubernetes > ReplicationController > Annotations - Kubernetes > ReplicationController > Annotations > Template - Kubernetes > ReplicationController > Approved - Kubernetes > ReplicationController > Approved > Custom - Kubernetes > ReplicationController > CMDB - Kubernetes > ReplicationController > Labels - Kubernetes > ReplicationController > Labels > Template - Kubernetes > ReplicationController > osquery - Kubernetes > ReplicationController > osquery > Configuration - Kubernetes > ReplicationController > osquery > Configuration > Columns - Kubernetes > ReplicationController > osquery > Configuration > Interval - Kubernetes > ReplicationController > osquery > Configuration > Name - Kubernetes > Service > Active - Kubernetes > Service > Active > Age - Kubernetes > Service > Active > Last Modified - Kubernetes > StatefulSet > Active - Kubernetes > StatefulSet > Active > Age - Kubernetes > StatefulSet > Active > Last Modified - Kubernetes > StatefulSet > Annotations - Kubernetes > StatefulSet > Annotations > Template - Kubernetes > StatefulSet > Approved - Kubernetes > StatefulSet > Approved > Custom - Kubernetes > StatefulSet > CMDB - Kubernetes > StatefulSet > Labels - Kubernetes > StatefulSet > Labels > Template - Kubernetes > StatefulSet > osquery - Kubernetes > StatefulSet > osquery > Configuration - Kubernetes > StatefulSet > osquery > Configuration > Columns - Kubernetes > StatefulSet > osquery > Configuration > Interval - Kubernetes > StatefulSet > osquery > Configuration > Name _Action Types_ - Kubernetes > Cluster > Router - Kubernetes > CronJob > Router - Kubernetes > DaemonSet > Router - Kubernetes > Ingress > Router - Kubernetes > Job > Router - Kubernetes > Persistent Volume > Router - Kubernetes > ReplicationController > Router - Kubernetes > StatefulSet > Router _Bug fixes_ - CMDB controls for various resources sometimes failed to process a large number of updates that occurred in quick succession via Cluster events. We’ve improved our GraphQL queries to handle such a load, and the controls will now be able to process such events more smoothly and reliably than before.

aws-s3 v5.25.0 - Ignore `headBucket` permission errors and allow the CMDB control to run its course to completion

Fri, 26 Jul 2024 09:00:00 GMT

_What's new?_ - The `AWS > S3 > Bucket > CMDB` control would go into an error state if Guardrails did not have permissions to call the `headBucket` operation on a bucket. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the `AWS > S3 > Bucket > CMDB` policy to `Enforce: Enabled but ignore permission errors`.

Turbot Guardrails Enterprise (TE) v5.45.1 - Minor internal improvements

Thu, 25 Jul 2024 09:00:00 GMT

_Bug fixes_ - Server - Minor internal improvements. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-appservice v5.11.2 - Bug fixed - Client Certificate Mode control for Web Apps did not handle the default `Ignore` setting correctly

Thu, 25 Jul 2024 09:00:00 GMT

_Bug fixes_ - In the previous version, we fixed an issue with the `Azure > App Service > Web App > Client Certificate Mode` control, ensuring that the Client Certificate Mode is set to `Require` correctly. However, we missed an edge case where the control wouldn’t enforce any mode other than the default setting of `Ignore`. We have now addressed all cases, and the control will work more reliably and consistently than before.

Turbot Guardrails Enterprise Foundation (TEF) v1.61.0 - Updated AWS Lambda function architecture to ARM64 for improved performance and cost efficiency

Mon, 22 Jul 2024 09:00:00 GMT

_What's new?_ - Updated AWS Lambda function architecture to ARM64 for improved performance and cost efficiency.

Turbot Guardrails Enterprise (TE) v5.45.0 - Cost optimizations with ARM64 Lambda functions and enhanced Redis memory management

Mon, 22 Jul 2024 09:00:00 GMT

_What's new?_ - Server - Improved memory optimization for Redis. - Updated all AWS Lambda functions in the TE environment to use ARM64 architecture for improved performance and cost efficiency. - Allow notifications rules to accept nunjucks for Email address. - Updated several node packages to newer versions for improved functionality and security. - UI - `Smart Folders` are now called `Policy Packs`. - Now you can add AKA while creating `Policy Packs` from UI. _Bug fixes_ - Server - Fixed an issue where controls remained in TBD state for accounts imported without an External ID. - UI - Removed the unsupported feature for rearranging `Policy Packs` from the UI. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

servicenow-kubernetes v5.1.1 - Import Set policies for various Kubernetes resources will no longer include the `Enforce: Sync` policy value

Mon, 22 Jul 2024 09:00:00 GMT

_Bug fixes_ - The Import Set policies for various Kubernetes resources will no longer include the `Enforce: Sync` policy value for integrating Import Sets in ServiceNow.

servicenow-gcp-storage v5.3.0 - Added Object > ServiceNow > Import Set controls and policies

Mon, 22 Jul 2024 09:00:00 GMT

_Control Types_ - GCP > Storage > Object > ServiceNow > Import Set _Policy Types_ - GCP > Storage > Object > ServiceNow > Import Set - GCP > Storage > Object > ServiceNow > Import Set > Archive Columns - GCP > Storage > Object > ServiceNow > Import Set > Record - GCP > Storage > Object > ServiceNow > Import Set > Table Name

servicenow-gcp-computeengine v5.2.0 - Added Import Set controls and policies for various Compute Engine resource types

Mon, 22 Jul 2024 09:00:00 GMT

_Control Types_ - GCP > Compute Engine > Disk > ServiceNow > Import Set - GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set - GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set - GCP > Compute Engine > Health Check > ServiceNow > Import Set - GCP > Compute Engine > Image > ServiceNow > Import Set - GCP > Compute Engine > Instance > ServiceNow > Import Set - GCP > Compute Engine > Instance Template > ServiceNow > Import Set - GCP > Compute Engine > Node Group > ServiceNow > Import Set - GCP > Compute Engine > Node template > ServiceNow > Import Set - GCP > Compute Engine > Project > ServiceNow > Import Set - GCP > Compute Engine > Region Disk > ServiceNow > Import Set - GCP > Compute Engine > Region Health Check > ServiceNow > Import Set - GCP > Compute Engine > Snapshot > ServiceNow > Import Set _Policy Types_ - GCP > Compute Engine > Disk > ServiceNow > Import Set - GCP > Compute Engine > Disk > ServiceNow > Import Set > Archive Columns - GCP > Compute Engine > Disk > ServiceNow > Import Set > Record - GCP > Compute Engine > Disk > ServiceNow > Import Set > Table Name - GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set - GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Archive Columns - GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Record - GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Table Name - GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set - GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Archive Columns - GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Record - GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Table Name - GCP > Compute Engine > Health Check > ServiceNow > Import Set - GCP > Compute Engine > Health Check > ServiceNow > Import Set > Archive Columns - GCP > Compute Engine > Health Check > ServiceNow > Import Set > Record - GCP > Compute Engine > Health Check > ServiceNow > Import Set > Table Name - GCP > Compute Engine > Image > ServiceNow > Import Set - GCP > Compute Engine > Image > ServiceNow > Import Set > Archive Columns - GCP > Compute Engine > Image > ServiceNow > Import Set > Record - GCP > Compute Engine > Image > ServiceNow > Import Set > Table Name - GCP > Compute Engine > Instance > ServiceNow > Import Set - GCP > Compute Engine > Instance > ServiceNow > Import Set > Archive Columns - GCP > Compute Engine > Instance > ServiceNow > Import Set > Record - GCP > Compute Engine > Instance > ServiceNow > Import Set > Table Name - GCP > Compute Engine > Instance Template > ServiceNow > Import Set - GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Archive Columns - GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Record - GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Table Name - GCP > Compute Engine > Node Group > ServiceNow > Import Set - GCP > Compute Engine > Node Group > ServiceNow > Import Set > Archive Columns - GCP > Compute Engine > Node Group > ServiceNow > Import Set > Record - GCP > Compute Engine > Node Group > ServiceNow > Import Set > Table Name - GCP > Compute Engine > Node template > ServiceNow > Import Set - GCP > Compute Engine > Node template > ServiceNow > Import Set > Archive Columns - GCP > Compute Engine > Node template > ServiceNow > Import Set > Record - GCP > Compute Engine > Node template > ServiceNow > Import Set > Table Name - GCP > Compute Engine > Project > ServiceNow > Import Set - GCP > Compute Engine > Project > ServiceNow > Import Set > Archive Columns - GCP > Compute Engine > Project > ServiceNow > Import Set > Record - GCP > Compute Engine > Project > ServiceNow > Import Set > Table Name - GCP > Compute Engine > Region Disk > ServiceNow > Import Set - GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Archive Columns - GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Record - GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Table Name - GCP > Compute Engine > Region Health Check > ServiceNow > Import Set - GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Archive Columns - GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Record - GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Table Name - GCP > Compute Engine > Snapshot > ServiceNow > Import Set - GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Archive Columns - GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Record - GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Table Name

servicenow-azure-storage v5.3.0 - Added Import Set controls and policies for various Storage resource types

Mon, 22 Jul 2024 09:00:00 GMT

_Control Types_ - Azure > Storage > Container > ServiceNow > Import Set - Azure > Storage > FileShare > ServiceNow > Import Set - Azure > Storage > Queue > ServiceNow > Import Set _Policy Types_ - Azure > Storage > Container > ServiceNow > Import Set - Azure > Storage > Container > ServiceNow > Import Set > Archive Columns - Azure > Storage > Container > ServiceNow > Import Set > Record - Azure > Storage > Container > ServiceNow > Import Set > Table Name - Azure > Storage > FileShare > ServiceNow > Import Set - Azure > Storage > FileShare > ServiceNow > Import Set > Archive Columns - Azure > Storage > FileShare > ServiceNow > Import Set > Record - Azure > Storage > FileShare > ServiceNow > Import Set > Table Name - Azure > Storage > Queue > ServiceNow > Import Set - Azure > Storage > Queue > ServiceNow > Import Set > Archive Columns - Azure > Storage > Queue > ServiceNow > Import Set > Record - Azure > Storage > Queue > ServiceNow > Import Set > Table Name

servicenow-azure-compute v5.1.0 - Added Import Set controls and policies for various Compute resource types

Mon, 22 Jul 2024 09:00:00 GMT

_Control Types_ - Azure > Compute > Availability Set > ServiceNow > Import Set - Azure > Compute > Disk > ServiceNow > Import Set - Azure > Compute > Disk Encryption Set > ServiceNow > Import Set - Azure > Compute > Image > ServiceNow > Import Set - Azure > Compute > Snapshot > ServiceNow > Import Set - Azure > Compute > Ssh Public Key > ServiceNow > Import Set - Azure > Compute > Virtual Machine > ServiceNow > Import Set - Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set _Policy Types_ - Azure > Compute > Availability Set > ServiceNow > Import Set - Azure > Compute > Availability Set > ServiceNow > Import Set > Archive Columns - Azure > Compute > Availability Set > ServiceNow > Import Set > Record - Azure > Compute > Availability Set > ServiceNow > Import Set > Table Name - Azure > Compute > Disk > ServiceNow > Import Set - Azure > Compute > Disk > ServiceNow > Import Set > Archive Columns - Azure > Compute > Disk > ServiceNow > Import Set > Record - Azure > Compute > Disk > ServiceNow > Import Set > Table Name - Azure > Compute > Disk Encryption Set > ServiceNow > Import Set - Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Archive Columns - Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Record - Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Table Name - Azure > Compute > Image > ServiceNow > Import Set - Azure > Compute > Image > ServiceNow > Import Set > Archive Columns - Azure > Compute > Image > ServiceNow > Import Set > Record - Azure > Compute > Image > ServiceNow > Import Set > Table Name - Azure > Compute > Snapshot > ServiceNow > Import Set - Azure > Compute > Snapshot > ServiceNow > Import Set > Archive Columns - Azure > Compute > Snapshot > ServiceNow > Import Set > Record - Azure > Compute > Snapshot > ServiceNow > Import Set > Table Name - Azure > Compute > Ssh Public Key > ServiceNow > Import Set - Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Archive Columns - Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Record - Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Table Name - Azure > Compute > Virtual Machine > ServiceNow > Import Set - Azure > Compute > Virtual Machine > ServiceNow > Import Set > Archive Columns - Azure > Compute > Virtual Machine > ServiceNow > Import Set > Record - Azure > Compute > Virtual Machine > ServiceNow > Import Set > Table Name - Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set - Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Archive Columns - Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Record - Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Table Name

servicenow-aws-s3 v5.1.0 - Added Bucket > ServiceNow > Import Set controls and policies

Mon, 22 Jul 2024 09:00:00 GMT

_Control Types_ - AWS > S3 > Bucket > ServiceNow > Import Set _Policy Types_ - AWS > S3 > Bucket > ServiceNow > Import Set - AWS > S3 > Bucket > ServiceNow > Import Set > Archive Columns - AWS > S3 > Bucket > ServiceNow > Import Set > Record - AWS > S3 > Bucket > ServiceNow > Import Set > Table Name

servicenow-aws v5.1.0 - Added support for archiving Import Sets in ServiceNow

Mon, 22 Jul 2024 09:00:00 GMT

_What's new?_ - Added support to archive Import Sets in ServiceNow.

azure-appservice v5.11.1 - Bug fixed - Client Certificate Mode control for Web Apps did not apply `Enforce: Require` settings correctly

Fri, 19 Jul 2024 09:00:00 GMT

_Bug fixes_ - The `Azure > App Service > Web App > Client Certificate Mode` control did not apply `Enforce: Require` settings correctly. This is now fixed.

gcp-monitoring v5.7.0 - Added support for `google_monitoring_alert_policy` and `google_monitoring_notification_channel` Terraform resources

Thu, 18 Jul 2024 09:00:00 GMT

_What's new?_ - Added support for `google_monitoring_alert_policy` and `google_monitoring_notification_channel` Terraform resources. _Control Types_ - GCP > Monitoring > Alert Policy > Configured - GCP > Monitoring > Notification Channel > Configured _Policy Types_ - GCP > Monitoring > Alert Policy > Configured - GCP > Monitoring > Alert Policy > Configured > Claim Precedence - GCP > Monitoring > Alert Policy > Configured > Source - GCP > Monitoring > Notification Channel > Configured - GCP > Monitoring > Notification Channel > Configured > Claim Precedence - GCP > Monitoring > Notification Channel > Configured > Source

gcp-logging v5.5.0 - Added support for `google_logging_metric` Terraform resource

Thu, 18 Jul 2024 09:00:00 GMT

_What's new?_ - Added support for `google_logging_metric` Terraform resource. _Control Types_ - GCP > Logging > Metric > Configured _Policy Types_ - GCP > Logging > Metric > Configured - GCP > Logging > Metric > Configured > Claim Precedence - GCP > Logging > Metric > Configured > Source

azure-storage v5.18.1 - Bug fixed - Queue logging control failed to set logging properties correctly

Thu, 18 Jul 2024 09:00:00 GMT

_Bug fixes_ - The `Azure > Storage > Storage Account > Queue > Logging` control failed to set queue logging properties correctly. This issue has been fixed, and the control will now function correctly as intended.

aws-iam v5.36.2 - Improved descriptions for various IAM Resource Types to ensure they are clearer and more helpful

Thu, 18 Jul 2024 09:00:00 GMT

_Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

aws-ec2 v5.41.2 - Improved descriptions for various EC2 Resource Types to ensure they are clearer and more helpful

Thu, 18 Jul 2024 09:00:00 GMT

_Bug fixes_ - Improved descriptions for various resource types to ensure they are clearer and more helpful.

gcp-computeengine v5.9.0 - Configure Shielded Instance Configuration for instances

Tue, 16 Jul 2024 09:00:00 GMT

_What's new?_ - Users can now configure Shielded Instance Configuration for instances. To get started, set `GCP > Compute > Instance > Shielded Instance Configuration > *` policies. _Control Types_ - GCP > Compute Engine > Instance > Shielded Instance Configuration _Policy Types_ - GCP > Compute Engine > Instance > Shielded Instance Configuration - GCP > Compute Engine > Instance > Shielded Instance Configuration > Integrity Monitoring - GCP > Compute Engine > Instance > Shielded Instance Configuration > Secure Boot - GCP > Compute Engine > Instance > Shielded Instance Configuration > vTPM _Action Types_ - GCP > Compute Engine > Instance > Set Shielded Instance Configuration

azure-cisv2-0 v5.1.0 - Added support for control 5.01.06 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics

Tue, 16 Jul 2024 09:00:00 GMT

_What's new?_ - The `Azure > CIS v2.0 > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)` control will also evaluate SQL databases for SKU Basic/Consumption. _Control Types_ - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.06 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics _Policy Types_ - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.06 - Ensure that Network Security Group flow logs are captured and sent to Log Analytics _Bug fixes_ - The `Azure > CIS v2.0 > 4 - Database Services > 01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key` control did not evaluate the result correctly, as expected. This is now fixed.

Terraform Provider v1.11.1 - Added documentation for `akas` attribute for `turbot_policy_pack` resource

Mon, 15 Jul 2024 09:00:00 GMT

_What's new?_ DOCUMENTATION: * `resource/turbot_policy_pack`: Added documentation for `akas` attribute for the resource. ([#179](https://github.com/turbot/terraform-provider-turbot/issues/179))

gcp-sql v5.10.0 - Configure Encryption In Transit for Instances

Mon, 15 Jul 2024 09:00:00 GMT

_What's new?_ - Users can now configure Encryption In Transit for instances. To get started, set the `GCP > SQL > Instance > Encryption In Transit` policy. _Control Types_ - GCP > SQL > Instance > Encryption In Transit _Policy Types_ - GCP > SQL > Instance > Encryption In Transit _Action Types_ - GCP > SQL > Instance > Update Encryption in Transit

gcp-cisv2-0 v5.1.0 - Added controls related to IAM API Keys in section 1 - Identity and Access Management

Mon, 15 Jul 2024 09:00:00 GMT

_What's new?_ _Control Types_ - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure API Keys Only Exist for Active Services - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure API Keys Are Restricted to Only APIs That Application Needs Access - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure API Keys Are Rotated Every 90 Days _Policy Types_ - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure API Keys Only Exist for Active Services - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure API Keys Are Restricted to Only APIs That Application Needs Access - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure API Keys Are Rotated Every 90 Days

azure-network v5.17.0 - Upgrade SKU from Basic to Standard for Public IP Addresses

Mon, 15 Jul 2024 09:00:00 GMT

_What's new?_ - Users can now upgrade the SKU from `Basic` to `Standard` for Public IP Addresss via `Azure > Network > Public IP Address > Standard SKU` control. To get started, set the `Azure > Network > Public IP Address > Standard SKU` policy. _Control Types_ - Azure > Network > Public IP Address > Standard SKU _Policy Types_ - Azure > Network > Public IP Address > Standard SKU - Azure > Network > Public IP Address > Standard SKU > SKU Tier _Action Types_ - Azure > Network > Public IP Address > Update SKU to Standard

azure-cosmosdb v5.6.0 - Configure Firewall and Virtual Network settings for Database Accounts

Mon, 15 Jul 2024 09:00:00 GMT

_What's new?_ - We've added guardrails to help secure access to your database accounts' public endpoints. All database accounts have public endpoints that are accessible through the internet by default. This access can be limited to specific IP ranges, virtual network subnets, and trusted Microsoft services by defining [firewall and virtual network rules](https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint). To get started configuring these rules through Guardrails, the following policies should set according to your desired firewall rules configuration: `Azure > Cosmos DB > Database Account > Firewall` - Configure default access rules for the public endpoint `Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved` - Remove unapproved IP ranges `Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required` - Grant access to specific IP ranges `Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved` - Remove unapproved virtual network subnets `Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required` - Grant access to specific virtual network subnets Please note that if the `Azure > Cosmos DB > Database Account > Firewall` policy is set to `Enforce: Allow only approved virtual networks and IP ranges`, only applications in the configured IP ranges, virtual network subnets, and trusted Microsoft services will be allowed to access the database accounts. If these boundaries are not properly configured beforehand or an application is outside of these boundaries, it will lose access to the database accounts. _Control Types_ - Azure > Cosmos DB > Database Account > Firewall - Azure > Cosmos DB > Database Account > Firewall > IP Ranges - Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved - Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required - Azure > Cosmos DB > Database Account > Firewall > Virtual Networks - Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved - Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required _Policy Types_ - Azure > Cosmos DB > Database Account > Firewall - Azure > Cosmos DB > Database Account > Firewall > IP Ranges - Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved - Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > CIDR Ranges - Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > Compiled Rules - Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > Rules - Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required - Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Compiled Items - Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Exceptions - Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Items - Azure > Cosmos DB > Database Account > Firewall > Virtual Networks - Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved - Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Compiled Rules - Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Rules - Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Subnets - Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required - Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required > Items _Action Types_ - Azure > Cosmos DB > Database Account > Update Firewall Default Access Rule - Azure > Cosmos DB > Database Account > Update Firewall IP Ranges - Azure > Cosmos DB > Database Account > Update Firewall Virtual Networks _Bug fixes_ - Various Discovery and CMDB controls entered an error state because they used outdated APIs that no longer functioned as expected. We have updated internal package dependencies, and those controls now operate smoothly as intended.

Turbot Guardrails Enterprise Foundation (TEF) v1.60.0 - Resolved an issue where an empty outbound_cidr_ranges SSM parameter caused a validation error

Fri, 12 Jul 2024 09:00:00 GMT

_Bug fixes_ - Resolved an issue where an empty outbound_cidr_ranges SSM parameter caused a validation error. Now, if the outbound_cidr_ranges parameter is empty, it will be set to None. _What's new?_ - Added M7i and M7i-flex instance type. - Updated the HealthCheckProxy lambda function to use python 3.10.

gcp v5.24.4 - Bug fixed - Project CMDB control would go into error if Access Transparency was disabled

Fri, 12 Jul 2024 09:00:00 GMT

_Bug fixes_ - The `GCP > Project > CMDB` control went into an error state while fetching Access Approval settings for the project if Access Transparency was disabled at the organization level. We have now handled such cases gracefully, and the control will fetch all available details without going into an error state.

gcp-sql v5.9.0 - Configure Authorized Networks and Database Flags for Instances

Fri, 12 Jul 2024 09:00:00 GMT

_What's new?_ - Users can now configure authorized networks for instances in Guardrails. To get started, set the `GCP > SQL > Instance > Authorized Network > *` policies. - Users can now configure Database Flags for instances in Guardrails. To get started, set the `GCP > SQL > Instance > Database Flags` policy. - Users can now clean up and stop tracking SQL resources in Guardrails. To get started, set the `GCP > SQL > CMDB` policy to `Enforce: Disabled`. _Control Types_ - GCP > SQL > Instance > Authorized Network - GCP > SQL > Instance > Authorized Network > Approved - GCP > SQL > Instance > Database Flags _Policy Types_ - GCP > SQL > Instance > Authorized Network - GCP > SQL > Instance > Authorized Network > Approved - GCP > SQL > Instance > Authorized Network > Approved > CIDR Ranges - GCP > SQL > Instance > Database Flags - GCP > SQL > Instance > Database Flags > MySQL - GCP > SQL > Instance > Database Flags > MySQL > Template - GCP > SQL > Instance > Database Flags > PostgreSQL - GCP > SQL > Instance > Database Flags > PostgreSQL > Template - GCP > SQL > Instance > Database Flags > SQL Server - GCP > SQL > Instance > Database Flags > SQL Server > Template _Action Types_ - GCP > SQL > Instance > Update Authorized Network - GCP > SQL > Instance > Update Database Flags

azure-storage v5.18.0 - Controls and Actions now use latest Azure SDK versions to discover and manage Storage resources in Guardrails

Fri, 12 Jul 2024 09:00:00 GMT

_What's new?_ - We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Storage resources in Guardrails. This release includes **breaking changes** in the CMDB data for storage accounts. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below. Renamed: - `serviceProperties.blob.DeleteRetentionPolicy` to `serviceProperties.blob.deleteRetentionPolicy` - `serviceProperties.blob.DeleteRetentionPolicy.Days` to `serviceProperties.blob.deleteRetentionPolicy.days` - `serviceProperties.blob.DeleteRetentionPolicy.Enabled` to `serviceProperties.blob.deleteRetentionPolicy.enabled` - `serviceProperties.blob.StaticWebsite` to `serviceProperties.blob.staticWebsite` - `serviceProperties.blob.StaticWebsite.Enabled` to `serviceProperties.blob.staticWebsite.enabled` - `serviceProperties.blob.logging` to `serviceProperties.blob.blobAnalyticsLogging` - `serviceProperties.queue.logging` to `serviceProperties.queue.queueAnalyticsLogging` Added: - `serviceProperties.blob.deleteRetentionPolicy.AllowPermanentDelete` Modified: - The data type of the attribute `serviceProperties.blob.cors` has been changed from string (`""`) to array (`[]`). - The data type of the attribute `serviceProperties.queue.cors` has been changed from string (`""`) to array (`[]`). - Users can now enable/disable `Blob logging` for storage accounts. To get started, set the `Azure > Storage > Storage Account > Blob > Logging > *` policies. - Users can now check if storage accounts are approved for use based on Infrastructure Encryption settings. To get started, set the `Azure > Storage > Storage Account > Approved > Infrastructure Encryption` policy. _Control Types_ - Azure > Storage > Storage Account > Blob - Azure > Storage > Storage Account > Blob > Logging _Renamed_ - Azure > Storage > Storage Account > Public Access to Azure > Storage > Storage Account > Blob Public Access _Policy Types_ - Azure > Storage > Storage Account > Approved > Infrastructure Encryption - Azure > Storage > Storage Account > Blob - Azure > Storage > Storage Account > Blob > Logging - Azure > Storage > Storage Account > Blob > Logging > Properties - Azure > Storage > Storage Account > Blob > Logging > Retention Days _Renamed_ - Azure > Storage > Storage Account > Public Access to Azure > Storage > Storage Account > Blob Public Access _Action Types_ - Azure > Storage > Storage Account > Update Storage Account Blob Logging _Renamed_ - Azure > Storage > Storage Account > Set Public Access to Azure > Storage > Storage Account > Set Blob Public Access

azure-appservice v5.11.0 - Configure Client Certificate Mode for Web Apps

Fri, 12 Jul 2024 09:00:00 GMT

_What's new?_ - Users can now configure Client Certificate Mode for web apps. To get started, set the `Azure > App Service > Web App > Client Certificate Mode` policy. _Control Types_ - Azure > App Service > Web App > Client Certificate Mode _Policy Types_ - Azure > App Service > Web App > Client Certificate Mode _Action Types_ - Azure > App Service > Web App > Set Client Certificate Mode

Terraform Provider v1.11.0 - Added `turbot_policy_pack` and `turbot_policy_pack_attachment` resources

Thu, 11 Jul 2024 09:00:00 GMT

_What's new?_ FEATURES: * **New Resource:** `turbot_policy_pack` ([#171](https://github.com/turbot/terraform-provider-turbot/issues/171)) * **New Resource:** `turbot_policy_pack_attachment` ([#173](https://github.com/turbot/terraform-provider-turbot/issues/173)) ENHANCEMENTS: * `resource/turbot_smart_folder`: The `parent` argument is now optional and defaults to `tmod:@turbot/turbot#/`. ([#177](https://github.com/turbot/terraform-provider-turbot/issues/177))

gcp-iam v5.15.0 - Track and manage IAM API Keys in Guardrails

Thu, 11 Jul 2024 09:00:00 GMT

_What's new?_ _Resource Types_ - GCP > IAM > API Key _Control Types_ - GCP > IAM > API Key > Active - GCP > IAM > API Key > Approved - GCP > IAM > API Key > CMDB - GCP > IAM > API Key > Discovery - GCP > IAM > API Key > Usage _Policy Types_ - GCP > IAM > API Key > Active - GCP > IAM > API Key > Active > Age - GCP > IAM > API Key > Active > Last Modified - GCP > IAM > API Key > Approved - GCP > IAM > API Key > Approved > Custom - GCP > IAM > API Key > Approved > Usage - GCP > IAM > API Key > CMDB - GCP > IAM > API Key > Usage - GCP > IAM > API Key > Usage > Limit _Action Types_ - GCP > IAM > API Key > Delete - GCP > IAM > API Key > Router

gcp-bigquery v5.7.0 - Configure Encryption at Rest for Datasets

Thu, 11 Jul 2024 09:00:00 GMT

_What's new?_ - You can now configure Encryption at Rest for datasets. To get started, set the `GCP > BigQuery > Dataset > Encryption at Rest > *` policies. _Control Types_ - GCP > BigQuery > Dataset > Encryption at Rest _Policy Types_ - GCP > BigQuery > Dataset > Encryption at Rest - GCP > BigQuery > Dataset > Encryption at Rest > Customer Managed Key _Action Types_ - GCP > BigQuery > Dataset > Update Encryption At Rest

servicenow-kubernetes v5.1.0 - Added ServiceNow > Import Set controls and policies for various resource types

Tue, 09 Jul 2024 09:00:00 GMT

_What's new?_ _Control Types_ - Kubernetes > Cluster > ServiceNow > Import Set - Kubernetes > ConfigMap > ServiceNow > Import Set - Kubernetes > Deployment > ServiceNow > Import Set - Kubernetes > Namespace > ServiceNow > Import Set - Kubernetes > Node > ServiceNow > Import Set - Kubernetes > Pod > ServiceNow > Import Set - Kubernetes > ReplicaSet > ServiceNow > Import Set - Kubernetes > Service > ServiceNow > Import Set _Policy Types_ - Kubernetes > Cluster > ServiceNow > Import Set - Kubernetes > Cluster > ServiceNow > Import Set > Archive Columns - Kubernetes > Cluster > ServiceNow > Import Set > Record - Kubernetes > Cluster > ServiceNow > Import Set > Table Name - Kubernetes > ConfigMap > ServiceNow > Import Set - Kubernetes > ConfigMap > ServiceNow > Import Set > Archive Columns - Kubernetes > ConfigMap > ServiceNow > Import Set > Record - Kubernetes > ConfigMap > ServiceNow > Import Set > Table Name - Kubernetes > Deployment > ServiceNow > Import Set - Kubernetes > Deployment > ServiceNow > Import Set > Archive Columns - Kubernetes > Deployment > ServiceNow > Import Set > Record - Kubernetes > Deployment > ServiceNow > Import Set > Table Name - Kubernetes > Namespace > ServiceNow > Import Set - Kubernetes > Namespace > ServiceNow > Import Set > Archive Columns - Kubernetes > Namespace > ServiceNow > Import Set > Record - Kubernetes > Namespace > ServiceNow > Import Set > Table Name - Kubernetes > Node > ServiceNow > Import Set - Kubernetes > Node > ServiceNow > Import Set > Archive Columns - Kubernetes > Node > ServiceNow > Import Set > Record - Kubernetes > Node > ServiceNow > Import Set > Table Name - Kubernetes > Pod > ServiceNow > Import Set - Kubernetes > Pod > ServiceNow > Import Set > Archive Columns - Kubernetes > Pod > ServiceNow > Import Set > Record - Kubernetes > Pod > ServiceNow > Import Set > Table Name - Kubernetes > ReplicaSet > ServiceNow > Import Set - Kubernetes > ReplicaSet > ServiceNow > Import Set > Archive Columns - Kubernetes > ReplicaSet > ServiceNow > Import Set > Record - Kubernetes > ReplicaSet > ServiceNow > Import Set > Table Name - Kubernetes > Service > ServiceNow > Import Set - Kubernetes > Service > ServiceNow > Import Set > Archive Columns - Kubernetes > Service > ServiceNow > Import Set > Record - Kubernetes > Service > ServiceNow > Import Set > Table Name

aws-ec2 v5.41.1 - Bug fixed - Guardrails failed to process real-time snapshot events if the Snapshot CMDB policy was set to `Enforce: Enabled for Snapshots not created with AWS Backup`

Tue, 09 Jul 2024 09:00:00 GMT

_Bug fixes_ - Guardrails failed to process real-time snapshot events if the `AWS > EC2 > Snapshot > CMDB` policy was set to `Enforce: Enabled for Snapshots not created with AWS Backup`. This issue has now been fixed.

gcp-dns v5.8.0 - Configure DNSSEC for managed zones and logging for DNS policies

Mon, 08 Jul 2024 09:00:00 GMT

_What's new?_ - Users can now configure DNSSEC for managed zones via Guardrails. To get started, set the`GCP > DNS > Managed Zone > DNSSEC Configuration` policy. - Users can now configure logging for DNS policies. To get started, set the `GCP > DNS > Policy > Logging` policy. _Control Types_ - GCP > DNS > Managed Zone > DNSSEC Configuration - GCP > DNS > Policy > Logging _Policy Types_ - GCP > DNS > Managed Zone > DNSSEC Configuration - GCP > DNS > Policy > Logging _Action Types_ - GCP > DNS > Managed Zone > Update DNSSEC Configuration - GCP > DNS > Policy > Update Logging

azure-network v5.16.4 - Bug fixed - Discovery controls for various resource types would go into an error state without discovering resources and upserting them in Guardrails CMDB

Mon, 08 Jul 2024 09:00:00 GMT

_Bug fixes_ - Discovery controls for various resource types would go into an error state without discovering resources and upserting them in Guardrails CMDB due to a bad internal build. This issue has been fixed, and those controls will now work correctly as expected.

azure-compute v5.17.0 - Configure Trusted Launch for second generation virtual machines

Mon, 08 Jul 2024 09:00:00 GMT

_What's new?_ - Users can now enable/disable Trusted Launch for all second generation virtual machines. To get started, set the `Azure > Compute > Virtual Machine > Trusted launch` policy. - You can now configure Encryption at Rest for Disks. To get started, set the `Azure > Compute > Disk > Encryption at Rest > *` policies. _Control Types_ - Azure > Compute > Disk > Encryption at Rest - Azure > Compute > Virtual Machine > Trusted Launch _Policy Types_ - Azure > Compute > Disk > Encryption at Rest - Azure > Compute > Disk > Encryption at Rest > Disk Encryption Set - Azure > Compute > Virtual Machine > Trusted launch _Action Types_ - Azure > Compute > Disk > Update Encryption at Rest - Azure > Compute > Virtual Machine > Update Trusted Luanch

azure-appservice v5.10.0 - Register web apps with Entra ID to connect to other Azure services securely

Mon, 08 Jul 2024 09:00:00 GMT

_What's new?_ - User can now register web apps with Entra ID to connect to other Azure services securely without the need for usernames and passwords. To get started, set the `Azure > App Service > Web App > System Assigned Identity` policy. - Diagnostic Settings details will now also be available for Web Apps in Guardrails CMDB. _Control Types_ - Azure > App Service > Web App > System Assigned Identity _Policy Types_ - Azure > App Service > Web App > System Assigned Identity _Action Types_ - Azure > App Service > Web App > Set System Assigned Identity _Bug fixes_ - The `Azure > App Service > Web App > FTPS State` control failed to set the FTPS State correctly for web apps. This issue is now fixed.

gcp-bigquery v5.6.0 - Added support for Approved > Custom policy for Datasets

Fri, 05 Jul 2024 09:00:00 GMT

_What's new?_ _Policy Types_ - GCP > BigQuery > Dataset > Approved > Custom

azure-networkwatcher v5.9.0 - Configure retention policy for flow logs

Fri, 05 Jul 2024 09:00:00 GMT

_What's new?_ - Users can now configure retention policy for flow logs. To get started, set the `Azure > Network Watcher > Flow Log > Retention Policy > *` policies. _Control Types_ - Azure > Network Watcher > Flow Log > Retention Policy _Policy Types_ - Azure > Network Watcher > Flow Log > Retention Policy - Azure > Network Watcher > Flow Log > Retention Policy > Days _Action Types_ - Azure > Network Watcher > Flow Log > Update Retention Policy

azure-activedirectory v5.6.0 - Directory CMDB data will now also include named locations and authorization policy details

Fri, 05 Jul 2024 09:00:00 GMT

_What's new?_ - The `Azure > Active Directory > Directory > CMDB` control will now also fetch named locations and authorization policy details and store them in CMDB.

aws-iam v5.36.1 - Bug fixed - Account Password Policy details did not refresh correctly in Guardrails CMDB

Fri, 05 Jul 2024 09:00:00 GMT

_Bug fixes_ - Account Password Policy details did not refresh correctly in Guardrails CMDB if those settings were reset to defaults in AWS. This resulted in the `AWS > IAM > Account Password Policy > Settings` control not applying custom settings correctly. This issue is fixed, and the CMDB details will now refresh correctly, allowing the corresponding Settings control to work as expected.

azure-securitycenter v5.4.1 - Security Center CMDB data will now also include security settings details

Thu, 04 Jul 2024 09:00:00 GMT

_What's new?_ - The `Azure > Security Center > Security Center > CMDB` control will now also fetch security settings details and store them in CMDB.

aws-rds v5.26.3 - Bug fixed - Discovery controls for various resource types would go into an error state without discovering resources and upserting them in Guardrails CMDB

Thu, 04 Jul 2024 09:00:00 GMT

Turbot Guardrails Enterprise (TE) v5.44.7 - Resolved an issue that caused control targeting to accounts fail when AWS Gov accounts were imported in commercial environment

Wed, 03 Jul 2024 09:00:00 GMT

_Bug fixes_ - Server - Resolved an issue that caused control targeting to accounts fail when AWS Gov accounts were imported in commercial environment. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

servicenow-gcp-storage v5.2.1 - Fixed GCP > Storage > Bucket > ServiceNow > Import Set > Record default value

Wed, 03 Jul 2024 09:00:00 GMT

_Bug fixes_ The default value for `GCP > Storage > Bucket > ServiceNow > Import Set` now shows the `resource_type_uri` correctly.

servicenow-gcp-storage v5.2.0 - Added Bucket > ServiceNow > Import Set controls and policies

Wed, 03 Jul 2024 09:00:00 GMT

_Control Types_ **Added** - GCP > Storage > Bucket > ServiceNow > Import Set _Policy Types_ **Added** - GCP > Storage > Bucket > ServiceNow > Import Set - GCP > Storage > Bucket > ServiceNow > Import Set > Archive Columns - GCP > Storage > Bucket > ServiceNow > Import Set > Record - GCP > Storage > Bucket > ServiceNow > Import Set > Table Name

servicenow-gcp v5.2.0 - Records can now be archived when using import sets

Wed, 03 Jul 2024 09:00:00 GMT

_What's new?_ - `ServiceNow > Turbot > Watches > GCP Archive and Delete Record` action now supports archiving `Import Set` records.

servicenow-azure-storage v5.2.0 - Added Storage Account > ServiceNow > Import Set controls and policies

Wed, 03 Jul 2024 09:00:00 GMT

_Control Types_ **Added** - Azure > Storage > Storage Account > ServiceNow > Import Set _Policy Types_ **Added** - Azure > Storage > Storage Account > ServiceNow > Import Set - Azure > Storage > Storage Account > ServiceNow > Import Set > Archive Columns - Azure > Storage > Storage Account > ServiceNow > Import Set > Record - Azure > Storage > Storage Account > ServiceNow > Import Set > Table Name

servicenow-azure v5.2.0 - Records can now be archived when using import sets

Wed, 03 Jul 2024 09:00:00 GMT

_What's new?_ - `ServiceNow > Turbot > Watches > Azure Archive and Delete Record` action now supports archiving `Import Set` records.

servicenow v5.1.0 - Fixed default values for various CMDB policies and add Import Set default table name policy

Wed, 03 Jul 2024 09:00:00 GMT

_Bug fixes_ - Default policy values for `ServiceNow > Application > CMDB`, `ServiceNow > Cost Center > CMDB` & `ServiceNow > User > CMDB` have been updated from `Enforce: Enabled` to `Skip`. _Policy Types_ **Added** - ServiceNow > Import Set - ServiceNow > Import Set > Table Name [Default]

Turbot Guardrails Enterprise (TE) v5.44.6 - Minor internal improvements

Tue, 02 Jul 2024 09:00:00 GMT

_Bug fixes_ - Server - Minor internal improvements. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.44.5 - The OUTBOUND_SECURITY_GROUP_ID environment variable in Lambda functions now defaults to using the TEF outbound security group when there is no override specified in TEF and TE

Mon, 01 Jul 2024 09:00:00 GMT

_Bug fixes_ - Server - The `OUTBOUND_SECURITY_GROUP_ID` environment variable in Lambda functions now defaults to using the TEF outbound security group when there is no override specified in TEF and TE. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-network v5.16.3 - The Security Group Ingress and Egress Approved controls would now revoke only the rejected port prefixes instead of deleting the entire rule

Mon, 01 Jul 2024 09:00:00 GMT

_Bug fixes_ - The `Azure > Network > Network Security Group > Ingress Rules > Approved` and `Azure > Network > Network Security Group > Egress Rules > Approved` controls previously deleted an entire rule if at least one of the corresponding port prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected port prefixes instead of deleting the entire rule in such cases.

aws-rds v5.26.2 - Bug fixed - The RDS DB Instance Approved control did not stop an unapproved instance if the corresponding policy was set to `Enforce: Stop unapproved` or `Enforce: Stop unapproved if new`, and deletion protection for the instance was enabled

Fri, 28 Jun 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > RDS > DB Instance > Approved` control will now be skipped for instances that belong to a cluster. To check if a cluster is approved for use, please set the `AWS > RDS > DB Cluster > Approved > *` policies. - The `AWS > RDS > DB Instance > Approved` control did not stop an unapproved instance if the corresponding policy was set to `Enforce: Stop unapproved` or `Enforce: Stop unapproved if new`, and deletion protection for the instance was enabled. The control will now stop instances correctly in such cases.

Turbot Guardrails Enterprise (TE) v5.44.4 - Enhanced management of EncryptionInTransit topic policy

Thu, 27 Jun 2024 09:00:00 GMT

_What's new?_ - Server - The creation of the `EncryptionInTransit` TopicPolicy has shifted from a custom resource to AWS CloudFormation’s `AWS::SNS::TopicPolicy`. _Bug fixes_ - Server - Changes to notifications introduced in version 5.44.2 have been rolled back due to issues with specific queries. This action restores previous functionality and ensures stability across the platform. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.44.2 - Performance enhancements and UI improvements

Mon, 24 Jun 2024 09:00:00 GMT

_What's new?_ - Server - Made notifications faster by improving the query, which enhances the performance of the activity tab. - UI - The `Depends-on` tab on the controls page has been renamed to `Related`. It now includes the information from the Depends-on tab along with additional related controls information. _Bug fixes_ - Server - Fixed an issue where sometimes an older mod version was used instead of the latest one after a mod upgrade. Now, the cache is properly updated to always use the latest version. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-network v5.16.2 - Bug fixed - The Network Security Group Ingress Rules Approved control would sometimes fail to revoke rejected rules from a network security group

Mon, 24 Jun 2024 09:00:00 GMT

_Bug fixes_ - The `Azure > Network > Network Security Group > Ingress Rules > Approved` control would sometimes fail to revoke rejected rules when the corresponding policy was set to `Enforce: Delete unapproved`. This has been fixed, and the control will now work more reliably and consistently than before.

osquery v5.0.2 - The osquery Event Handler action would not handle events for large payloads

Tue, 18 Jun 2024 09:00:00 GMT

_Bug fixes_ - `Turbot > osquery > Event Handler` action was not able to handle events for large payloads. This issue is now fixed.

gcp v5.24.3 - Bug fixed - The Project CMDB control would incorrectly delete a project from Guardrails CMDB if it was unable to fetch Access Approval settings for the project

Tue, 18 Jun 2024 09:00:00 GMT

_Bug fixes_ - The `GCP > Project > CMDB` control would incorrectly delete a project from Guardrails CMDB if it was unable to fetch Access Approval settings for the project. This issue has been fixed and the control will now attempt to fetch all available details and will not delete the project from CMDB.

azure-securitycenter v5.4.0 - Auto Provisioning for Security Center is now available

Mon, 17 Jun 2024 09:00:00 GMT

_Bug fixes_ - Users can now configure Auto Provisioning for Azure Security Center in Guardrails. To get started, set the `Azure > Security Center > Security Center > Auto Provisioning` policy. _Control Types_ - Azure > Security Center > Security Center > Auto Provisioning _Policy Types_ - Azure > Security Center > Security Center > Auto Provisioning _Action Types_ - Azure > Security Center > Security Center > Update Auto Provisioning

azure v5.19.0 - Subscription CMDB data will now also include tagging details for the subscription

Fri, 14 Jun 2024 09:00:00 GMT

_What's new?_ - Subscription CMDB data will now also include tagging details for the subscription.

azure-securitycenter v5.3.0 - The Security Center Defender Plan control now also supports services like Cloud Posture, Containers and Cosmos DB

Fri, 14 Jun 2024 09:00:00 GMT

_What's new?_ - The `Azure > Security Center > Security Center > Defender Plan` control now also supports services like Cloud Posture, Containers and Cosmos DB.

Turbot Guardrails Enterprise (TE) v5.44.1 - Added support for newer auth mechanism to fetch temporary Azure credentials

Thu, 13 Jun 2024 09:00:00 GMT

_What's new?_ - Server - Added support for newer auth mechanism to fetch temporary Azure credentials via the `@azure/msal-node` package. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-ec2 v5.41.0 - Skip upserting snapshots in Guardrails CMDB if they are created via the AWS Backup service

Thu, 13 Jun 2024 09:00:00 GMT

_What's new?_ - Users can now skip upserting snapshots in Guardrails CMDB if they are created via the AWS Backup service. To get started, set the `AWS > EC2 > Snapshot > CMDB` policy to `Enforce: Enabled for Snapshots not created with AWS Backup`.

aws v5.30.1 - Bug fixed - The Turbot Service Roles stack control did not work as expected when all policies except the Event Handlers [Global] policy were enabled

Tue, 11 Jun 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > Turbot > Service Roles > Source` policy went to an invalid state if all but the `AWS > Turbot > Service Roles > Event Handlers [Global]` policy was enabled. This issue impacted the `AWS > Turbot > Service Roles` stack control, preventing the role from being created correctly. This has been fixed, and the `AWS > Turbot > Service Roles > Source` policy will now work as expected.

aws-cisv3-0 v5.0.1 - `1.02 Ensure security contact information is registered` control will now evaluate the outcome correctly

Tue, 11 Jun 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered` control did not evaluate the result correctly, as expected. This is now fixed.

Turbot Guardrails Enterprise Foundation (TEF) v1.59.0 - Added support for new flags in the Flags attribute

Mon, 10 Jun 2024 09:00:00 GMT

_What's new?_ - Updated the existing *Flags* attribute to include new specific flags that control the operation of Mod Lambda functions within a Virtual Private Cloud (VPC). This update allows Lambdas to use static IP addresses, improving network stability and predictability across different cloud environments. New flags Added to *Flags* Attribute: - LAMBDA_IN_VPC_AWS - LAMBDA_IN_VPC_AZURE - LAMBDA_IN_VPC_GCP - LAMBDA_IN_VPC_SERVICENOW - Introduced a new SSM parameter outbound_cidr_ranges to retrieve the Elastic IPs associated with the NAT gateways.

Turbot Guardrails Enterprise (TE) v5.44.0 - Lambda functions now support static IPs with VPC integration.

Mon, 10 Jun 2024 09:00:00 GMT

_What's new?_ - Server - You can now configure Mod Lambda functions to run within a VPC across various providers including AWS, Azure, ServiceNow, and GCP. This update ensures Lambdas operate with static CIDR ranges. - Enhanced `osquery/logger` API to support payloads up to 10MB. _Requirements_ - TEF: 1.59.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-cisv2-0 v5.0.1 - Minor fixes and improvements

Mon, 10 Jun 2024 09:00:00 GMT

_Bug fixes_ - Minor fixes and improvements.

aws-cisv2-0 v5.0.2 - `1.02 Ensure security contact information is registered` control will now evaluate the outcome correctly

Mon, 10 Jun 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered` control did not evaluate the result correctly, as expected. This is now fixed.

azure-network v5.16.1 - The Ingress/Egress Rules Approved controls for Network Security Group Rules will now revoke rejected address prefixes individually instead of deleting an entire rule

Mon, 03 Jun 2024 09:00:00 GMT

_Bug fixes_ - The `Azure > Network > Network Security Group > Ingress Rules > Approved` and `Azure > Network > Network Security Group > Egress Rules > Approved` controls previously deleted an entire rule if at least one of the corresponding address prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected address prefix instead of deleting the entire rule in such cases.

gcp-bigquerydatatransfer v5.0.1 - Fixed incorrect filter patterns in the Compiled Filter policy to allow Event Handlers to work as expected

Wed, 29 May 2024 09:00:00 GMT

_Bug fixes_ - The `GCP > Turbot > Event Handlers > Logging` would go into an Invalid state because of incorrect filter patterns defined in the `GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-bigquerydatatransfer` policy. This is fixed and the control will now work as expected.

gcp-network v5.13.1 - Guardrails would sometimes process the real-time event `compute.networks.delete` for default networks incorrectly, resulting in the inadvertent deletion of those networks from CMDB

Tue, 28 May 2024 09:00:00 GMT

_Bug fixes_ - Guardrails would sometimes process the real-time event `compute.networks.delete` for default networks incorrectly, resulting in the inadvertent deletion of those networks from CMDB. This is now fixed.

aws-appfabric v5.0.0 is now available

Tue, 28 May 2024 09:00:00 GMT

_What's new?_ _Resource Types_ - AWS > AppFabric _Policy Types_ - AWS > AppFabric > API Enabled - AWS > AppFabric > Approved Regions [Default] - AWS > AppFabric > Enabled - AWS > AppFabric > Permissions - AWS > AppFabric > Permissions > Levels - AWS > AppFabric > Permissions > Levels > Modifiers - AWS > AppFabric > Permissions > Lockdown - AWS > AppFabric > Permissions > Lockdown > API Boundary - AWS > AppFabric > Regions - AWS > AppFabric > Tags Template [Default] - AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-appfabric - AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-appfabric - AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-appfabric

gcp-iam v5.14.0 - Approved control and its associated policies are now available for Project User resource type

Mon, 27 May 2024 09:00:00 GMT

_What's new?_ _Control Types_ - GCP > IAM > Project User > Approved _Policy Types_ - GCP > IAM > Project User > Approved - GCP > IAM > Project User > Approved > Custom - GCP > IAM > Project User > Approved > Usage

aws-s3 v5.24.1 - Guardrails failed to process the real-time event `s3:PutBucketReplication` for buckets

Fri, 24 May 2024 09:00:00 GMT

_Bug fixes_ - Guardrails failed to process the real-time event `s3:PutBucketReplication` for buckets. This is now fixed. - The `AWS > S3 > Bucket > Access Logging` control would sometimes go into an error state if the target bucket name started with a number. This is fixed and the control will now work more smoothly and consistently than before.

azure-storage v5.17.2 - System storage containers will now be discovered correctly in Guardrails

Thu, 16 May 2024 09:00:00 GMT

_Bug fixes_ - Guardrails failed to discover system storage containers (e.g. `$logs`) for storage accounts. This is now fixed.

gcp v5.24.2 - Added support to process enable and disable real-time events for BigQuery Data Transfer API via Service Usage APIs

Wed, 15 May 2024 09:00:00 GMT

_Bug fixes_ - Added support to process enable and disable real-time events for BigQuery Data Transfer API via Service Usage APIs.

gcp-bigquerydatatransfer v5.0.0 is now available

Wed, 15 May 2024 09:00:00 GMT

## 5.0.0 (2024-05-15) _What's new?_ _Resource Types_ - GCP > BigQuery Data Transfer - GCP > BigQuery Data Transfer > Transfer Config _Control Types_ - GCP > BigQuery Data Transfer > API Enabled - GCP > BigQuery Data Transfer > CMDB - GCP > BigQuery Data Transfer > Discovery - GCP > BigQuery Data Transfer > Transfer Config > Active - GCP > BigQuery Data Transfer > Transfer Config > Approved - GCP > BigQuery Data Transfer > Transfer Config > CMDB - GCP > BigQuery Data Transfer > Transfer Config > Discovery - GCP > BigQuery Data Transfer > Transfer Config > Usage _Policy Types_ - GCP > BigQuery Data Transfer > API Enabled - GCP > BigQuery Data Transfer > Approved Regions [Default] - GCP > BigQuery Data Transfer > CMDB - GCP > BigQuery Data Transfer > Enabled - GCP > BigQuery Data Transfer > Permissions - GCP > BigQuery Data Transfer > Permissions > Levels - GCP > BigQuery Data Transfer > Permissions > Levels > Modifiers - GCP > BigQuery Data Transfer > Regions - GCP > BigQuery Data Transfer > Transfer Config > Active - GCP > BigQuery Data Transfer > Transfer Config > Active > Age - GCP > BigQuery Data Transfer > Transfer Config > Active > Last Modified - GCP > BigQuery Data Transfer > Transfer Config > Approved - GCP > BigQuery Data Transfer > Transfer Config > Approved > Custom - GCP > BigQuery Data Transfer > Transfer Config > Approved > Usage - GCP > BigQuery Data Transfer > Transfer Config > CMDB - GCP > BigQuery Data Transfer > Transfer Config > Regions - GCP > BigQuery Data Transfer > Transfer Config > Usage - GCP > BigQuery Data Transfer > Transfer Config > Usage > Limit - GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-bigquerydatatransfer - GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-bigquerydatatransfer - GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-bigquerydatatransfer _Action Types_ - GCP > BigQuery Data Transfer > Set API Enabled - GCP > BigQuery Data Transfer > Transfer Config > Delete - GCP > BigQuery Data Transfer > Transfer Config > Router

osquery v5.0.1 - Fixed control category titles

Tue, 14 May 2024 09:00:00 GMT

_Bug fixes_ - Fixed control category titles to use `osquery` instead of `Osquery`.

kubernetes v5.0.1 is now available

Tue, 14 May 2024 09:00:00 GMT

_Bug fixes_ - `Kubernetes > Node` resources will no longer include the `conditions.lastHeartbeatTime` or `resource_version` properties to avoid unnecessary notifications in the activity tab.

aws-eventbridgescheduler v5.0.0 is now available

Tue, 14 May 2024 09:00:00 GMT

_What's new?_ _Resource Types_ - AWS > EventBridge Scheduler _Policy Types_ - AWS > EventBridge Scheduler > API Enabled - AWS > EventBridge Scheduler > Approved Regions [Default] - AWS > EventBridge Scheduler > Enabled - AWS > EventBridge Scheduler > Permissions - AWS > EventBridge Scheduler > Permissions > Levels - AWS > EventBridge Scheduler > Permissions > Levels > Modifiers - AWS > EventBridge Scheduler > Permissions > Lockdown - AWS > EventBridge Scheduler > Permissions > Lockdown > API Boundary - AWS > EventBridge Scheduler > Regions - AWS > EventBridge Scheduler > Tags Template [Default] - AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-eventbridgescheduler - AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-eventbridgescheduler - AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-eventbridgescheduler

aws-eventbridgepipes v5.0.0 is now available

Tue, 14 May 2024 09:00:00 GMT

_What's new?_ _Resource Types_ - AWS > EventBridge Pipes _Policy Types_ - AWS > EventBridge Pipes > API Enabled - AWS > EventBridge Pipes > Approved Regions [Default] - AWS > EventBridge Pipes > Enabled - AWS > EventBridge Pipes > Permissions - AWS > EventBridge Pipes > Permissions > Levels - AWS > EventBridge Pipes > Permissions > Levels > Modifiers - AWS > EventBridge Pipes > Permissions > Lockdown - AWS > EventBridge Pipes > Permissions > Lockdown > API Boundary - AWS > EventBridge Pipes > Regions - AWS > EventBridge Pipes > Tags Template [Default] - AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-eventbridgepipes - AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-eventbridgepipes - AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-eventbridgepipes

Turbot Guardrails Enterprise (TE) v5.43.0 - Added support for osquery management and operations.

Mon, 13 May 2024 09:00:00 GMT

_What's new?_ - Server - Added a new GraphQL resolver for osquery to generate an enrollSecret. - Added new REST APIs for osquery management, which includes: - `api/latest/osquery/enroll` - `api/latest/osquery/config` - `api/latest/osquery/logger` - Introduced a dedicated worker, along with SQS FIFO queue and SNS topic FIFO, to run osquery operations. - Implemented a new `serviceNowCredential` resolver specifically for Kubernetes clusters. - Upgraded our SDK (`@turbot/sdk`) to version 5.15.0 and our fn toolkit (`@turbot/fn`) to version 5.22.0, to support FIFO queues. - UI - Added support for connecting to Kubernetes, facilitating easier integration and management. - Added report for AWS CIS v2.0. - Added report for AWS CIS v3.0. - Added report for Azure CIS v2.0. - Added report for GCP CIS v2.0. _Requirements_ - TEF: 1.58.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

servicenow-kubernetes v5.0.0 is now available

Mon, 13 May 2024 09:00:00 GMT

_What's new?_ _Control Types_ - Kubernetes > Cluster > ServiceNow - Kubernetes > Cluster > ServiceNow > Configuration Item - Kubernetes > Cluster > ServiceNow > Table - Kubernetes > ConfigMap > ServiceNow - Kubernetes > ConfigMap > ServiceNow > Configuration Item - Kubernetes > ConfigMap > ServiceNow > Table - Kubernetes > Deployment > ServiceNow - Kubernetes > Deployment > ServiceNow > Configuration Item - Kubernetes > Deployment > ServiceNow > Table - Kubernetes > Namespace > ServiceNow - Kubernetes > Namespace > ServiceNow > Configuration Item - Kubernetes > Namespace > ServiceNow > Table - Kubernetes > Node > ServiceNow - Kubernetes > Node > ServiceNow > Configuration Item - Kubernetes > Node > ServiceNow > Table - Kubernetes > Pod > ServiceNow - Kubernetes > Pod > ServiceNow > Configuration Item - Kubernetes > Pod > ServiceNow > Table - Kubernetes > ReplicaSet > ServiceNow - Kubernetes > ReplicaSet > ServiceNow > Configuration Item - Kubernetes > ReplicaSet > ServiceNow > Table - Kubernetes > Service > ServiceNow - Kubernetes > Service > ServiceNow > Configuration Item - Kubernetes > Service > ServiceNow > Table - ServiceNow > Turbot > Watches > Kubernetes _Policy Types_ - Kubernetes > Cluster > ServiceNow - Kubernetes > Cluster > ServiceNow > Configuration Item - Kubernetes > Cluster > ServiceNow > Configuration Item > Record - Kubernetes > Cluster > ServiceNow > Configuration Item > Table Definition - Kubernetes > Cluster > ServiceNow > Table - Kubernetes > Cluster > ServiceNow > Table > Definition - Kubernetes > ConfigMap > ServiceNow - Kubernetes > ConfigMap > ServiceNow > Configuration Item - Kubernetes > ConfigMap > ServiceNow > Configuration Item > Record - Kubernetes > ConfigMap > ServiceNow > Configuration Item > Table Definition - Kubernetes > ConfigMap > ServiceNow > Table - Kubernetes > ConfigMap > ServiceNow > Table > Definition - Kubernetes > Deployment > ServiceNow - Kubernetes > Deployment > ServiceNow > Configuration Item - Kubernetes > Deployment > ServiceNow > Configuration Item > Record - Kubernetes > Deployment > ServiceNow > Configuration Item > Table Definition - Kubernetes > Deployment > ServiceNow > Table - Kubernetes > Deployment > ServiceNow > Table > Definition - Kubernetes > Namespace > ServiceNow - Kubernetes > Namespace > ServiceNow > Configuration Item - Kubernetes > Namespace > ServiceNow > Configuration Item > Record - Kubernetes > Namespace > ServiceNow > Configuration Item > Table Definition - Kubernetes > Namespace > ServiceNow > Table - Kubernetes > Namespace > ServiceNow > Table > Definition - Kubernetes > Node > ServiceNow - Kubernetes > Node > ServiceNow > Configuration Item - Kubernetes > Node > ServiceNow > Configuration Item > Record - Kubernetes > Node > ServiceNow > Configuration Item > Table Definition - Kubernetes > Node > ServiceNow > Table - Kubernetes > Node > ServiceNow > Table > Definition - Kubernetes > Pod > ServiceNow - Kubernetes > Pod > ServiceNow > Configuration Item - Kubernetes > Pod > ServiceNow > Configuration Item > Record - Kubernetes > Pod > ServiceNow > Configuration Item > Table Definition - Kubernetes > Pod > ServiceNow > Table - Kubernetes > Pod > ServiceNow > Table > Definition - Kubernetes > ReplicaSet > ServiceNow - Kubernetes > ReplicaSet > ServiceNow > Configuration Item - Kubernetes > ReplicaSet > ServiceNow > Configuration Item > Record - Kubernetes > ReplicaSet > ServiceNow > Configuration Item > Table Definition - Kubernetes > ReplicaSet > ServiceNow > Table - Kubernetes > ReplicaSet > ServiceNow > Table > Definition - Kubernetes > Service > ServiceNow - Kubernetes > Service > ServiceNow > Configuration Item - Kubernetes > Service > ServiceNow > Configuration Item > Record - Kubernetes > Service > ServiceNow > Configuration Item > Table Definition - Kubernetes > Service > ServiceNow > Table - Kubernetes > Service > ServiceNow > Table > Definition - ServiceNow > Turbot > Watches > Kubernetes _Action Types_ - ServiceNow > Turbot > Watches > Kubernetes Archive And Delete Record

osquery v5.0.0 is now available

Mon, 13 May 2024 09:00:00 GMT

_What's new?_ _Resource Types_ - osquery _Control Types_ - Turbot > Workspace > osquery - Turbot > Workspace > osquery > Secret Rotation _Policy Types_ - Turbot > Workspace > osquery - Turbot > Workspace > osquery > Enroll Secret Expiration - Turbot > Workspace > osquery > Secrets - Turbot > Workspace > osquery > Secrets > Expiration Period - Turbot > Workspace > osquery > Secrets > Rotation - osquery > Configuration _Action Types_ - Turbot > Rotate osquery Secret - osquery > Event Handler

kubernetes v5.0.0 is now available

Mon, 13 May 2024 09:00:00 GMT

_What's new?_ _Resource Types_ - Kubernetes - Kubernetes > Cluster - Kubernetes > ConfigMap - Kubernetes > Deployment - Kubernetes > Namespace - Kubernetes > Node - Kubernetes > Pod - Kubernetes > ReplicaSet - Kubernetes > Service _Control Types_ - Kubernetes > Cluster > CMDB - Kubernetes > ConfigMap > Annotations - Kubernetes > ConfigMap > Approved - Kubernetes > ConfigMap > CMDB - Kubernetes > ConfigMap > Labels - Kubernetes > ConfigMap > Query - Kubernetes > Deployment > Annotations - Kubernetes > Deployment > Approved - Kubernetes > Deployment > CMDB - Kubernetes > Deployment > Labels - Kubernetes > Deployment > Query - Kubernetes > Namespace > Annotations - Kubernetes > Namespace > Approved - Kubernetes > Namespace > CMDB - Kubernetes > Namespace > Labels - Kubernetes > Namespace > Query - Kubernetes > Node > Annotations - Kubernetes > Node > Approved - Kubernetes > Node > CMDB - Kubernetes > Node > Labels - Kubernetes > Node > Query - Kubernetes > Pod > Annotations - Kubernetes > Pod > Approved - Kubernetes > Pod > CMDB - Kubernetes > Pod > Labels - Kubernetes > Pod > Query - Kubernetes > ReplicaSet > Annotations - Kubernetes > ReplicaSet > Approved - Kubernetes > ReplicaSet > CMDB - Kubernetes > ReplicaSet > Labels - Kubernetes > ReplicaSet > Query - Kubernetes > Service > Annotations - Kubernetes > Service > Approved - Kubernetes > Service > CMDB - Kubernetes > Service > Labels - Kubernetes > Service > Query _Policy Types_ - Kubernetes > Cluster > CMDB - Kubernetes > ConfigMap > Annotations - Kubernetes > ConfigMap > Annotations > Template - Kubernetes > ConfigMap > Approved - Kubernetes > ConfigMap > Approved > Custom - Kubernetes > ConfigMap > CMDB - Kubernetes > ConfigMap > Labels - Kubernetes > ConfigMap > Labels > Template - Kubernetes > ConfigMap > osquery - Kubernetes > ConfigMap > osquery > Configuration - Kubernetes > ConfigMap > osquery > Configuration > Columns - Kubernetes > ConfigMap > osquery > Configuration > Interval - Kubernetes > ConfigMap > osquery > Configuration > Name - Kubernetes > Deployment > Annotations - Kubernetes > Deployment > Annotations > Template - Kubernetes > Deployment > Approved - Kubernetes > Deployment > Approved > Custom - Kubernetes > Deployment > CMDB - Kubernetes > Deployment > Labels - Kubernetes > Deployment > Labels > Template - Kubernetes > Deployment > osquery - Kubernetes > Deployment > osquery > Configuration - Kubernetes > Deployment > osquery > Configuration > Columns - Kubernetes > Deployment > osquery > Configuration > Interval - Kubernetes > Deployment > osquery > Configuration > Name - Kubernetes > Namespace > Annotations - Kubernetes > Namespace > Annotations > Template - Kubernetes > Namespace > Approved - Kubernetes > Namespace > Approved > Custom - Kubernetes > Namespace > CMDB - Kubernetes > Namespace > Labels - Kubernetes > Namespace > Labels > Template - Kubernetes > Namespace > osquery - Kubernetes > Namespace > osquery > Configuration - Kubernetes > Namespace > osquery > Configuration > Columns - Kubernetes > Namespace > osquery > Configuration > Interval - Kubernetes > Namespace > osquery > Configuration > Name - Kubernetes > Node > Annotations - Kubernetes > Node > Annotations > Template - Kubernetes > Node > Approved - Kubernetes > Node > Approved > Custom - Kubernetes > Node > CMDB - Kubernetes > Node > Labels - Kubernetes > Node > Labels > Template - Kubernetes > Node > osquery - Kubernetes > Node > osquery > Configuration - Kubernetes > Node > osquery > Configuration > Columns - Kubernetes > Node > osquery > Configuration > Interval - Kubernetes > Node > osquery > Configuration > Name - Kubernetes > Pod > Annotations - Kubernetes > Pod > Annotations > Template - Kubernetes > Pod > Approved - Kubernetes > Pod > Approved > Custom - Kubernetes > Pod > CMDB - Kubernetes > Pod > Labels - Kubernetes > Pod > Labels > Template - Kubernetes > Pod > osquery - Kubernetes > Pod > osquery > Configuration - Kubernetes > Pod > osquery > Configuration > Columns - Kubernetes > Pod > osquery > Configuration > Interval - Kubernetes > Pod > osquery > Configuration > Name - Kubernetes > ReplicaSet > Annotations - Kubernetes > ReplicaSet > Annotations > Template - Kubernetes > ReplicaSet > Approved - Kubernetes > ReplicaSet > Approved > Custom - Kubernetes > ReplicaSet > CMDB - Kubernetes > ReplicaSet > Labels - Kubernetes > ReplicaSet > Labels > Template - Kubernetes > ReplicaSet > osquery - Kubernetes > ReplicaSet > osquery > Configuration - Kubernetes > ReplicaSet > osquery > Configuration > Columns - Kubernetes > ReplicaSet > osquery > Configuration > Interval - Kubernetes > ReplicaSet > osquery > Configuration > Name - Kubernetes > Service > Annotations - Kubernetes > Service > Annotations > Template - Kubernetes > Service > Approved - Kubernetes > Service > Approved > Custom - Kubernetes > Service > CMDB - Kubernetes > Service > Labels - Kubernetes > Service > Labels > Template - Kubernetes > Service > osquery - Kubernetes > Service > osquery > Configuration - Kubernetes > Service > osquery > Configuration > Columns - Kubernetes > Service > osquery > Configuration > Interval - Kubernetes > Service > osquery > Configuration > Name - Kubernetes > osquery - Kubernetes > osquery > Decorators _Action Types_ - Kubernetes > ConfigMap > Router - Kubernetes > Deployment > Router - Kubernetes > Namespace > Router - Kubernetes > Node > Router - Kubernetes > Pod > Router - Kubernetes > ReplicaSet > Router - Kubernetes > Service > Router

gcp-iam v5.13.1 - Service Account Key Active control will no longer attempt to delete system-managed service account keys deemed inactive by the control

Mon, 13 May 2024 09:00:00 GMT

_Bug fixes_ - The `GCP > IAM > Service Account Key > Active` control will no longer attempt to delete a system-managed service account key deemed inactive by the control.

aws-iam v5.36.0 - Determine if an IAM access key for a user is latest and take appropriate actions

Mon, 13 May 2024 09:00:00 GMT

_What's new?_ - You can now determine if an IAM access key for a user is latest and deactivate or delete any keys that are not, using Guardrails. To get started, set the `AWS > IAM > Access Key > Active > Latest` policy. - You can now determine if an IAM server certificate is active based on its expiration. To get started, set the `AWS > IAM > Server Certificate > Active > Expired` policy. _Policy Types_ - AWS > IAM > Access Key > Active > Latest - AWS > IAM > Server Certificate > Active > Expired

gcp v5.24.1 - The Project CMDB control would go into an error state if Access Approval API was disabled in GCP

Fri, 10 May 2024 09:00:00 GMT

_Bug fixes_ - The `GCP > Project > CMDB` control would go into an error state if Access Approval API was disabled in GCP. This is now fixed.

Turbot Guardrails Enterprise Foundation (TEF) v1.58.0 - Enhanced Monitoring, Tagging, and Resource Management

Wed, 08 May 2024 09:00:00 GMT

_What's new?_ - Implemented SNS topic to handle critical alarms notifications. - Added Product, Vendor Tags to the IAM Role resources created by the TEF stack. - Introduced a new SSM parameter to manage the reserved concurrency settings for the osquery worker lambda function. - Updated Log Bucket Lifecycle Policies: - **Increased Retention Period:** Extended the retention period of the lifecycle policy for logs in the log bucket with the `/processes` prefix from 1 day to 2 days. - **New Policy Addition:** Implemented a new lifecycle policy for managing log retention in the log bucket for logs with the `/osquery` prefix.

Turbot Guardrails Enterprise Database (TED) v1.42.0 - Implementation of Critical Alarms for RDS and Redis ElastiCache Utilization Metrics

Wed, 08 May 2024 09:00:00 GMT

_What's new?_ - Implemented critical alarms for RDS DB CPU utilization, DB Max Connections and Redis ElastiCache Memory utilization. - Added Product, Vendor Tags to the IAM Role resources created by the TED stack.

azure-compute v5.16.1 - Virtual Machine Scale Set Tags control would sometimes fail to update tags correctly for Scale Sets launched via Azure marketplace

Wed, 08 May 2024 09:00:00 GMT

_Bug fixes_ - The `Azure > Compute > Virtual Machine Scale Set > Tags` control would sometimes fail to update tags correctly for Scale Sets launched via Azure marketplace. This is fixed and the control will now update tags correctly, as expected.

aws-vpc-security v5.10.0 - Revoke ingress rules that are unapproved for use in Network ACLs

Wed, 08 May 2024 09:00:00 GMT

_What's new?_ - Revoke ingress rules that are unapproved for use in Network ACLs. To get started, set the `AWS > VPC > Network ACL > Ingress Rules > Approved > *` policies.

aws-logs v5.12.2 - Minor fixes and improvements

Wed, 08 May 2024 09:00:00 GMT

_Bug fixes_ - Minor fixes and improvements.

aws-efs v5.8.0 - Delete existing Mount Targets which are unapproved for use in the account

Wed, 08 May 2024 09:00:00 GMT

_What's new?_ - You can now delete existing Mount Targets which are unapproved for use in the account. To get started, set the `AWS > EFS > Mount Target > Approved` policy to `Enforce: Delete unapproved`.

aws-cloudwatch v5.8.0 - Create and manage `aws_cloudwatch_metric_alarm` resources via Guardrails stacks

Wed, 08 May 2024 09:00:00 GMT

_What's new?_ - Create and manage `aws_cloudwatch_metric_alarm` resources via Guardrails stacks. _Control Types_ - AWS > CloudWatch > Alarm > Configured _Policy Types_ - AWS > CloudWatch > Alarm > Configured - AWS > CloudWatch > Alarm > Configured > Claim Precedence - AWS > CloudWatch > Alarm > Configured > Source

aws-securityhub v5.3.1 - Added support for `aws_securityhub_account` Terraform resource

Tue, 07 May 2024 09:00:00 GMT

_Bug fixes_ - Added support for `aws_securityhub_account` Terraform resource.

aws-eks v5.7.0 - Metadata for EKS resources will now also include `createdBy` details in Turbot CMDB

Tue, 07 May 2024 09:00:00 GMT

_What's new?_ - Resource's metadata will now also include `createdBy` details in Turbot CMDB.

aws-cisv3-0 v5.0.0 is now available

Mon, 06 May 2024 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > CIS v3.0 - AWS > CIS v3.0 > 1 - Identity and Access Management - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted - AWS > CIS v3.0 > 2 - Storage - AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) - AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests - AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets - AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required - AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' - AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) - AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions - AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) - AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances - AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances - AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance - AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS) - AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems - AWS > CIS v3.0 > 3 - Logging - AWS > CIS v3.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions - AWS > CIS v3.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled - AWS > CIS v3.0 > 3 - Logging > 3.03 - Ensure AWS Config is enabled in all regions - AWS > CIS v3.0 > 3 - Logging > 3.04 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket - AWS > CIS v3.0 > 3 - Logging > 3.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs - AWS > CIS v3.0 > 3 - Logging > 3.06 - Ensure rotation for customer created symmetric CMKs is enabled - AWS > CIS v3.0 > 3 - Logging > 3.07 - Ensure VPC flow logging is enabled in all VPCs - AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket - AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucket - AWS > CIS v3.0 > 4 - Monitoring - AWS > CIS v3.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled - AWS > CIS v3.0 > 5 - Networking - AWS > CIS v3.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v3.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v3.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports - AWS > CIS v3.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic - AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access' - AWS > CIS v3.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2 _Policy Types_ - AWS > CIS v3.0 - AWS > CIS v3.0 > 1 - Identity and Access Management - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details > Attestation - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account > Attestation - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted - AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation - AWS > CIS v3.0 > 1 - Identity and Access Management > Maximum Attestation Duration - AWS > CIS v3.0 > 2 - Storage - AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) - AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests - AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enable on S3 buckets - AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required - AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required > Attestation - AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' - AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) - AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions - AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) - AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances - AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances - AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance - AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS) - AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems - AWS > CIS v3.0 > 2 - Storage > Maximum Attestation Duration - AWS > CIS v3.0 > 3 - Logging - AWS > CIS v3.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions - AWS > CIS v3.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled - AWS > CIS v3.0 > 3 - Logging > 3.03 - Ensure AWS Config is enabled in all regions - AWS > CIS v3.0 > 3 - Logging > 3.04 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket - AWS > CIS v3.0 > 3 - Logging > 3.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs - AWS > CIS v3.0 > 3 - Logging > 3.06 - Ensure rotation for customer created symmetric CMKs is enabled - AWS > CIS v3.0 > 3 - Logging > 3.07 - Ensure VPC flow logging is enabled in all VPCs - AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket - AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucket - AWS > CIS v3.0 > 3 - Logging > Maximum Attestation Duration - AWS > CIS v3.0 > 4 - Monitoring - AWS > CIS v3.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored - AWS > CIS v3.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled - AWS > CIS v3.0 > 4 - Monitoring > Maximum Attestation Duration - AWS > CIS v3.0 > 5 - Networking - AWS > CIS v3.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v3.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v3.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports - AWS > CIS v3.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic - AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access' - AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access' > Attestation - AWS > CIS v3.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2 - AWS > CIS v3.0 > 5 - Networking > Maximum Attestation Duration - AWS > CIS v3.0 > Maximum Attestation Duration

Turbot Guardrails Enterprise (TE) v5.42.26 - Minor internal improvements

Fri, 03 May 2024 09:00:00 GMT

_Bug fixes_ - Server - Minor internal improvements. _Requirements_ - TEF: 1.57.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

gcp-dns v5.7.0 - Track and manage DNS Policies in Guardrails

Fri, 03 May 2024 09:00:00 GMT

_What's new?_ - Resource Types: - GCP > DNS > Policy - Control Types: - GCP > DNS > Policy > Active - GCP > DNS > Policy > Approved - GCP > DNS > Policy > CMDB - GCP > DNS > Policy > Discovery - GCP > DNS > Policy > Usage - Policy Types: - GCP > DNS > Policy > Active - GCP > DNS > Policy > Active > Age - GCP > DNS > Policy > Active > Last Modified - GCP > DNS > Policy > Approved - GCP > DNS > Policy > Approved > Custom - GCP > DNS > Policy > Approved > Usage - GCP > DNS > Policy > CMDB - GCP > DNS > Policy > Usage - GCP > DNS > Policy > Usage > Limit - Action Types: - GCP > DNS > Policy > Delete - GCP > DNS > Policy > Router

gcp-cisv2-0 v5.0.0 is now available

Fri, 03 May 2024 09:00:00 GMT

_What's new?_ _Control Types_ - GCP > CIS v2.0 - GCP > CIS v2.0 > 1 - Identity and Access Management - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager - GCP > CIS v2.0 > 2 - Logging and Monitoring - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled' - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer - GCP > CIS v2.0 > 3 - Networking - GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project - GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects - GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS - GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC - GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC - GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet - GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet - GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites - GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' - GCP > CIS v2.0 > 4 - Virtual Machines - GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account - GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs - GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances - GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project - GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance - GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances - GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) - GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled - GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses - GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections - GCP > CIS v2.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled - GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects - GCP > CIS v2.0 > 5 - Storage - GCP > CIS v2.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible - GCP > CIS v2.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled - GCP > CIS v2.0 > 6 - Cloud SQL Database Services - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - GCP > CIS v2.0 > 7 - BigQuery - GCP > CIS v2.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible - GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) - GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets _Policy Types_ - GCP > CIS v2.0 - GCP > CIS v2.0 > 1 - Identity and Access Management - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used > Attestation - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts > Attestation - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts > Attestation - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization > Attestation - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager - GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager > Attestation - GCP > CIS v2.0 > 1 - Identity and Access Management > Maximum Attestation Duration - GCP > CIS v2.0 > 2 - Logging and Monitoring - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' > Attestation - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled' - GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer - GCP > CIS v2.0 > 2 - Logging and Monitoring > Maximum Attestation Duration - GCP > CIS v2.0 > 3 - Networking - GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project - GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects - GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS - GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC - GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC - GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet - GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet - GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites - GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' - GCP > CIS v2.0 > 4 - Virtual Machines - GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account - GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs - GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances - GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project - GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance - GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances - GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) - GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled - GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses - GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections - GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections > Attestation - GCP > CIS v2.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled - GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects - GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects > Attestation - GCP > CIS v2.0 > 4 - Virtual Machines > Maximum Attestation Duration - GCP > CIS v2.0 > 5 - Storage - GCP > CIS v2.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible - GCP > CIS v2.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled - GCP > CIS v2.0 > 6 - Cloud SQL Database Services - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges > Attestation - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - GCP > CIS v2.0 > 6 - Cloud SQL Database Services > Maximum Attestation Duration - GCP > CIS v2.0 > 7 - BigQuery - GCP > CIS v2.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible - GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) - GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets - GCP > CIS v2.0 > Maximum Attestation Duration

aws-cisv2-0 v5.0.1 - Minor fixes and improvements

Fri, 03 May 2024 09:00:00 GMT

_Bug fixes_ - Minor fixes and improvements.

gcp v5.24.0 - Access approval setting details for projects is now be available in Project CMDB

Thu, 02 May 2024 09:00:00 GMT

_What's new?_ - Access approval setting details for projects is now be available in Project CMDB.

Turbot Guardrails Enterprise (TE) v5.42.25 - Minor internal improvements

Tue, 30 Apr 2024 09:00:00 GMT

_Bug fixes_ - Server - Minor internal improvements. _Requirements_ - TEF: 1.57.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-postgresql v5.15.1 - Action Type for Firewall > IP Ranges > Approved control did not render correctly for Flexi Servers on mod inspect

Mon, 29 Apr 2024 09:00:00 GMT

_Bug fixes_ - Action Type for `Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved` control did not render correctly on mod inspect. This is now fixed.

Turbot Guardrails Enterprise (TE) v5.42.24 - Minor internal improvements

Fri, 26 Apr 2024 09:00:00 GMT

_Bug fixes_ - Server - Minor internal improvements. _Requirements_ - TEF: 1.57.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

azure-storage v5.17.1 - Storage Account Data Protection control would go into an error state when container delete retention policy data was not available in CMDB

Fri, 26 Apr 2024 09:00:00 GMT

_Bug fixes_ - The `Azure > Storage > Storage Account > Data Protection` control would go into an error state when container delete retention policy data was not available in CMDB. This issue is fixed and the control will now work as expected.

azure-postgresql v5.15.0 - Remove unapproved firewall IP Ranges on PostgreSQL servers and flexi servers

Fri, 26 Apr 2024 09:00:00 GMT

_What's new?_ - You can now removed unapproved Firewall IP Ranges on PostgreSQL servers and flexi servers. To get started, set the `Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > *` and `Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > *` policies respectively. - You can now stop unapproved flexi servers. To get started, set the `Azure > PostgreSQL > Flexible Server > Approved` policy to `Enforce: Stop unapproved` or `Enforce: Stop unapproved if new`. _Control Types_ - Azure > PostgreSQL > Flexible Server > Firewall - Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges - Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved - Azure > PostgreSQL > Server > Firewall - Azure > PostgreSQL > Server > Firewall > IP Ranges - Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved _Policy Types_ - Azure > PostgreSQL > Flexible Server > Firewall - Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges - Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved - Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > Compiled Rules - Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > IP Addresses - Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > Rules - Azure > PostgreSQL > Server > Firewall - Azure > PostgreSQL > Server > Firewall > IP Ranges - Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved - Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > Compiled Rules - Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > IP Addresses - Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > Rules _Action Types_ - Azure > PostgreSQL > Flexible Server > Stop - Azure > PostgreSQL > Server > Update Firewall IP Ranges

cis v5.0.1 - Fixed control category names for v7.2.10, v7.7.10 and v7.14.1

Wed, 24 Apr 2024 09:00:00 GMT

_Bug fixes_ - Fixed control category names for v7.2.10, v7.7.10 and v7.14.1.

azure-cisv2-0 v5.0.0 is now available

Wed, 24 Apr 2024 09:00:00 GMT

_What's new?_ _Control Types_ - Azure > CIS v2.0 - Azure > CIS v2.0 > 01 - Identity and Access Management - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.05 - Ensure Guest Users Are Reviewed on a Regular Basis - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 Ensure That 'Number of methods required to reset' is set to '2' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure `User consent for applications` is set to `Do not allow user consent` - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' - Azure > CIS v2.0 > 02 - Microsoft Defender - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.01 - Ensure That Microsoft Defender for Servers Is Set to 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.02 - Ensure That Microsoft Defender for App Services Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.03 - Ensure That Microsoft Defender for Databases Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.04 - Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.05 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.06 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.07 - Ensure That Microsoft Defender for Storage Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.08 - Ensure That Microsoft Defender for Containers Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.09 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.10 - Ensure That Microsoft Defender for Key Vault Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.11 - Ensure That Microsoft Defender for DNS Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.12 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.14 - Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.15 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.18 - Ensure That 'All users with the following roles' is set to 'Owner' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.19 - Ensure 'Additional email addresses' is Configured with a Security Contact Email - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.20 - Ensure That 'Notify about alerts with the following severity' is Set to 'High' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.21 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.22 - Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring - Azure > CIS v2.0 > 03 - Storage Accounts - Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled' - Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that `Enable Infrastructure Encryption` for Each Storage Account in Azure Storage is Set to `enabled` - Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account - Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated - Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests - Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour - Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny - Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access - Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts - Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys - Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests - Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" - Azure > CIS v2.0 > 04 - Database Services - Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing - Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On' - Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) - Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key - Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers - Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database - Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days' - Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL - Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers - Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account - Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server - Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server - Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' - Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database - Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB - Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks - Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible - Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible - Azure > CIS v2.0 > 05 - Logging and Monitoring - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.03 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled' - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.07 - Ensure that logging for Azure AppService 'HTTP logs' is enabled - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) - Azure > CIS v2.0 > 06 - Networking - Azure > CIS v2.0 > 06 - Networking > 6.01 - Ensure that RDP access from the Internet is evaluated and restricted - Azure > CIS v2.0 > 06 - Networking > 6.02 - Ensure that SSH access from the Internet is evaluated and restricted - Azure > CIS v2.0 > 06 - Networking > 6.03 - Ensure that UDP access from the Internet is evaluated and restricted - Azure > CIS v2.0 > 06 - Networking > 6.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted - Azure > CIS v2.0 > 06 - Networking > 6.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Azure > CIS v2.0 > 06 - Networking > 6.06 - Ensure that Network Watcher is 'Enabled' - Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis - Azure > CIS v2.0 > 07 - Virtual Machines - Azure > CIS v2.0 > 07 - Virtual Machines > 7.02 - Ensure Virtual Machines are utilizing Managed Disks - Azure > CIS v2.0 > 07 - Virtual Machines > 7.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) - Azure > CIS v2.0 > 07 - Virtual Machines > 7.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) - Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed - Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed - Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted - Azure > CIS v2.0 > 08 - Key Vault - Azure > CIS v2.0 > 08 - Key Vault > 8.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults - Azure > CIS v2.0 > 08 - Key Vault > 8.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults - Azure > CIS v2.0 > 08 - Key Vault > 8.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults - Azure > CIS v2.0 > 08 - Key Vault > 8.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults - Azure > CIS v2.0 > 08 - Key Vault > 8.05 - Ensure the key vault is recoverable - Azure > CIS v2.0 > 08 - Key Vault > 8.06 - Ensure Role Based Access Control for Azure Key Vault - Azure > CIS v2.0 > 08 - Key Vault > 8.07 - Ensure that Private Endpoints are Used for Azure Key Vault - Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services - Azure > CIS v2.0 > 09 - Application Services - Azure > CIS v2.0 > 09 - Application Services > 9.01 - Ensure App Service Authentication is set up for apps in Azure App Service - Azure > CIS v2.0 > 09 - Application Services > 9.02 - Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service - Azure > CIS v2.0 > 09 - Application Services > 9.03 - Ensure Web App is using the latest version of TLS encryption - Azure > CIS v2.0 > 09 - Application Services > 9.04 - Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' - Azure > CIS v2.0 > 09 - Application Services > 9.05 - Ensure that Register with Azure Active Directory is enabled on App Service - Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App - Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App - Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App - Azure > CIS v2.0 > 09 - Application Services > 9.09 - Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App - Azure > CIS v2.0 > 09 - Application Services > 9.10 - Ensure FTP deployments are Disabled - Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets - Azure > CIS v2.0 > 10 - Miscellaneous - Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources _Policy Types_ - Azure > CIS v2.0 - Azure > CIS v2.0 > 01 - Identity and Access Management - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No' > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.05 - Ensure Guest Users Are Reviewed on a Regular Basis - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 - Ensure That 'Number of methods required to reset' is set to '2' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 - Ensure That 'Number of methods required to reset' is set to '2' > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure `User consent for applications` is set to `Do not allow user consent` - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure `User consent for applications` is set to `Do not allow user consent` > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No' > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' > Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > Maximum Attestation Duration - Azure > CIS v2.0 > 02 - Microsoft Defender - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.01 - Ensure That Microsoft Defender for Servers Is Set to 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.02 - Ensure That Microsoft Defender for App Services Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.03 - Ensure That Microsoft Defender for Databases Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.04 - Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.05 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.06 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.07 - Ensure That Microsoft Defender for Storage Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.08 - Ensure That Microsoft Defender for Containers Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.09 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.10 - Ensure That Microsoft Defender for Key Vault Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.11 - Ensure That Microsoft Defender for DNS Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.12 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' > Attestation - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.14 - Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.15 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' > Attestation - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' > Attestation - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.18 - Ensure That 'All users with the following roles' is set to 'Owner' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.19 - Ensure 'Additional email addresses' is Configured with a Security Contact Email - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.20 - Ensure That 'Notify about alerts with the following severity' is Set to 'High' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.21 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.22 - Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' > Attestation - Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring - Azure > CIS v2.0 > 02 - Microsoft Defender > Maximum Attestation Duration - Azure > CIS v2.0 > 03 - Storage Accounts - Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled' - Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that `Enable Infrastructure Encryption` for Each Storage Account in Azure Storage is Set to `enabled` - Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account - Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account > Attestation - Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated - Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated > Attestation - Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests - Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour - Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour > Attestation - Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny - Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access - Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts - Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage - Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys - Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests - Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" - Azure > CIS v2.0 > 03 - Storage Accounts > Maximum Attestation Duration - Azure > CIS v2.0 > 04 - Database Services - Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing - Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On' - Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) - Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key - Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers - Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database - Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days' - Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL - Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers - Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account - Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server - Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server - Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled - Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' - Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database - Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server - Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB - Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks - Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible - Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible - Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible > Attestation - Azure > CIS v2.0 > 04 - Database Services > Maximum Attestation Duration - Azure > CIS v2.0 > 05 - Logging and Monitoring - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.03 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled' - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.07 - Ensure that logging for Azure AppService 'HTTP logs' is enabled - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation - Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) - Azure > CIS v2.0 > 05 - Logging and Monitoring > Maximum Attestation Duration - Azure > CIS v2.0 > 06 - Networking - Azure > CIS v2.0 > 06 - Networking > 6.01 - Ensure that RDP access from the Internet is evaluated and restricted - Azure > CIS v2.0 > 06 - Networking > 6.02 - Ensure that SSH access from the Internet is evaluated and restricted - Azure > CIS v2.0 > 06 - Networking > 6.03 - Ensure that UDP access from the Internet is evaluated and restricted - Azure > CIS v2.0 > 06 - Networking > 6.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted - Azure > CIS v2.0 > 06 - Networking > 6.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Azure > CIS v2.0 > 06 - Networking > 6.06 - Ensure that Network Watcher is 'Enabled' - Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis - Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis > Attestation - Azure > CIS v2.0 > 06 - Networking > Maximum Attestation Duration - Azure > CIS v2.0 > 07 - Virtual Machines - Azure > CIS v2.0 > 07 - Virtual Machines > 7.02 - Ensure Virtual Machines are utilizing Managed Disks - Azure > CIS v2.0 > 07 - Virtual Machines > 7.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) - Azure > CIS v2.0 > 07 - Virtual Machines > 7.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) - Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed - Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed > Attestation - Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed - Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed > Attestation - Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted - Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted > Attestation - Azure > CIS v2.0 > 07 - Virtual Machines > Maximum Attestation Duration - Azure > CIS v2.0 > 08 - Key Vault - Azure > CIS v2.0 > 08 - Key Vault > 8.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults - Azure > CIS v2.0 > 08 - Key Vault > 8.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults - Azure > CIS v2.0 > 08 - Key Vault > 8.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults - Azure > CIS v2.0 > 08 - Key Vault > 8.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults - Azure > CIS v2.0 > 08 - Key Vault > 8.05 - Ensure the key vault is recoverable - Azure > CIS v2.0 > 08 - Key Vault > 8.06 - Ensure Role Based Access Control for Azure Key Vault - Azure > CIS v2.0 > 08 - Key Vault > 8.07 - Ensure that Private Endpoints are Used for Azure Key Vault - Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services - Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services > Attestation - Azure > CIS v2.0 > 08 - Key Vault > Maximum Attestation Duration - Azure > CIS v2.0 > 09 - Application Services - Azure > CIS v2.0 > 09 - Application Services > 9.01 - Ensure App Service Authentication is set up for apps in Azure App Service - Azure > CIS v2.0 > 09 - Application Services > 9.02 - Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service - Azure > CIS v2.0 > 09 - Application Services > 9.03 - Ensure Web App is using the latest version of TLS encryption - Azure > CIS v2.0 > 09 - Application Services > 9.04 - Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' - Azure > CIS v2.0 > 09 - Application Services > 9.05 - Ensure that Register with Azure Active Directory is enabled on App Service - Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App - Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App > Attestation - Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App - Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App > Attestation - Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App - Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App > Attestation - Azure > CIS v2.0 > 09 - Application Services > 9.09 - Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App - Azure > CIS v2.0 > 09 - Application Services > 9.10 - Ensure FTP deployments are Disabled - Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets - Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets > Attestation - Azure > CIS v2.0 > 09 - Application Services > Maximum Attestation Duration - Azure > CIS v2.0 > 10 - Miscellaneous - Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources - Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation - Azure > CIS v2.0 > 10 - Miscellaneous > Maximum Attestation Duration - Azure > CIS v2.0 > Maximum Attestation Duration

Turbot Guardrails Enterprise (TE) v5.42.23 - Refined management of various processes to improve stability and reduce backlog issues

Tue, 23 Apr 2024 09:00:00 GMT

_What's new?_ - Server - Implemented monitoring for `worker_factory` in the CloudWatch Dashboard widgets "Events Queue Activity" and "Events Queue Backlog". - Established a CloudWatch Alarm for the `_worker_factory` queue. - Product, Vendor Tags to the IAM Role resources created by the TE stack. - Adjusted the threshold for the CloudWatch Alarm monitoring the `_worker` queue. _Bug fixes_ - Server - Now, users with only Turbot/User access will no longer see grants or active grants belonging to other users. This ensures that you only view grants that are relevant to your permissions. - Control will move to error if it fails to determine the state at precheck. - System resilience has been enhanced through extended TTL settings and refined management of suspended processes, aiming to improve stability and reduce backlog issues. - Refined management of various processes to improve stability and reduce backlog issues. - UI - Converted the `template_input` property of the policy setting in the Terraform plan to YAML format, improving clarity and manageability. _Requirements_ - TEF: 1.57.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

turbot v5.43.1 - Process Monitor control will now run in priority queue

Tue, 23 Apr 2024 09:00:00 GMT

_What's new?_ - Moved the `Turbot > Process Monitor` control to operate within the priority queue, ensuring more timely and efficient processing of critical tasks. - Updated the `Turbot > Workspace > Background Tasks` control to modify the next_tick_timestamp for any policy values that previously had incorrect defaults.

azure-cosmosdb v5.5.1 - Minor fixes and improvements

Tue, 23 Apr 2024 09:00:00 GMT

_Bug fixes_ - Minor fixes and improvements.

azure-storage v5.17.0 - Configure rotation reminders for access keys and soft delete for blobs and containers in storage accounts

Mon, 22 Apr 2024 09:00:00 GMT

_What's new?_ - You can now configure rotation reminders for access keys and soft delete for blobs and containers in storage accounts. To get started, set the `Azure > Storage > Storage Account > Access Keys > Rotation Reminder > *` and `Azure > Storage > Storage Account > Data Protection > Soft Delete > *` policies respectively. _Control Types_ - Azure > Storage > Storage Account > Access Keys - Azure > Storage > Storage Account > Access Keys > Rotation Reminder - Azure > Storage > Storage Account > Data Protection - Azure > Storage > Storage Account > Data Protection > Soft Delete _Policy Types_ - Azure > Storage > Storage Account > Access Keys - Azure > Storage > Storage Account > Access Keys > Rotation Reminder - Azure > Storage > Storage Account > Access Keys > Rotation Reminder > Days - Azure > Storage > Storage Account > Data Protection - Azure > Storage > Storage Account > Data Protection > Soft Delete - Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs - Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs > Retention Days - Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers - Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers > Retention Days _Action Types_ - Azure > Storage > Storage Account > Set Data Protection Soft Delete - Azure > Storage > Storage Account > Update Rotation Reminder

azure-sql v5.14.0 - Remove unapproved firewall IP Ranges on SQL servers

Mon, 22 Apr 2024 09:00:00 GMT

_What's new?_ - You can now removed unapproved Firewall IP Ranges on SQL servers. To get started, set the `Azure > SQL > Server > Firewall > IP Ranges > Approved > *` policies. _Control Types_ - Azure > SQL > Server > Firewall - Azure > SQL > Server > Firewall > IP Ranges - Azure > SQL > Server > Firewall > IP Ranges > Approved _Policy Types_ - Azure > SQL > Server > Firewall - Azure > SQL > Server > Firewall > IP Ranges - Azure > SQL > Server > Firewall > IP Ranges > Approved - Azure > SQL > Server > Firewall > IP Ranges > Approved > Compiled Rules - Azure > SQL > Server > Firewall > IP Ranges > Approved > IP Addresses - Azure > SQL > Server > Firewall > IP Ranges > Approved > Rules _Action Types_ - Azure > SQL > Server > Update Firewall IP Ranges

gcp-kms v5.8.2 - Bug fixed - Rotation policy attributes for Crypto Keys did not update correctly in CMDB when the rotation policy was removed from such keys

Fri, 19 Apr 2024 09:00:00 GMT

_Bug fixes_ - The `rotationPeriod` and `nextRotationTime` attributes for Crypto Keys did not update correctly in CMDB when the rotation policy for such keys was removed. This is now fixed.

azure-mysql v5.10.0 - Configure Encryption in Transit for Flexi Servers

Fri, 19 Apr 2024 09:00:00 GMT

_What's new?_ - You can now configure Encryption in Transit for Flexi Servers. To get started, set the `Azure > MySQL > Flexible Server > Encryption in Transit > *` policies. - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Resource's metadata will now also include `createdBy` details in Turbot CMDB. _Control Types_ - Azure > MySQL > Flexible Server > Encryption in Transit _Policy Types_ - Azure > MySQL > Flexible Server > Encryption in Transit _Action Types_ - Azure > MySQL > Flexible Server > Update Encryption in Transit

azure-appservice v5.9.0 - Lambda runtimes now powered by Node 18

Fri, 19 Apr 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Resource's metadata will now also include `createdBy` details in Turbot CMDB. _Policy Types_ - Azure > App Service > App Service Plan > Approved > Custom - Azure > App Service > Function App > Approved > Custom - Azure > App Service > Web App > Approved > Custom

aws-vpc-security v5.9.8 - Bug fixed - Configured control for flow logs would sometimes go into an error state for flow logs claimed by a Guardrails stack

Fri, 19 Apr 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > VPC > Flow Log > Configured` control would sometimes go into an error state for flow logs created via the AWS console, even though they were correctly claimed by a Guardrails stack. This is now fixed.

azure-postgresql v5.14.0 - Configure log checkpoints for Flexi Servers

Wed, 17 Apr 2024 09:00:00 GMT

_What's new?_ - You can now configure log checkpoints for Flexi Servers. To get started, set the `Azure > PostgreSQL > Flexible Server > Audit Logging > *` policies. - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. _Control Types_ - Azure > PostgreSQL > Flexible Server > Audit Logging _Policy Types_ - Azure > PostgreSQL > Flexible Server > Audit Logging - Azure > PostgreSQL > Flexible Server > Audit Logging > Log Checkpoints _Action Types_ - Azure > PostgreSQL > Flexible Server > Update Audit Logging

azure-keyvault v5.13.0 - Configure expiration for Key Vault Keys and Secrets

Wed, 17 Apr 2024 09:00:00 GMT

_What's new?_ - You can now configure expiration for Key Vault Keys and Secrets. To get started, set the `Azure > Key Vault > Key > Expiration > *` and `Azure > Key Vault > Secret > Expiration > *` policies respectively. _Control Types_ - Azure > Key Vault > Key > Expiration - Azure > Key Vault > Secret > Expiration _Policy Types_ - Azure > Key Vault > Key > Expiration - Azure > Key Vault > Key > Expiration > Days [Default] - Azure > Key Vault > Secret > Expiration - Azure > Key Vault > Secret > Expiration > Days [Default] _Action Types_ - Azure > Key Vault > Key > Set Expiration - Azure > Key Vault > Secret > Set Expiration

aws-directconnect v5.4.0 - Lambda runtimes now powered by Node 18

Wed, 17 Apr 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

aws-xray v5.4.0 - Lambda runtimes now powered by Node 18

Tue, 16 Apr 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

azure-storage v5.16.1 - Storage Account Queue Logging control would go into a skipped state for storage accounts, irrespective of any policy setting

Fri, 12 Apr 2024 09:00:00 GMT

_Bug fixes_ - The `Azure > Storage > Storage Account > Queue > Logging` control would go into a skipped state for storage accounts, irrespective of any policy setting for Logging. This issue is fixed and the control will now work as expected.

azure-network v5.16.0 - Delete existing Public IP Addresses which are unapproved for use in the Subscription

Thu, 11 Apr 2024 09:00:00 GMT

_What's new?_ - You can now delete existing Public IP Addresses which are unapproved for use in the Subscription. To get started, set the `Azure > Network > Public IP Address > Approved` policy to `Enforce: Delete unapproved`.

turbot-iam v5.12.2 - The Account compiled policy now correctly checks the workspace version

Wed, 10 Apr 2024 09:00:00 GMT

_Bug fixes_ - The `Turbot > IAM > Permissions > Compiled > Levels > Account` policy now correctly checks the workspace version if it's installed on a workspace version < 5.50.0.

azure-postgresql v5.13.0 - Configure Encryption in Transit for Flexi Servers

Wed, 10 Apr 2024 09:00:00 GMT

_What's new?_ - You can now configure Encryption in Transit for Flexi Servers. To get started, set the `Azure > PostgresSql > Flexible Server > Encryption in Transit > *` policies. _Control Types_ - Azure > PostgreSQL > Flexible Server > Encryption in Transit _Policy Types_ - Azure > PostgreSQL > Flexible Server > Encryption in Transit _Action Types_ - Azure > PostgreSQL > Flexible Server > Update Encryption in Transit

azure-activedirectory v5.5.0 - Delete existing Entra ID users which are unapproved to be used in the Tenant

Tue, 09 Apr 2024 09:00:00 GMT

_What's new?_ - You can now delete existing Entra ID users which are unapproved to be used in the Tenant. To get started, set the `Azure > Active Directory > User > Approved` policy to `Enforce: Delete unapproved`. _Policy Types_ - Azure > Active Directory > User > Approved > Custom

azure-mysql v5.9.0 - Configure TLS version for Flexi Servers

Mon, 08 Apr 2024 09:00:00 GMT

_What's new?_ - You can now configure TLS version for Flexi Servers. To get started, set the `Azure > MySQL > Flexible Server > Minimum TLS Version > *` policies.

turbot-iam v5.12.1 - Removed `Account/User` and `Account/Metadata` levels from the default Account > Permission policy

Fri, 05 Apr 2024 09:00:00 GMT

_Bug fixes_ - Removed `Account/User` and `Account/Metadata` levels from the default Account > Permission policy

Turbot Guardrails Enterprise Database (TED) v1.41.0 - Added support for Postgres versions 11.21 and 11.22

Fri, 05 Apr 2024 09:00:00 GMT

_What's new?_ - Added: Support for Postgres versions 11.21 and 11.22.

aws v5.30.0 - Account CMDB data will now also include alternate security contact details

Fri, 05 Apr 2024 09:00:00 GMT

_What's new?_ - Account CMDB data will now also include alternate security contact details.

aws-cisv2-0 v5.0.0 is now available

Fri, 05 Apr 2024 09:00:00 GMT

_What's new?_ _Control Types_ - AWS > CIS v2.0 - AWS > CIS v2.0 > 1 - Identity and Access Management - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "_:_" administrative privileges are not attached - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted - AWS > CIS v2.0 > 2 - Storage - AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) - AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests - AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets - AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required - AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' - AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) - AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions - AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) - AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances - AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances - AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance - AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS) - AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems - AWS > CIS v2.0 > 3 - Logging - AWS > CIS v2.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions - AWS > CIS v2.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled - AWS > CIS v2.0 > 3 - Logging > 3.03 - Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible - AWS > CIS v2.0 > 3 - Logging > 3.04 - Ensure CloudTrail trails are integrated with CloudWatch Logs - AWS > CIS v2.0 > 3 - Logging > 3.05 - Ensure AWS Config is enabled in all regions - AWS > CIS v2.0 > 3 - Logging > 3.06 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket - AWS > CIS v2.0 > 3 - Logging > 3.07 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs - AWS > CIS v2.0 > 3 - Logging > 3.08 - Ensure rotation for customer created symmetric CMKs is enabled - AWS > CIS v2.0 > 3 - Logging > 3.09 - Ensure VPC flow logging is enabled in all VPCs - AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket - AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket - AWS > CIS v2.0 > 4 - Monitoring - AWS > CIS v2.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled - AWS > CIS v2.0 > 5 - Networking - AWS > CIS v2.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v2.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v2.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports - AWS > CIS v2.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic - AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access' - AWS > CIS v2.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2 _Policy Types_ - AWS > CIS v2.0 - AWS > CIS v2.0 > 1 - Identity and Access Management - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details > Attestation - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account > Attestation - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "_:_" administrative privileges are not attached - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted - AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation - AWS > CIS v2.0 > 1 - Identity and Access Management > Maximum Attestation Duration - AWS > CIS v2.0 > 2 - Storage - AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) - AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests - AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enable on S3 buckets - AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required - AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required > Attestation - AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' - AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) - AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions - AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) - AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances - AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances - AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance - AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS) - AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems - AWS > CIS v2.0 > 2 - Storage > Maximum Attestation Duration - AWS > CIS v2.0 > 3 - Logging - AWS > CIS v2.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions - AWS > CIS v2.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled - AWS > CIS v2.0 > 3 - Logging > 3.03 - Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible - AWS > CIS v2.0 > 3 - Logging > 3.04 - Ensure CloudTrail trails are integrated with CloudWatch Logs - AWS > CIS v2.0 > 3 - Logging > 3.05 - Ensure AWS Config is enabled in all regions - AWS > CIS v2.0 > 3 - Logging > 3.06 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket - AWS > CIS v2.0 > 3 - Logging > 3.07 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs - AWS > CIS v2.0 > 3 - Logging > 3.08 - Ensure rotation for customer created symmetric CMKs is enabled - AWS > CIS v2.0 > 3 - Logging > 3.09 - Ensure VPC flow logging is enabled in all VPCs - AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket - AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket - AWS > CIS v2.0 > 3 - Logging > Maximum Attestation Duration - AWS > CIS v2.0 > 4 - Monitoring - AWS > CIS v2.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored - AWS > CIS v2.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled - AWS > CIS v2.0 > 4 - Monitoring > Maximum Attestation Duration - AWS > CIS v2.0 > 5 - Networking - AWS > CIS v2.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v2.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports - AWS > CIS v2.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports - AWS > CIS v2.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic - AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access' - AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access' > Attestation - AWS > CIS v2.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2 - AWS > CIS v2.0 > 5 - Networking > Maximum Attestation Duration - AWS > CIS v2.0 > Maximum Attestation Duration

gcp-sql v5.8.1 - Bug Fixed - SQL Instances were not updated/cleaned up correctly via real-time events in Guardrails

Thu, 04 Apr 2024 09:00:00 GMT

_Bug fixes_ - SQL Instances were sometimes not updated/cleaned up correctly via real-time events in Guardrails. This is now fixed.

aws-ec2 v5.40.0 - Manage IMDS defaults for EC2 via the Account Attributes > Instance Metadata Service Defaults control

Tue, 02 Apr 2024 09:00:00 GMT

_What's new?_ - You can now manage IMDS defaults for EC2 per region. To get started, set the `AWS > EC2 > Account Attributes > Instance Metadata Service Defaults > *` policies. _Bug fixes_ - The `AWS > EC2 > Instance > Approved` control would sometimes fail to stop instances that were discovered in Guardrails via real-time events if the `AWS > EC2 > Instance > Approved` policy was set to `Enforce: Stop unapproved if new`. This is now fixed.

azure-storage v5.16.0 - Blob service property details will now be available in CMDB for Storage Accounts

Mon, 01 Apr 2024 09:00:00 GMT

_What's new?_ - Storage Account CMDB data will now also include details about the account's blob service properties.

azure-postgresql v5.12.0 - Configure connection_throttling parameter for PostgreSQL servers

Mon, 01 Apr 2024 09:00:00 GMT

_What's new?_ - You can now configure `connection_throttling` parameter for PostgreSQL servers. To get started, set the `Azure > PostgreSQL > Server > Audit Logging > Connection Throttling` policy.

azure-mysql v5.8.0 - TLS version and audit log details will now be available in CMDB for Flexi Servers

Mon, 01 Apr 2024 09:00:00 GMT

_What's new?_ - TLS version and audit log details will now be available in CMDB for Flexi Servers.

aws-kms v5.18.0 - Disable unapproved Keys via the Key > Approved control

Fri, 29 Mar 2024 09:00:00 GMT

_What's new?_ - Users can now disable unapproved Keys in AWS. To get started, set the `AWS > KMS > Key > Approved` policy to `Enforce: Disable unapproved`.

aws-sns v5.15.3 - Bug Fixed - EventBridge Rule for real-time SNS events, created by Event Handlers, will now respect `Enforce: Enabled but ignore permission errors` policy value for Subscription CMDB

Wed, 27 Mar 2024 09:00:00 GMT

_Bug fixes_ - In v5.15.1, we introduced the policy value `Enforce: Enabled but ignore permission errors` for the `AWS > SNS > Subscription > CMDB` policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to `Enforce: Enabled but ignore permission errors` inadvertently introduced a bug, resulting in the removal of real-time events for Subscription from the SNS EventBridge rule created by the Event Handlers. This issue has now been fixed.

aws-kms v5.17.1 - Bug Fixed - EventBridge Rule for real-time KMS events, created by Event Handlers, will now respect `Enforce: Enabled but ignore permission errors` policy value for Key CMDB

Wed, 27 Mar 2024 09:00:00 GMT

_Bug fixes_ - In v5.13.0, we introduced the policy value `Enforce: Enabled but ignore permission errors` for the `AWS > KMS > Key > CMDB` policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to `Enforce: Enabled but ignore permission errors` inadvertently introduced a bug, resulting in the removal of the EventBridge Rule for KMS by the Event Handlers. This issue has now been fixed.

Turbot Guardrails Enterprise (TE) v5.42.22 - Minor internal improvements

Tue, 19 Mar 2024 09:00:00 GMT

_Bug fixes_ - Server - Minor internal improvements. _Requirements_ - TEF: 1.57.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-ecr v5.13.0 - You can now configure IAM resource policies on repositories

Tue, 19 Mar 2024 09:00:00 GMT

_What's new?_ - Control Types: - AWS > ECR > Repository > Policy - AWS > ECR > Repository > Policy > Required - Policy Types: - AWS > ECR > Repository > Policy - AWS > ECR > Repository > Policy > Required - AWS > ECR > Repository > Policy > Required > Items - Action Types: - AWS > ECR > Repository > Update Repository policy

Turbot Guardrails Enterprise (TE) v5.42.21 - Account import will be smoother and more consistent than before

Mon, 18 Mar 2024 09:00:00 GMT

_Bug fixes_ - Server - Account import will be smoother and more consistent than before. _Requirements_ - TEF: 1.57.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-vpc-connect v5.9.1 - Bug fixed - Guardrails will now exclude upserting VPC resources that are shared from other accounts and only upsert resources that belong to the owner account

Mon, 18 Mar 2024 09:00:00 GMT

_Bug fixes_ - Guardrails will now exclude upserting VPC resources that are shared from other accounts and only upsert resources that belong to the owner account. - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`. This is now fixed.

aws-vpc-security v5.9.7 - `AWS > VPC > VPC > Stack` control failed to claim security group rules correctly if the `protocol` for such rules was set to `All` or `TCP` in the stack's source policy

Fri, 15 Mar 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > VPC > VPC > Stack` control failed to claim security group rules correctly if the `protocol` for such rules was set to `All` or `TCP` in the stack's source policy. This issue has been fixed, and the control will now claim such rules correctly.

aws v5.29.4 - Various policy definitions have been updated to allow for a smoother account import experience

Fri, 15 Mar 2024 09:00:00 GMT

_Bug fixes_ - We have updated various policy definitions set during account imports to allow for a smoother account import experience. We recommend upgrading your TE to v5.42.21 or higher to enable these changes to take effect.

Turbot Guardrails Enterprise (TE) v5.42.20 - Bug Fixed - AWS login dropdown button to accurately display both existing and new grants

Wed, 13 Mar 2024 09:00:00 GMT

_Bug fixes_ - UI - Fixed the AWS login dropdown button to accurately display both existing and new grants. _Requirements_ - TEF: 1.57.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

aws-sagemaker v5.10.0 - Bug fixed - Unsupported US Gov cloud regions for Code Repository are now removed from the Regions policy

Wed, 13 Mar 2024 09:00:00 GMT

_Bug fixes_ - Unsupported US Gov cloud regions were inadvertently included in the `AWS > SageMaker > Code Repository > Regions` policy, which led to the `AWS > SageMaker > Code Repository > Discovery` control being in an error state for those regions. We've now removed the unsupported US Gov cloud regions from the Regions policy. _What's new?_ - Policy Types: - AWS > SageMaker > Notebook Instance > Approved > Custom

aws-iam v5.35.1 - Bug fixed - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`

Wed, 13 Mar 2024 09:00:00 GMT

_Bug fixes_ - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`. This is now fixed.

aws-vpc-security v5.9.6 - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`

Mon, 11 Mar 2024 09:00:00 GMT

_Bug fixes_ - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`. This is now fixed. - In the previous version, we fixed an issue with the `AWS > VPC > VPC > Stack` control that prevented it from recognizing security group rules with the port range set to 0 correctly. However, the control still failed to claim existing security group rules available in Guardrails CMDB, due to an inadvertent bug introduced in v5.9.2. This issue has now been fixed, and the control will correctly claim existing security group rules.

aws-sns v5.15.2 - Bug fixed - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`

Mon, 11 Mar 2024 09:00:00 GMT

_Bug fixes_ - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`. This is now fixed.

gcp-storage v5.11.1 - Bug fixed - Guardrails unnecessarily listened to and processed real-time `lists` events for various storage resources

Fri, 08 Mar 2024 09:00:00 GMT

_Bug fixes_ - Previously, Guardrails unnecessarily listened to and processed real-time `lists` events for various storage resources. We've now improved our events filter to ignore these `lists` events, thereby reducing unnecessary processing.

aws-lambda v5.13.3 - Bug fixed - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`

Fri, 08 Mar 2024 09:00:00 GMT

_Bug fixes_ - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`. This is now fixed.

aws-glue v5.11.1 - Bug fixed - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`

Fri, 08 Mar 2024 09:00:00 GMT

_Bug fixes_ - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`. This is now fixed.

aws-ec2 v5.39.2 - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`

Fri, 08 Mar 2024 09:00:00 GMT

_Bug fixes_ - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`. This is now fixed. - The `AWS > EC2 > Snapshot > Active` and `AWS > EC2 > Snapshot > Approved` controls will now not attempt to delete a snapshot if it has one or more AMIs attached to it. - In the previous version, although we fixed a bug to prevent upserting volumes and snapshots with incorrect AKAs, there was still a provision for instances to be upserted with incorrect AKAs. We have now addressed this issue as well, ensuring instances are upserted more correctly and consistently than before. - The deprecated `ec2-reports:*` permissions are now removed from the mod.

aws-vpc-internet v5.11.2 - Bug fixed - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`

Thu, 07 Mar 2024 09:00:00 GMT

_Bug fixes_ - Guardrails will now exclude upserting VPC resources that are shared from other accounts and only upsert resources that belong to the owner account. - In the previous version, we believed we had resolved an issue with Internet Gateways not being upserted into the CMDB while processing real-time `CreateDefaultVpc` events. However, we overlooked an edge case in the fix. We have now addressed this issue, ensuring that Internet Gateways will be reliably discovered and upserted into the Guardrails CMDB. We recommend updating the `aws-vpc-core` mod to version 5.17.1 or higher to enable Guardrails to correctly process real-time CreateDefaultVpc events for Internet Gateways. - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to `Enforce: Disabled`. This is now fixed.

aws-vpc-security v5.9.5 - Bug fixed - The `AWS > VPC > VPC > Stack` control would sometimes go into an error state after creating security group rules with port range set to 0

Wed, 06 Mar 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > VPC > VPC > Stack` control would sometimes go into an error state after creating security group rules with port range set to 0. This occurred because the control failed to recognize the existing rule in Guardrails CMDB and attempted to create a new rule instead. This issue has been fixed, and the stack control will now work correctly as expected. - The `AWS > VPC > Security Group > CMDB` control would sometimes go into an error state for security groups shared from other AWS accounts. We will now exclude shared security groups and only upsert security groups that belong to the owner account.

aws-iam v5.35.0 - You can now also manage the IAM Permissions model for Guardrails Users via AWS > Turbot > IAM > Managed control

Wed, 06 Mar 2024 09:00:00 GMT

_What's new?_ - You can now also manage the IAM Permissions model for Guardrails Users via the `AWS > Turbot > IAM > Managed` control. The `AWS > Turbot > IAM > Managed` control is faster and more efficient than the existing `AWS > Turbot > IAM` control because it utilizes Native AWS APIs rather than Terraform to manage IAM resources. Please note that this feature will work as intended only on TE v5.42.19 or higher and `turbot-iam` mod v5.11.0 or higher. - Control Types - AWS > Turbot > IAM > Group - AWS > Turbot > IAM > Group > Managed - AWS > Turbot > IAM > Managed - AWS > Turbot > IAM > Policy - AWS > Turbot > IAM > Policy > Managed - AWS > Turbot > IAM > Role - AWS > Turbot > IAM > Role > Managed - AWS > Turbot > IAM > User - AWS > Turbot > IAM > User > Managed - Policy Types - AWS > Turbot > IAM > Managed - Policy Types Renamed - AWS > IAM > Turbot to AWS > Turbot > IAM - Action Types - AWS > Account > Provision Managed Resources - AWS > IAM > Group > Detach and delete - AWS > IAM > Group > IAM Group Managed - AWS > IAM > Policy > Detach and delete - AWS > IAM > Role > IAM Role Managed - AWS > IAM > User > IAM User Managed _Bug fixes_ The `AWS > IAM > Group > CMDB`, `AWS > IAM > Role > CMDB`, and `AWS > IAM > User > CMDB` controls previously failed to fetch all attachments for groups, roles, and users, respectively, due to the lack of pagination support. This issue has been fixed, and the controls will now correctly fetch all respective attachments.

Turbot Guardrails Enterprise (TE) v5.42.19 - Delete operations for resources is now faster and more efficient than before

Tue, 05 Mar 2024 09:00:00 GMT

_Bug fixes_ - Server - Updated the tier for the SSM parameter `/tenant/${workspaceFullId}` to `Advanced`. - Delete operations for resources is now faster and more efficient than before. - Auto mod update control for mods will now look only for recommended versions instead of available and recommended. - Fixed policy value resolution to default to the value of `resolvedSchema` if not available in the schema. - UI - Fixed a table typo in the Steampipe query used in the resources developer tab. - Display the AWS login button when setting permissions via the `AWS > Turbot > IAM > Managed` control. _Requirements_ - TEF: 1.57.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

turbot-iam v5.11.1 - The default value for `Turbot > IAM > Permissions > Compiled > Levels > Turbot` policy will now be evaluated correctly and consistently

Tue, 05 Mar 2024 09:00:00 GMT

_Bug fixes_ - The default value for `Turbot > IAM > Permissions > Compiled > Levels > Turbot` policy will now be evaluated correctly and consistently.

aws-ssm v5.15.1 - Bug fixed - SSM Parameters with incorrect names would sometimes be inadvertently upserted in Guardrails CMDB

Tue, 05 Mar 2024 09:00:00 GMT

_Bug fixes_ - SSM Parameters with incorrect names would sometimes be inadvertently upserted in Guardrails CMDB. This issue has now been fixed.

aws-s3 v5.24.0 - Bucket CMDB data will now also include information about Bucket Intelligent Tiering Configuration

Tue, 05 Mar 2024 09:00:00 GMT

_What's new?_ - The `AWS > S3 > Bucket` CMDB data will now also include information about Bucket Intelligent Tiering Configuration. - A few policy values in the `AWS > S3 > Bucket > Encyprion at Rest` policy have now been deprecated and will be removed in the next major mod version (v6.0.0) because they are no longer supported by AWS. | Deprecated Values |- | Check: None | Check: None or higher | Enforce: None | Enforce: None or higher

aws-vpc-internet v5.11.1 - Bug fixed - Guardrails will now upsert Internet Gateways into CMDB correctly while processing real-time `CreateDefaultVpc` events

Mon, 04 Mar 2024 09:00:00 GMT

_Bug fixes_ - Previously, Guardrails did not upsert Internet Gateways into the CMDB while processing real-time `CreateDefaultVpc` events. This issue has been fixed, and Internet Gateways will now be more reliably upserted into the Guardrails CMDB. We recommend updating the `aws-vpc-core` mod to v5.17.1 or higher to allow Guardrails to process the `CreateDefaultVpc` event for Internet Gateways correctly.

aws-vpc-core v5.17.1 - Bug fixed - Guardrails will now upsert DHCP Options into CMDB correctly while processing real-time `CreateDefaultVpc` events

Mon, 04 Mar 2024 09:00:00 GMT

_Bug fixes_ - Previously, Guardrails did not upsert DHCP Options into the CMDB while processing real-time `CreateDefaultVpc` events. This issue has been fixed, and DHCP Options will now be more reliably upserted into the Guardrails CMDB.

gcp-dataproc v5.8.1 - Bug fixed - Improved filters for real-time Dataproc lists events to reduce unnecessary processing

Sat, 02 Mar 2024 09:00:00 GMT

_Bug fixes_ - Previously, Guardrails unnecessarily listened to and processed real-time `lists` events for various Dataproc resources. We've now improved our events filter to ignore these `lists` events, thereby reducing unnecessary processing.

gcp v5.23.4 - Bug fixed - The Event Handlers > Pub/Sub stack control will now transition to an Invalid state until Guardrails can correctly fetch the project number

Thu, 29 Feb 2024 09:00:00 GMT

_Bug fixes_ - The `GCP > Turbot > Event Handlers > Pub/Sub` stack control previously attempted to create a topic and its IAM member incorrectly when the `GCP > Turbot > Event Handlers > Logging > Unique Writer Identity` policy was set to `Enforce: Unique Identity`, but the project number for the project was not available. This is fixed and the control will transition to an Invalid state until Guardrails can correctly fetch the project number.

gcp-pubsub v5.9.0 - You can now manage labels for Pub/Sub Topics via Guardrails

Wed, 28 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Pub/Sub > Topic > Labels - Policy Types: - GCP > Pub/Sub > Topic > Labels - GCP > Pub/Sub > Topic > Labels > Template - Action Types - GCP > Pub/Sub > Topic > Set Labels

aws-s3 v5.23.1 - Bug fixed - Encryption in Transit and Encryption at Rest controls will now wait for a few minutes before applying their respective enforcements

Wed, 28 Feb 2024 09:00:00 GMT

_Bug fixes_ - In a previous version (v5.6.2), we introduced a change in the `AWS > S3 > Bucket > Encryption in Transit` and `AWS > S3 > Bucket > Encryption at Rest` control to wait for a few minutes before applying the respective policies to new buckets created via Cloudformation Stacks. We've now extended this feature to all buckets regardless of how they were created, to ensure that IaC changes can be correctly applied to buckets without interference from immediate policy enforcements.

Turbot Guardrails Enterprise Foundation (TEF) v1.57.0 - Added support for Advanced Tier for SSM Parameters

Tue, 27 Feb 2024 09:00:00 GMT

_What's new?_ - Added support for Advanced Tier for SSM Parameters. - Increased the visibility timeout from 60 seconds to 7200 seconds and decreased the message retention period to 7 days for runnable DLQ.

Turbot Guardrails Enterprise Database (TED) v1.40.0 - Added support for Postgres versions 15.5 and Redis 7.1

Tue, 27 Feb 2024 09:00:00 GMT

_What's new?_ - Added: Support for Postgres versions 14.9, 14.10, 15.4 and 15.5. - Added: Support for Redis 7.1. - Added: m6gd.medium to instance type parameter for RDS. - Added: Support for Advanced Tier for SSM Parameters. - Removed: t4.micro and t4.small from instance type parameter for RDS. _Note_ To use the latest RDS certificate in commercial cloud, please upgrade TE to 5.42.3 or higher and update the `RDS CA Certificate for Commercial Cloud` parameter.

Turbot Guardrails Enterprise (TE) v5.42.18 - Added support for AWS Custom Group Levels

Tue, 27 Feb 2024 09:00:00 GMT

_Bug fixes_ - Server - Added: Support for AWS Custom Group Levels. - Updated: The DLQ lambda timeout has been updated to 2 minutes instead of 1 minute. - Updated: The Events DLQ visibility timeout has been increased from 15 minutes to 4 hours. - Updated: The Events DLQ MessageRetentionPeriod has been decreased from 14 days to 7 days. - UI - Added: Action button to run immediate policy value. _Requirements_ - TEF: 1.57.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

turbot-iam v5.11.0 - Added support for group permission levels

Tue, 27 Feb 2024 09:00:00 GMT

_What's new?_ - Added support for group permission levels.

servicenow-gcp-firebase v5.0.0 is now available

Tue, 27 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Firebase > Android App > ServiceNow - GCP > Firebase > Android App > ServiceNow > Configuration Item - GCP > Firebase > Android App > ServiceNow > Table - GCP > Firebase > Firebase Project > ServiceNow - GCP > Firebase > Firebase Project > ServiceNow > Configuration Item - GCP > Firebase > Firebase Project > ServiceNow > Table - GCP > Firebase > Web App > ServiceNow - GCP > Firebase > Web App > ServiceNow > Configuration Item - GCP > Firebase > Web App > ServiceNow > Table - GCP > Firebase > iOS App > ServiceNow - GCP > Firebase > iOS App > ServiceNow > Configuration Item - GCP > Firebase > iOS App > ServiceNow > Table - Policy Types: - GCP > Firebase > Android App > ServiceNow - GCP > Firebase > Android App > ServiceNow > Configuration Item - GCP > Firebase > Android App > ServiceNow > Configuration Item > Record - GCP > Firebase > Android App > ServiceNow > Configuration Item > Table Definition - GCP > Firebase > Android App > ServiceNow > Table - GCP > Firebase > Android App > ServiceNow > Table > Definition - GCP > Firebase > Firebase Project > ServiceNow - GCP > Firebase > Firebase Project > ServiceNow > Configuration Item - GCP > Firebase > Firebase Project > ServiceNow > Configuration Item > Record - GCP > Firebase > Firebase Project > ServiceNow > Configuration Item > Table Definition - GCP > Firebase > Firebase Project > ServiceNow > Table - GCP > Firebase > Firebase Project > ServiceNow > Table > Definition - GCP > Firebase > Web App > ServiceNow - GCP > Firebase > Web App > ServiceNow > Configuration Item - GCP > Firebase > Web App > ServiceNow > Configuration Item > Record - GCP > Firebase > Web App > ServiceNow > Configuration Item > Table Definition - GCP > Firebase > Web App > ServiceNow > Table - GCP > Firebase > Web App > ServiceNow > Table > Definition - GCP > Firebase > iOS App > ServiceNow - GCP > Firebase > iOS App > ServiceNow > Configuration Item - GCP > Firebase > iOS App > ServiceNow > Configuration Item > Record - GCP > Firebase > iOS App > ServiceNow > Configuration Item > Table Definition - GCP > Firebase > iOS App > ServiceNow > Table - GCP > Firebase > iOS App > ServiceNow > Table > Definition

aws-secretsmanager v5.7.0 - Secret CMDB control would go into an error state if Guardrails did not have permissions to describe a secret

Tue, 27 Feb 2024 09:00:00 GMT

_What's new?_ - The `AWS > Secrets Manager > Secret > CMDB` control would go into an error state if Guardrails did not have permissions to describe a secret. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the `AWS > Secrets Manager > Secret > CMDB` policy to `Enforce: Enabled but ignore permission errors`.

aws-iam v5.34.0 - You can now attach custom IAM Groups to Guardrails users

Tue, 27 Feb 2024 09:00:00 GMT

_What's new?_ - You can now attach custom IAM Groups to Guardrails users if the `AWS > Turbot > Permissions` policy is set to `Enforce: User Mode`. To get started, set the `AWS > Turbot > Permissions > Custom Group Levels [Account]` policy and then attach the custom group to a user via the Grant Permission button on the Permissions page. Please note that this feature will work as intended only on TE v5.42.18 or higher and `turbot-iam` mod v5.11.0 or higher. - Policy Types: - AWS > Turbot > Permissions > Custom Group Levels [Account] - Policy Types renamed: - AWS > Turbot > Permissions > Custom Levels [Account] to AWS > Turbot > Permissions > Custom Role Levels [Account] - AWS > Turbot > Permissions > Custom Levels [Folder] to AWS > Turbot > Permissions > Custom Role Levels [Folder]

servicenow-gcp-network v5.1.0 - Added support for various network resources

Fri, 23 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Network > Address > ServiceNow - GCP > Network > Address > ServiceNow > Configuration Item - GCP > Network > Address > ServiceNow > Table - GCP > Network > Backend Bucket > ServiceNow - GCP > Network > Backend Bucket > ServiceNow > Configuration Item - GCP > Network > Backend Bucket > ServiceNow > Table - GCP > Network > Backend Service > ServiceNow - GCP > Network > Backend Service > ServiceNow > Configuration Item - GCP > Network > Backend Service > ServiceNow > Table - GCP > Network > Firewall > ServiceNow - GCP > Network > Firewall > ServiceNow > Configuration Item - GCP > Network > Firewall > ServiceNow > Table - GCP > Network > Forwarding Rule > ServiceNow - GCP > Network > Forwarding Rule > ServiceNow > Configuration Item - GCP > Network > Forwarding Rule > ServiceNow > Table - GCP > Network > Global Address > ServiceNow - GCP > Network > Global Address > ServiceNow > Configuration Item - GCP > Network > Global Address > ServiceNow > Table - GCP > Network > Global Forwarding Rule > ServiceNow - GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item - GCP > Network > Global Forwarding Rule > ServiceNow > Table - GCP > Network > Interconnect > ServiceNow - GCP > Network > Interconnect > ServiceNow > Configuration Item - GCP > Network > Interconnect > ServiceNow > Table - GCP > Network > Packet Mirroring > ServiceNow - GCP > Network > Packet Mirroring > ServiceNow > Configuration Item - GCP > Network > Packet Mirroring > ServiceNow > Table - GCP > Network > Region Backend Service > ServiceNow - GCP > Network > Region Backend Service > ServiceNow > Configuration Item - GCP > Network > Region Backend Service > ServiceNow > Table - GCP > Network > Region SSL Certificate > ServiceNow - GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item - GCP > Network > Region SSL Certificate > ServiceNow > Table - GCP > Network > Region Target HTTPS Proxy > ServiceNow - GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item - GCP > Network > Region Target HTTPS Proxy > ServiceNow > Table - GCP > Network > Region URL Map > ServiceNow - GCP > Network > Region URL Map > ServiceNow > Configuration Item - GCP > Network > Region URL Map > ServiceNow > Table - GCP > Network > Route > ServiceNow - GCP > Network > Route > ServiceNow > Configuration Item - GCP > Network > Route > ServiceNow > Table - GCP > Network > Router > ServiceNow - GCP > Network > Router > ServiceNow > Configuration Item - GCP > Network > Router > ServiceNow > Table - GCP > Network > SSL Certificate > ServiceNow - GCP > Network > SSL Certificate > ServiceNow > Configuration Item - GCP > Network > SSL Certificate > ServiceNow > Table - GCP > Network > SSL Policy > ServiceNow - GCP > Network > SSL Policy > ServiceNow > Configuration Item - GCP > Network > SSL Policy > ServiceNow > Table - GCP > Network > Target HTTPS Proxy > ServiceNow - GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item - GCP > Network > Target HTTPS Proxy > ServiceNow > Table - GCP > Network > Target Pool > ServiceNow - GCP > Network > Target Pool > ServiceNow > Configuration Item - GCP > Network > Target Pool > ServiceNow > Table - GCP > Network > Target SSL Proxy > ServiceNow - GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item - GCP > Network > Target SSL Proxy > ServiceNow > Table - GCP > Network > Target TCP Proxy > ServiceNow - GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item - GCP > Network > Target TCP Proxy > ServiceNow > Table - GCP > Network > Target VPN Gateway > ServiceNow - GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item - GCP > Network > Target VPN Gateway > ServiceNow > Table - GCP > Network > URL Map > ServiceNow - GCP > Network > URL Map > ServiceNow > Configuration Item - GCP > Network > URL Map > ServiceNow > Table - GCP > Network > VPN Tunnel > ServiceNow - GCP > Network > VPN Tunnel > ServiceNow > Configuration Item - GCP > Network > VPN Tunnel > ServiceNow > Table - Policy Types: - GCP > Network > Address > ServiceNow - GCP > Network > Address > ServiceNow > Configuration Item - GCP > Network > Address > ServiceNow > Configuration Item > Record - GCP > Network > Address > ServiceNow > Configuration Item > Table Definition - GCP > Network > Address > ServiceNow > Table - GCP > Network > Address > ServiceNow > Table > Definition - GCP > Network > Backend Bucket > ServiceNow - GCP > Network > Backend Bucket > ServiceNow > Configuration Item - GCP > Network > Backend Bucket > ServiceNow > Configuration Item > Record - GCP > Network > Backend Bucket > ServiceNow > Configuration Item > Table Definition - GCP > Network > Backend Bucket > ServiceNow > Table - GCP > Network > Backend Bucket > ServiceNow > Table > Definition - GCP > Network > Backend Service > ServiceNow - GCP > Network > Backend Service > ServiceNow > Configuration Item - GCP > Network > Backend Service > ServiceNow > Configuration Item > Record - GCP > Network > Backend Service > ServiceNow > Configuration Item > Table Definition - GCP > Network > Backend Service > ServiceNow > Table - GCP > Network > Backend Service > ServiceNow > Table > Definition - GCP > Network > Firewall > ServiceNow - GCP > Network > Firewall > ServiceNow > Configuration Item - GCP > Network > Firewall > ServiceNow > Configuration Item > Record - GCP > Network > Firewall > ServiceNow > Configuration Item > Table Definition - GCP > Network > Firewall > ServiceNow > Table - GCP > Network > Firewall > ServiceNow > Table > Definition - GCP > Network > Forwarding Rule > ServiceNow - GCP > Network > Forwarding Rule > ServiceNow > Configuration Item - GCP > Network > Forwarding Rule > ServiceNow > Configuration Item > Record - GCP > Network > Forwarding Rule > ServiceNow > Configuration Item > Table Definition - GCP > Network > Forwarding Rule > ServiceNow > Table - GCP > Network > Forwarding Rule > ServiceNow > Table > Definition - GCP > Network > Global Address > ServiceNow - GCP > Network > Global Address > ServiceNow > Configuration Item - GCP > Network > Global Address > ServiceNow > Configuration Item > Record - GCP > Network > Global Address > ServiceNow > Configuration Item > Table Definition - GCP > Network > Global Address > ServiceNow > Table - GCP > Network > Global Address > ServiceNow > Table > Definition - GCP > Network > Global Forwarding Rule > ServiceNow - GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item - GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item > Record - GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item > Table Definition - GCP > Network > Global Forwarding Rule > ServiceNow > Table - GCP > Network > Global Forwarding Rule > ServiceNow > Table > Definition - GCP > Network > Interconnect > ServiceNow - GCP > Network > Interconnect > ServiceNow > Configuration Item - GCP > Network > Interconnect > ServiceNow > Configuration Item > Record - GCP > Network > Interconnect > ServiceNow > Configuration Item > Table Definition - GCP > Network > Interconnect > ServiceNow > Table - GCP > Network > Interconnect > ServiceNow > Table > Definition - GCP > Network > Packet Mirroring > ServiceNow - GCP > Network > Packet Mirroring > ServiceNow > Configuration Item - GCP > Network > Packet Mirroring > ServiceNow > Configuration Item > Record - GCP > Network > Packet Mirroring > ServiceNow > Configuration Item > Table Definition - GCP > Network > Packet Mirroring > ServiceNow > Table - GCP > Network > Packet Mirroring > ServiceNow > Table > Definition - GCP > Network > Region Backend Service > ServiceNow - GCP > Network > Region Backend Service > ServiceNow > Configuration Item - GCP > Network > Region Backend Service > ServiceNow > Configuration Item > Record - GCP > Network > Region Backend Service > ServiceNow > Configuration Item > Table Definition - GCP > Network > Region Backend Service > ServiceNow > Table - GCP > Network > Region Backend Service > ServiceNow > Table > Definition - GCP > Network > Region SSL Certificate > ServiceNow - GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item - GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item > Record - GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item > Table Definition - GCP > Network > Region SSL Certificate > ServiceNow > Table - GCP > Network > Region SSL Certificate > ServiceNow > Table > Definition - GCP > Network > Region Target HTTPS Proxy > ServiceNow - GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item - GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item > Record - GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item > Table Definition - GCP > Network > Region Target HTTPS Proxy > ServiceNow > Table - GCP > Network > Region Target HTTPS Proxy > ServiceNow > Table > Definition - GCP > Network > Region URL Map > ServiceNow - GCP > Network > Region URL Map > ServiceNow > Configuration Item - GCP > Network > Region URL Map > ServiceNow > Configuration Item > Record - GCP > Network > Region URL Map > ServiceNow > Configuration Item > Table Definition - GCP > Network > Region URL Map > ServiceNow > Table - GCP > Network > Region URL Map > ServiceNow > Table > Definition - GCP > Network > Route > ServiceNow - GCP > Network > Route > ServiceNow > Configuration Item - GCP > Network > Route > ServiceNow > Configuration Item > Record - GCP > Network > Route > ServiceNow > Configuration Item > Table Definition - GCP > Network > Route > ServiceNow > Table - GCP > Network > Route > ServiceNow > Table > Definition - GCP > Network > Router > ServiceNow - GCP > Network > Router > ServiceNow > Configuration Item - GCP > Network > Router > ServiceNow > Configuration Item > Record - GCP > Network > Router > ServiceNow > Configuration Item > Table Definition - GCP > Network > Router > ServiceNow > Table - GCP > Network > Router > ServiceNow > Table > Definition - GCP > Network > SSL Certificate > ServiceNow - GCP > Network > SSL Certificate > ServiceNow > Configuration Item - GCP > Network > SSL Certificate > ServiceNow > Configuration Item > Record - GCP > Network > SSL Certificate > ServiceNow > Configuration Item > Table Definition - GCP > Network > SSL Certificate > ServiceNow > Table - GCP > Network > SSL Certificate > ServiceNow > Table > Definition - GCP > Network > SSL Policy > ServiceNow - GCP > Network > SSL Policy > ServiceNow > Configuration Item - GCP > Network > SSL Policy > ServiceNow > Configuration Item > Record - GCP > Network > SSL Policy > ServiceNow > Configuration Item > Table Definition - GCP > Network > SSL Policy > ServiceNow > Table - GCP > Network > SSL Policy > ServiceNow > Table > Definition - GCP > Network > Target HTTPS Proxy > ServiceNow - GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item - GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item > Record - GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item > Table Definition - GCP > Network > Target HTTPS Proxy > ServiceNow > Table - GCP > Network > Target HTTPS Proxy > ServiceNow > Table > Definition - GCP > Network > Target Pool > ServiceNow - GCP > Network > Target Pool > ServiceNow > Configuration Item - GCP > Network > Target Pool > ServiceNow > Configuration Item > Record - GCP > Network > Target Pool > ServiceNow > Configuration Item > Table Definition - GCP > Network > Target Pool > ServiceNow > Table - GCP > Network > Target Pool > ServiceNow > Table > Definition - GCP > Network > Target SSL Proxy > ServiceNow - GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item - GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item > Record - GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item > Table Definition - GCP > Network > Target SSL Proxy > ServiceNow > Table - GCP > Network > Target SSL Proxy > ServiceNow > Table > Definition - GCP > Network > Target TCP Proxy > ServiceNow - GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item - GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item > Record - GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item > Table Definition - GCP > Network > Target TCP Proxy > ServiceNow > Table - GCP > Network > Target TCP Proxy > ServiceNow > Table > Definition - GCP > Network > Target VPN Gateway > ServiceNow - GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item - GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item > Record - GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item > Table Definition - GCP > Network > Target VPN Gateway > ServiceNow > Table - GCP > Network > Target VPN Gateway > ServiceNow > Table > Definition - GCP > Network > URL Map > ServiceNow - GCP > Network > URL Map > ServiceNow > Configuration Item - GCP > Network > URL Map > ServiceNow > Configuration Item > Record - GCP > Network > URL Map > ServiceNow > Configuration Item > Table Definition - GCP > Network > URL Map > ServiceNow > Table - GCP > Network > URL Map > ServiceNow > Table > Definition - GCP > Network > VPN Tunnel > ServiceNow - GCP > Network > VPN Tunnel > ServiceNow > Configuration Item - GCP > Network > VPN Tunnel > ServiceNow > Configuration Item > Record - GCP > Network > VPN Tunnel > ServiceNow > Configuration Item > Table Definition - GCP > Network > VPN Tunnel > ServiceNow > Table - GCP > Network > VPN Tunnel > ServiceNow > Table > Definition

aws-vpc-security v5.9.4 - Bug fixed - VPC Stack control would sometimes fail to claim existing Flow Logs in Guardrails CMDB

Thu, 22 Feb 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > VPC > VPC > Stack` control would sometimes fail to claim existing Flow Logs in Guardrails CMDB. This is now fixed.

servicenow-gcp-iam v5.0.0 is now available

Wed, 21 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > IAM > Project Role > ServiceNow - GCP > IAM > Project Role > ServiceNow > Configuration Item - GCP > IAM > Project Role > ServiceNow > Table - GCP > IAM > Project User > ServiceNow - GCP > IAM > Project User > ServiceNow > Configuration Item - GCP > IAM > Project User > ServiceNow > Table - GCP > IAM > Service Account > ServiceNow - GCP > IAM > Service Account > ServiceNow > Configuration Item - GCP > IAM > Service Account > ServiceNow > Table - GCP > IAM > Service Account Key > ServiceNow - GCP > IAM > Service Account Key > ServiceNow > Configuration Item - GCP > IAM > Service Account Key > ServiceNow > Table - GCP > Project > Policy > ServiceNow - GCP > Project > Policy > ServiceNow > Configuration Item - GCP > Project > Policy > ServiceNow > Table - Policy Types: - GCP > IAM > Project Role > ServiceNow - GCP > IAM > Project Role > ServiceNow > Configuration Item - GCP > IAM > Project Role > ServiceNow > Configuration Item > Record - GCP > IAM > Project Role > ServiceNow > Configuration Item > Table Definition - GCP > IAM > Project Role > ServiceNow > Table - GCP > IAM > Project Role > ServiceNow > Table > Definition - GCP > IAM > Project User > ServiceNow - GCP > IAM > Project User > ServiceNow > Configuration Item - GCP > IAM > Project User > ServiceNow > Configuration Item > Record - GCP > IAM > Project User > ServiceNow > Configuration Item > Table Definition - GCP > IAM > Project User > ServiceNow > Table - GCP > IAM > Project User > ServiceNow > Table > Definition - GCP > IAM > Service Account > ServiceNow - GCP > IAM > Service Account > ServiceNow > Configuration Item - GCP > IAM > Service Account > ServiceNow > Configuration Item > Record - GCP > IAM > Service Account > ServiceNow > Configuration Item > Table Definition - GCP > IAM > Service Account > ServiceNow > Table - GCP > IAM > Service Account > ServiceNow > Table > Definition - GCP > IAM > Service Account Key > ServiceNow - GCP > IAM > Service Account Key > ServiceNow > Configuration Item - GCP > IAM > Service Account Key > ServiceNow > Configuration Item > Record - GCP > IAM > Service Account Key > ServiceNow > Configuration Item > Table Definition - GCP > IAM > Service Account Key > ServiceNow > Table - GCP > IAM > Service Account Key > ServiceNow > Table > Definition - GCP > Project > Policy > ServiceNow - GCP > Project > Policy > ServiceNow > Configuration Item - GCP > Project > Policy > ServiceNow > Configuration Item > Record - GCP > Project > Policy > ServiceNow > Configuration Item > Table Definition - GCP > Project > Policy > ServiceNow > Table - GCP > Project > Policy > ServiceNow > Table > Definition

servicenow-gcp-functions v5.0.0 is now available

Wed, 21 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Functions > Function > ServiceNow - GCP > Functions > Function > ServiceNow > Configuration Item - GCP > Functions > Function > ServiceNow > Table - Policy Types: - GCP > Functions > Function > ServiceNow - GCP > Functions > Function > ServiceNow > Configuration Item - GCP > Functions > Function > ServiceNow > Configuration Item > Record - GCP > Functions > Function > ServiceNow > Configuration Item > Table Definition - GCP > Functions > Function > ServiceNow > Table - GCP > Functions > Function > ServiceNow > Table > Definition

aws-sns v5.15.1 - Bug fixed - SNS Subscription CMDB control would go into an error state if Guardrails did not have permissions to describe a subscription

Wed, 21 Feb 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > SNS > Subscription > CMDB` control would go into an error state if Guardrails did not have permissions to describe a subscription. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the `AWS > SNS > Subscription > CMDB` policy to `Enforce: Enabled but ignore permission errors`.

servicenow-gcp v5.1.0 - Added support for GCP Projects

Tue, 20 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Project > ServiceNow - GCP > Project > ServiceNow > Configuration Item - GCP > Project > ServiceNow > Table - Policy Types: - GCP > Project > ServiceNow - GCP > Project > ServiceNow > Configuration Item - GCP > Project > ServiceNow > Configuration Item > Record - GCP > Project > ServiceNow > Configuration Item > Table Definition - GCP > Project > ServiceNow > Table - GCP > Project > ServiceNow > Table > Definition

servicenow-gcp-memorystore v5.0.0 is now available

Tue, 20 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Memorystore > Instance > ServiceNow - GCP > Memorystore > Instance > ServiceNow > Configuration Item - GCP > Memorystore > Instance > ServiceNow > Table - Policy Types: - GCP > Memorystore > Instance > ServiceNow - GCP > Memorystore > Instance > ServiceNow > Configuration Item - GCP > Memorystore > Instance > ServiceNow > Configuration Item > Record - GCP > Memorystore > Instance > ServiceNow > Configuration Item > Table Definition - GCP > Memorystore > Instance > ServiceNow > Table - GCP > Memorystore > Instance > ServiceNow > Table > Definition

servicenow-gcp-storage v5.1.0 - Added support for Storage Objects

Mon, 19 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Storage > Object > ServiceNow - GCP > Storage > Object > ServiceNow > Configuration Item - GCP > Storage > Object > ServiceNow > Table - Policy Types: - GCP > Storage > Object > ServiceNow - GCP > Storage > Object > ServiceNow > Configuration Item - GCP > Storage > Object > ServiceNow > Configuration Item > Record - GCP > Storage > Object > ServiceNow > Configuration Item > Table Definition - GCP > Storage > Object > ServiceNow > Table - GCP > Storage > Object > ServiceNow > Table > Definition

servicenow-gcp-secretmanager v5.0.0 is now available

Mon, 19 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Secret Manager > Secret > ServiceNow - GCP > Secret Manager > Secret > ServiceNow > Configuration Item - GCP > Secret Manager > Secret > ServiceNow > Table - Policy Types: - GCP > Secret Manager > Secret > ServiceNow - GCP > Secret Manager > Secret > ServiceNow > Configuration Item - GCP > Secret Manager > Secret > ServiceNow > Configuration Item > Record - GCP > Secret Manager > Secret > ServiceNow > Configuration Item > Table Definition - GCP > Secret Manager > Secret > ServiceNow > Table - GCP > Secret Manager > Secret > ServiceNow > Table > Definition

servicenow-gcp-scheduler v5.0.0 is now available

Mon, 19 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Scheduler > Job > ServiceNow - GCP > Scheduler > Job > ServiceNow > Configuration Item - GCP > Scheduler > Job > ServiceNow > Table - Policy Types: - GCP > Scheduler > Job > ServiceNow - GCP > Scheduler > Job > ServiceNow > Configuration Item - GCP > Scheduler > Job > ServiceNow > Configuration Item > Record - GCP > Scheduler > Job > ServiceNow > Configuration Item > Table Definition - GCP > Scheduler > Job > ServiceNow > Table - GCP > Scheduler > Job > ServiceNow > Table > Definition

servicenow-gcp-dataproc v5.0.0 is now available

Mon, 19 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Dataproc > Cluster > ServiceNow - GCP > Dataproc > Cluster > ServiceNow > Configuration Item - GCP > Dataproc > Cluster > ServiceNow > Table - GCP > Dataproc > Job > ServiceNow - GCP > Dataproc > Job > ServiceNow > Configuration Item - GCP > Dataproc > Job > ServiceNow > Table - GCP > Dataproc > Workflow Template > ServiceNow - GCP > Dataproc > Workflow Template > ServiceNow > Configuration Item - GCP > Dataproc > Workflow Template > ServiceNow > Table - Policy Types: - GCP > Dataproc > Cluster > ServiceNow - GCP > Dataproc > Cluster > ServiceNow > Configuration Item - GCP > Dataproc > Cluster > ServiceNow > Configuration Item > Record - GCP > Dataproc > Cluster > ServiceNow > Configuration Item > Table Definition - GCP > Dataproc > Cluster > ServiceNow > Table - GCP > Dataproc > Cluster > ServiceNow > Table > Definition - GCP > Dataproc > Job > ServiceNow - GCP > Dataproc > Job > ServiceNow > Configuration Item - GCP > Dataproc > Job > ServiceNow > Configuration Item > Record - GCP > Dataproc > Job > ServiceNow > Configuration Item > Table Definition - GCP > Dataproc > Job > ServiceNow > Table - GCP > Dataproc > Job > ServiceNow > Table > Definition - GCP > Dataproc > Workflow Template > ServiceNow - GCP > Dataproc > Workflow Template > ServiceNow > Configuration Item - GCP > Dataproc > Workflow Template > ServiceNow > Configuration Item > Record - GCP > Dataproc > Workflow Template > ServiceNow > Configuration Item > Table Definition - GCP > Dataproc > Workflow Template > ServiceNow > Table - GCP > Dataproc > Workflow Template > ServiceNow > Table > Definition

servicenow-gcp-composer v5.0.0 is now available

Mon, 19 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Composer > Environment > ServiceNow - GCP > Composer > Environment > ServiceNow > Configuration Item - GCP > Composer > Environment > ServiceNow > Table - Policy Types: - GCP > Composer > Environment > ServiceNow - GCP > Composer > Environment > ServiceNow > Configuration Item - GCP > Composer > Environment > ServiceNow > Configuration Item > Record - GCP > Composer > Environment > ServiceNow > Configuration Item > Table Definition - GCP > Composer > Environment > ServiceNow > Table - GCP > Composer > Environment > ServiceNow > Table > Definition

servicenow-gcp-monitoring v5.0.0 is now available

Fri, 16 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Monitoring > Alert Policy > ServiceNow - GCP > Monitoring > Alert Policy > ServiceNow > Configuration Item - GCP > Monitoring > Alert Policy > ServiceNow > Table - GCP > Monitoring > Group > ServiceNow - GCP > Monitoring > Group > ServiceNow > Configuration Item - GCP > Monitoring > Group > ServiceNow > Table - GCP > Monitoring > Notification Channel > ServiceNow - GCP > Monitoring > Notification Channel > ServiceNow > Configuration Item - GCP > Monitoring > Notification Channel > ServiceNow > Table - Policy Types: - GCP > Monitoring > Alert Policy > ServiceNow - GCP > Monitoring > Alert Policy > ServiceNow > Configuration Item - GCP > Monitoring > Alert Policy > ServiceNow > Configuration Item > Record - GCP > Monitoring > Alert Policy > ServiceNow > Configuration Item > Table Definition - GCP > Monitoring > Alert Policy > ServiceNow > Table - GCP > Monitoring > Alert Policy > ServiceNow > Table > Definition - GCP > Monitoring > Group > ServiceNow - GCP > Monitoring > Group > ServiceNow > Configuration Item - GCP > Monitoring > Group > ServiceNow > Configuration Item > Record - GCP > Monitoring > Group > ServiceNow > Configuration Item > Table Definition - GCP > Monitoring > Group > ServiceNow > Table - GCP > Monitoring > Group > ServiceNow > Table > Definition - GCP > Monitoring > Notification Channel > ServiceNow - GCP > Monitoring > Notification Channel > ServiceNow > Configuration Item - GCP > Monitoring > Notification Channel > ServiceNow > Configuration Item > Record - GCP > Monitoring > Notification Channel > ServiceNow > Configuration Item > Table Definition - GCP > Monitoring > Notification Channel > ServiceNow > Table - GCP > Monitoring > Notification Channel > ServiceNow > Table > Definition

servicenow-gcp-dns v5.0.0 is now available

Fri, 16 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > DNS > Managed Zone > ServiceNow - GCP > DNS > Managed Zone > ServiceNow > Configuration Item - GCP > DNS > Managed Zone > ServiceNow > Table - Policy Types: - GCP > DNS > Managed Zone > ServiceNow - GCP > DNS > Managed Zone > ServiceNow > Configuration Item - GCP > DNS > Managed Zone > ServiceNow > Configuration Item > Record - GCP > DNS > Managed Zone > ServiceNow > Configuration Item > Table Definition - GCP > DNS > Managed Zone > ServiceNow > Table - GCP > DNS > Managed Zone > ServiceNow > Table > Definition

servicenow-gcp-datapipeline v5.0.0 is now available

Fri, 16 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Datapipeline > Pipeline > ServiceNow - GCP > Datapipeline > Pipeline > ServiceNow > Configuration Item - GCP > Datapipeline > Pipeline > ServiceNow > Table - Policy Types: - GCP > Datapipeline > Pipeline > ServiceNow - GCP > Datapipeline > Pipeline > ServiceNow > Configuration Item - GCP > Datapipeline > Pipeline > ServiceNow > Configuration Item > Record - GCP > Datapipeline > Pipeline > ServiceNow > Configuration Item > Table Definition - GCP > Datapipeline > Pipeline > ServiceNow > Table - GCP > Datapipeline > Pipeline > ServiceNow > Table > Definition

servicenow-gcp-dataflow v5.0.0 is now available

Fri, 16 Feb 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Dataflow > Job > ServiceNow - GCP > Dataflow > Job > ServiceNow > Configuration Item - GCP > Dataflow > Job > ServiceNow > Table - Policy Types: - GCP > Dataflow > Job > ServiceNow - GCP > Dataflow > Job > ServiceNow > Configuration Item - GCP > Dataflow > Job > ServiceNow > Configuration Item > Record - GCP > Dataflow > Job > ServiceNow > Configuration Item > Table Definition - GCP > Dataflow > Job > ServiceNow > Table - GCP > Dataflow > Job > ServiceNow > Table > Definition

gcp-computeengine v5.18.1 - Bug fixed - Instance Template CMDB control would go into an error state due to a bad internal build

Fri, 16 Feb 2024 09:00:00 GMT

_Bug fixes_ - The `GCP > Compute Engine > Instance Template > CMDB` control would sometimes go into an error state due to a bad internal build. This is fixed and the control will now work as expected.

azure v5.18.2 - Bug fixed - Guardrails would sometimes fail to import Azure Subscriptions

Fri, 16 Feb 2024 09:00:00 GMT

_Bug fixes_ - Due to an inadvertently introduced issue with an internal build for `Azure > Subscription`, importing subscriptions encountered schema validation problems. This issue has been resolved, and you can now successfully import subscriptions as before.

aws-ec2 v5.39.1 - Bugs fixed - Guardrails would sometimes upsert Snapshots and Volumes with incorrect AKAs

Fri, 16 Feb 2024 09:00:00 GMT

_Bug fixes_ - In the previous version, while we improved on the way we discovered missing Snapshots and Volumes while processing their update events, we inadvertently introduced a bug where some resources were upserted with incorrect AKAs. Such resources with malformed AKAs should now be cleaned up automatically from the environment, and Guardrails will now discover resources more correctly and consistently than before. - In a previous version (v5.31.4), we implemented a feature to Discover Instances while processing their update events respectively, if those resources were missing from Guardrails CMDB. In busy environments, this would sometimes cause unnecessary Lambda executions. We've now improved this behavior to upsert the missing resources in a lighter and faster way.

aws v5.29.3 - Added support for `ap-northeast-3` in the `AWS > Account > Regions` policy

Tue, 13 Feb 2024 09:00:00 GMT

_What's new?_ - Added support for `ap-northeast-3` in the `AWS > Account > Regions` policy.

aws-logs v5.12.1 - Added support for newer `ap-` and `eu-` regions in the `AWS > Logs > Regions` policy

Tue, 13 Feb 2024 09:00:00 GMT

_What's new?_ - Added support for `af-south-1`, `ap-northeast-3`, `ap-south-2`, `ap-southeast-3`, `ap-southeast-4`, `ca-west-1`, `eu-central-2`, `eu-south-1`, `eu-south-2`, `il-central-1` and `me-central-1` regions in the `AWS > Logs > Regions` policy.

aws-ec2 v5.39.0 - You can now configure Block Public Access for Snapshots

Tue, 13 Feb 2024 09:00:00 GMT

_What's new?_ - You can now configure Block Public Access for Snapshots. To get started, set the `AWS > EC2 > Account Attributes > Block Public Access for Snapshots` policy. - You can now also disable Block Public Access for AMIs. To get started, set the `AWS > EC2 > Account Attributes > Block Public Access for AMIs` policy. - `AWS/EC2/Admin`, `AWS/EC2/Metadata` and `AWS/EC2/Operator` now includes permissions for Verified Access Endpoints, Verified Access Groups and Verified Access Trust Providers. - Control Types: - AWS > EC2 > Account Attributes > Block Public Access for Snapshots - Policy Types: - AWS > EC2 > Account Attributes > Block Public Access for Snapshots - Action Types: - AWS > EC2 > Account Attributes > Update Block Public Access for Snapshots _Bug fixes_ - In a previous version (v5.31.4), we implemented a feature to Discover Snapshots and Volumes while processing their update events respectively, if those resources were missing from Guardrails CMDB. In busy environments, this would sometimes cause unnecessary Lambda executions. We've now improved this behavior to upsert the missing resources in a lighter and faster way.

Turbot Guardrails Enterprise Foundation (TEF) v1.56.0 - Added `Deny: *` for HTTP traffic in Turbot Policy Parameter for SNS Policy

Wed, 07 Feb 2024 09:00:00 GMT

_What's new?_ - Updated: MaxPalyloadSize parameter description. - Updated: Turbot Policy Parameter to add back `Deny: *` for HTTP in SNS Policy.

Turbot Guardrails Enterprise Database (TED) v1.39.0 - Added support for Postgres versions 13.12 and 13.13

Wed, 07 Feb 2024 09:00:00 GMT

_What's new?_ - Added: Postgres versions 13.12 and 13.13. - Updated: CloudWatch Alarms will now use TEF SNS topic.

Turbot Guardrails Enterprise (TE) v5.42.17 - Added explicit Deny policy for HTTP traffic

Wed, 07 Feb 2024 09:00:00 GMT

_Bug fixes_ - Server - Added the `Deny:*` policy for HTTP traffic back to the turbot-policy-parameter custom lambda code. - Event DLQ should not set the control or policy value to error if there has been a new process started for the control or policy value. - Run next should drop the events in case of recursive loop. - Add additional retryable throttling codes for actions. _Requirements_ - TEF: 1.55.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

gcp-dataproc v5.8.0 - Lambda runtimes now powered by Node 18

Wed, 07 Feb 2024 09:00:00 GMT

gcp-composer v5.4.0 - Lambda runtimes now powered by Node 18

Wed, 07 Feb 2024 09:00:00 GMT

gcp-spanner v5.8.0 - Lambda runtimes now powered by Node 18

Tue, 06 Feb 2024 09:00:00 GMT

Terraform Provider v1.10.1 is now available

Mon, 05 Feb 2024 09:00:00 GMT

v1.10.1 of the [Terraform Provider for Guardrails](https://registry.terraform.io/providers/turbot/turbot/1.10.1) is now available. _Bug fixes_ - `resource/turbot_file`: terraform apply failed to update `content` of an existing File in Guardrails. This is now fixed.

gcp-logging v5.4.0 - Lambda runtimes now powered by Node 18

Mon, 05 Feb 2024 09:00:00 GMT

Mon, 05 Feb 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

azure-applicationgateway v5.7.0 - Lambda runtimes now powered by Node 18

Mon, 05 Feb 2024 09:00:00 GMT

aws-ec2 v5.38.1 - Bugs Fixed - Discovery control for Key Pair would go into an error state due to unhandled escape characters

Mon, 05 Feb 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > EC2 > Key Pair > Discovery` control would sometimes go into an error state if a Key Pair alias included escape characters. This is now fixed. - Control Types renamed: - `AWS > EC2 > Volume > Configuration` to `AWS > EC2 > Volume > Performance Configuration` - Policy Types renamed: - `AWS > EC2 > Volume > Configuration` to `AWS > EC2 > Volume > Performance Configuration` - `AWS > EC2 > Volume > Configuration > IOPS Capacity` to `AWS > EC2 > Volume > Performance Configuration > IOPS Capacity` - `AWS > EC2 > Volume > Configuration > Throughput` to `AWS > EC2 > Volume > Performance Configuration > Throughput` - `AWS > EC2 > Volume > Configuration > Type` to `AWS > EC2 > Volume > Performance Configuration > Type` - Action Types renamed: - `AWS > EC2 > Volume > Update Configuration` to `AWS > EC2 > Volume > Update Performance Configuration`

turbot v5.42.1 - Policy Setting Expiration control will now run every 12 hours by default

Sun, 04 Feb 2024 09:00:00 GMT

_Bug fixes_ - The `Turbot > Policy Setting Expiration` control will now run every 12 hours to manage policy setting expirations more consistently than before.

gcp-network v5.13.0 - Lambda runtimes now powered by Node 18

Fri, 02 Feb 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

gcp-iam v5.13.0 - Lambda runtimes now powered by Node 18

Fri, 02 Feb 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

gcp-bigtable v5.8.0 - Lambda runtimes now powered by Node 18

Fri, 02 Feb 2024 09:00:00 GMT

gcp-appengine v5.3.0 - Lambda runtimes now powered by Node 18

Fri, 02 Feb 2024 09:00:00 GMT

azure-sql v5.13.0 - Lambda runtimes now powered by Node 18

Fri, 02 Feb 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

azure-provider v5.10.0 - Lambda runtimes now powered by Node 18

Fri, 02 Feb 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

azure-loganalytics v5.8.0 - Lambda runtimes now powered by Node 18

Fri, 02 Feb 2024 09:00:00 GMT

azure-loadbalancer v5.7.0 - Lambda runtimes now powered by Node 18

Fri, 02 Feb 2024 09:00:00 GMT

azure-iam v5.11.0 - Lambda runtimes now powered by Node 18

Fri, 02 Feb 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

azure-dns v5.8.0 - Lambda runtimes now powered by Node 18

Fri, 02 Feb 2024 09:00:00 GMT

gcp v5.23.3 - Bug fixed - Org Policy details will now be properly and consistently sorted for Projects

Thu, 01 Feb 2024 09:00:00 GMT

_Bug fixes_ - The Org policy details in the Project CMDB data will now be properly and consistently sorted.

gcp-storage v5.11.0 - Lambda runtimes now powered by Node 18

Thu, 01 Feb 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

gcp-sql v5.8.0 - Lambda runtimes now powered by Node 18

Thu, 01 Feb 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

gcp-scheduler v5.4.0 - Lambda runtimes now powered by Node 18

Thu, 01 Feb 2024 09:00:00 GMT

gcp-pubsub v5.8.0 - Lambda runtimes now powered by Node 18

Thu, 01 Feb 2024 09:00:00 GMT

gcp-monitoring v5.6.0 - Lambda runtimes now powered by Node 18

Thu, 01 Feb 2024 09:00:00 GMT

gcp-dns v5.6.0 - Lambda runtimes now powered by Node 18

Thu, 01 Feb 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

gcp-build v5.2.0 - Lambda runtimes now powered by Node 18

Thu, 01 Feb 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

azure-storage v5.15.0 - Lambda runtimes now powered by Node 18

Thu, 01 Feb 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

servicenow-gcp-spanner v5.0.0 is now available

Thu, 25 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Cloud Run > Service > ServiceNow - GCP > Cloud Run > Service > ServiceNow > Configuration Item - GCP > Cloud Run > Service > ServiceNow > Table - Policy Types: - GCP > Cloud Run > Service > ServiceNow - GCP > Cloud Run > Service > ServiceNow > Configuration Item - GCP > Cloud Run > Service > ServiceNow > Configuration Item > Record - GCP > Cloud Run > Service > ServiceNow > Configuration Item > Table Definition - GCP > Cloud Run > Service > ServiceNow > Table - GCP > Cloud Run > Service > ServiceNow > Table > Definition

servicenow-gcp-run v5.0.0 is now available

Thu, 25 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Spanner > Database > ServiceNow - GCP > Spanner > Database > ServiceNow > Configuration Item - GCP > Spanner > Database > ServiceNow > Table - GCP > Spanner > Instance > ServiceNow - GCP > Spanner > Instance > ServiceNow > Configuration Item - GCP > Spanner > Instance > ServiceNow > Table - Policy Types: - GCP > Spanner > Database > ServiceNow - GCP > Spanner > Database > ServiceNow > Configuration Item - GCP > Spanner > Database > ServiceNow > Configuration Item > Record - GCP > Spanner > Database > ServiceNow > Configuration Item > Table Definition - GCP > Spanner > Database > ServiceNow > Table - GCP > Spanner > Database > ServiceNow > Table > Definition - GCP > Spanner > Instance > ServiceNow - GCP > Spanner > Instance > ServiceNow > Configuration Item - GCP > Spanner > Instance > ServiceNow > Configuration Item > Record - GCP > Spanner > Instance > ServiceNow > Configuration Item > Table Definition - GCP > Spanner > Instance > ServiceNow > Table - GCP > Spanner > Instance > ServiceNow > Table > Definition

aws-ec2 v5.38.0 - You can now configure Volume Type, IOPS Capacity and Throughput for EBS Volumes

Thu, 25 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - AWS > EC2 > Volume > Configuration - Policy Types: - AWS > EC2 > Volume > Configuration - AWS > EC2 > Volume > Configuration > IOPS Capacity - AWS > EC2 > Volume > Configuration > Throughput - AWS > EC2 > Volume > Configuration > Type - Action Types: - AWS > EC2 > Volume > Update Configuration

Turbot Guardrails Enterprise (TE) v5.42.16 - Added MAX_PAYLOAD_SIZE parameter to customize API size limit

Fri, 19 Jan 2024 09:00:00 GMT

_What's new?_ - Server - You can now update API size limit via the MAX_PAYLOAD_SIZE parameter. _Requirements_ - TEF: 1.55.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

gcp-datapipeline v5.1.0 - Lambda runtimes now powered by Node 18

Fri, 19 Jan 2024 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.

aws-kinesis v5.9.0 - Added support for Kinesis Video Streams

Fri, 19 Jan 2024 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > Kinesis > Kinesis Video Stream - Control Types: - AWS > Kinesis > Kinesis Video Stream > Active - AWS > Kinesis > Kinesis Video Stream > Approved - AWS > Kinesis > Kinesis Video Stream > CMDB - AWS > Kinesis > Kinesis Video Stream > Discovery - AWS > Kinesis > Kinesis Video Stream > Tags - Policy Types: - AWS > Kinesis > Kinesis Video Stream > Active - AWS > Kinesis > Kinesis Video Stream > Active > Age - AWS > Kinesis > Kinesis Video Stream > Active > Budget - AWS > Kinesis > Kinesis Video Stream > Active > Last Modified - AWS > Kinesis > Kinesis Video Stream > Approved - AWS > Kinesis > Kinesis Video Stream > Approved > Budget - AWS > Kinesis > Kinesis Video Stream > Approved > Custom - AWS > Kinesis > Kinesis Video Stream > Approved > Regions - AWS > Kinesis > Kinesis Video Stream > Approved > Usage - AWS > Kinesis > Kinesis Video Stream > CMDB - AWS > Kinesis > Kinesis Video Stream > Regions - AWS > Kinesis > Kinesis Video Stream > Tags - AWS > Kinesis > Kinesis Video Stream > Tags > Template - Action Types: - AWS > Kinesis > Kinesis Video Stream > Delete - AWS > Kinesis > Kinesis Video Stream > Delete from AWS - AWS > Kinesis > Kinesis Video Stream > Router - AWS > Kinesis > Kinesis Video Stream > Set Tags - AWS > Kinesis > Kinesis Video Stream > Skip alarm for Active control - AWS > Kinesis > Kinesis Video Stream > Skip alarm for Active control [90 days] - AWS > Kinesis > Kinesis Video Stream > Skip alarm for Approved control - AWS > Kinesis > Kinesis Video Stream > Skip alarm for Approved control [90 days] - AWS > Kinesis > Kinesis Video Stream > Skip alarm for Tags control - AWS > Kinesis > Kinesis Video Stream > Skip alarm for Tags control [90 days] - AWS > Kinesis > Kinesis Video Stream > Update Tags

servicenow-gcp-logging v5.0.0 is now available

Thu, 18 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Logging > Exclusion > ServiceNow - GCP > Logging > Exclusion > ServiceNow > Configuration Item - GCP > Logging > Exclusion > ServiceNow > Table - GCP > Logging > Metric > ServiceNow - GCP > Logging > Metric > ServiceNow > Configuration Item - GCP > Logging > Metric > ServiceNow > Table - GCP > Logging > Sink > ServiceNow - GCP > Logging > Sink > ServiceNow > Configuration Item - GCP > Logging > Sink > ServiceNow > Table - Policy Types: - GCP > Logging > Exclusion > ServiceNow - GCP > Logging > Exclusion > ServiceNow > Configuration Item - GCP > Logging > Exclusion > ServiceNow > Configuration Item > Record - GCP > Logging > Exclusion > ServiceNow > Configuration Item > Table Definition - GCP > Logging > Exclusion > ServiceNow > Table - GCP > Logging > Exclusion > ServiceNow > Table > Definition - GCP > Logging > Metric > ServiceNow - GCP > Logging > Metric > ServiceNow > Configuration Item - GCP > Logging > Metric > ServiceNow > Configuration Item > Record - GCP > Logging > Metric > ServiceNow > Configuration Item > Table Definition - GCP > Logging > Metric > ServiceNow > Table - GCP > Logging > Metric > ServiceNow > Table > Definition - GCP > Logging > Sink > ServiceNow - GCP > Logging > Sink > ServiceNow > Configuration Item - GCP > Logging > Sink > ServiceNow > Configuration Item > Record - GCP > Logging > Sink > ServiceNow > Configuration Item > Table Definition - GCP > Logging > Sink > ServiceNow > Table - GCP > Logging > Sink > ServiceNow > Table > Definition

servicenow-gcp-computeengine v5.1.0 - Added support for HTTP Health Check, HTTPS Health Check, Health Check, Instance Template, Node Group, Node Template, Project, Region Disk and Region Health Check

Thu, 18 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Compute Engine > HTTP Health Check > ServiceNow - GCP > Compute Engine > HTTP Health Check > ServiceNow > Configuration Item - GCP > Compute Engine > HTTP Health Check > ServiceNow > Table - GCP > Compute Engine > HTTPS Health Check > ServiceNow - GCP > Compute Engine > HTTPS Health Check > ServiceNow > Configuration Item - GCP > Compute Engine > HTTPS Health Check > ServiceNow > Table - GCP > Compute Engine > Health Check > ServiceNow - GCP > Compute Engine > Health Check > ServiceNow > Configuration Item - GCP > Compute Engine > Health Check > ServiceNow > Table - GCP > Compute Engine > Instance Template > ServiceNow - GCP > Compute Engine > Instance Template > ServiceNow > Configuration Item - GCP > Compute Engine > Instance Template > ServiceNow > Table - GCP > Compute Engine > Node Group > ServiceNow - GCP > Compute Engine > Node Group > ServiceNow > Configuration Item - GCP > Compute Engine > Node Group > ServiceNow > Table - GCP > Compute Engine > Node Template > ServiceNow - GCP > Compute Engine > Node Template > ServiceNow > Configuration Item - GCP > Compute Engine > Node Template > ServiceNow > Table - GCP > Compute Engine > Project > ServiceNow - GCP > Compute Engine > Project > ServiceNow > Configuration Item - GCP > Compute Engine > Project > ServiceNow > Table - GCP > Compute Engine > Region Disk > ServiceNow - GCP > Compute Engine > Region Disk > ServiceNow > Configuration Item - GCP > Compute Engine > Region Disk > ServiceNow > Table - GCP > Compute Engine > Region Health Check > ServiceNow - GCP > Compute Engine > Region Health Check > ServiceNow > Configuration Item - GCP > Compute Engine > Region Health Check > ServiceNow > Table - Policy Types: - GCP > Compute Engine > HTTP Health Check > ServiceNow - GCP > Compute Engine > HTTP Health Check > ServiceNow > Configuration Item - GCP > Compute Engine > HTTP Health Check > ServiceNow > Configuration Item > Record - GCP > Compute Engine > HTTP Health Check > ServiceNow > Configuration Item > Table Definition - GCP > Compute Engine > HTTP Health Check > ServiceNow > Table - GCP > Compute Engine > HTTP Health Check > ServiceNow > Table > Definition - GCP > Compute Engine > HTTPS Health Check > ServiceNow - GCP > Compute Engine > HTTPS Health Check > ServiceNow > Configuration Item - GCP > Compute Engine > HTTPS Health Check > ServiceNow > Configuration Item > Record - GCP > Compute Engine > HTTPS Health Check > ServiceNow > Configuration Item > Table Definition - GCP > Compute Engine > HTTPS Health Check > ServiceNow > Table - GCP > Compute Engine > HTTPS Health Check > ServiceNow > Table > Definition - GCP > Compute Engine > Health Check > ServiceNow - GCP > Compute Engine > Health Check > ServiceNow > Configuration Item - GCP > Compute Engine > Health Check > ServiceNow > Configuration Item > Record - GCP > Compute Engine > Health Check > ServiceNow > Configuration Item > Table Definition - GCP > Compute Engine > Health Check > ServiceNow > Table - GCP > Compute Engine > Health Check > ServiceNow > Table > Definition - GCP > Compute Engine > Instance Template > ServiceNow - GCP > Compute Engine > Instance Template > ServiceNow > Configuration Item - GCP > Compute Engine > Instance Template > ServiceNow > Configuration Item > Record - GCP > Compute Engine > Instance Template > ServiceNow > Configuration Item > Table Definition - GCP > Compute Engine > Instance Template > ServiceNow > Table - GCP > Compute Engine > Instance Template > ServiceNow > Table > Definition - GCP > Compute Engine > Node Group > ServiceNow - GCP > Compute Engine > Node Group > ServiceNow > Configuration Item - GCP > Compute Engine > Node Group > ServiceNow > Configuration Item > Record - GCP > Compute Engine > Node Group > ServiceNow > Configuration Item > Table Definition - GCP > Compute Engine > Node Group > ServiceNow > Table - GCP > Compute Engine > Node Group > ServiceNow > Table > Definition - GCP > Compute Engine > Node Template > ServiceNow - GCP > Compute Engine > Node Template > ServiceNow > Configuration Item - GCP > Compute Engine > Node Template > ServiceNow > Configuration Item > Record - GCP > Compute Engine > Node Template > ServiceNow > Configuration Item > Table Definition - GCP > Compute Engine > Node Template > ServiceNow > Table - GCP > Compute Engine > Node Template > ServiceNow > Table > Definition - GCP > Compute Engine > Project > ServiceNow - GCP > Compute Engine > Project > ServiceNow > Configuration Item - GCP > Compute Engine > Project > ServiceNow > Configuration Item > Record - GCP > Compute Engine > Project > ServiceNow > Configuration Item > Table Definition - GCP > Compute Engine > Project > ServiceNow > Table - GCP > Compute Engine > Project > ServiceNow > Table > Definition - GCP > Compute Engine > Region Disk > ServiceNow - GCP > Compute Engine > Region Disk > ServiceNow > Configuration Item - GCP > Compute Engine > Region Disk > ServiceNow > Configuration Item > Record - GCP > Compute Engine > Region Disk > ServiceNow > Configuration Item > Table Definition - GCP > Compute Engine > Region Disk > ServiceNow > Table - GCP > Compute Engine > Region Disk > ServiceNow > Table > Definition - GCP > Compute Engine > Region Health Check > ServiceNow - GCP > Compute Engine > Region Health Check > ServiceNow > Configuration Item - GCP > Compute Engine > Region Health Check > ServiceNow > Configuration Item > Record - GCP > Compute Engine > Region Health Check > ServiceNow > Configuration Item > Table Definition - GCP > Compute Engine > Region Health Check > ServiceNow > Table - GCP > Compute Engine > Region Health Check > ServiceNow > Table > Definition

turbot v5.47.0 - Added policy to set native stack version

Wed, 17 Jan 2024 09:00:00 GMT

_What's new?_ - Policy Types: - Turbot > Stack > Native Stack Version [Default] _Requirements_ - TE: 5.35.4

servicenow-gcp-sql v5.1.0 - Added support for Backup and Database

Wed, 17 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > SQL > Backup > ServiceNow - GCP > SQL > Backup > ServiceNow > Configuration Item - GCP > SQL > Backup > ServiceNow > Table - GCP > SQL > Database > ServiceNow - GCP > SQL > Database > ServiceNow > Configuration Item - GCP > SQL > Database > ServiceNow > Table - Policy Types: - GCP > SQL > Backup > ServiceNow - GCP > SQL > Backup > ServiceNow > Configuration Item - GCP > SQL > Backup > ServiceNow > Configuration Item > Record - GCP > SQL > Backup > ServiceNow > Configuration Item > Table Definition - GCP > SQL > Backup > ServiceNow > Table - GCP > SQL > Backup > ServiceNow > Table > Definition - GCP > SQL > Database > ServiceNow - GCP > SQL > Database > ServiceNow > Configuration Item - GCP > SQL > Database > ServiceNow > Configuration Item > Record - GCP > SQL > Database > ServiceNow > Configuration Item > Table Definition - GCP > SQL > Database > ServiceNow > Table - GCP > SQL > Database > ServiceNow > Table > Definition

servicenow-gcp-kms v5.0.0 is now available

Wed, 17 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > KMS > Crypto Key > ServiceNow - GCP > KMS > Crypto Key > ServiceNow > Configuration Item - GCP > KMS > Crypto Key > ServiceNow > Table - GCP > KMS > Key Ring > ServiceNow - GCP > KMS > Key Ring > ServiceNow > Configuration Item - GCP > KMS > Key Ring > ServiceNow > Table - Policy Types: - GCP > KMS > Crypto Key > ServiceNow - GCP > KMS > Crypto Key > ServiceNow > Configuration Item - GCP > KMS > Crypto Key > ServiceNow > Configuration Item > Record - GCP > KMS > Crypto Key > ServiceNow > Configuration Item > Table Definition - GCP > KMS > Crypto Key > ServiceNow > Table - GCP > KMS > Crypto Key > ServiceNow > Table > Definition - GCP > KMS > Key Ring > ServiceNow - GCP > KMS > Key Ring > ServiceNow > Configuration Item - GCP > KMS > Key Ring > ServiceNow > Configuration Item > Record - GCP > KMS > Key Ring > ServiceNow > Configuration Item > Table Definition - GCP > KMS > Key Ring > ServiceNow > Table - GCP > KMS > Key Ring > ServiceNow > Table > Definition

servicenow-gcp-bigquery v5.0.0 is now available

Wed, 17 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > BigQuery > Dataset > ServiceNow - GCP > BigQuery > Dataset > ServiceNow > Configuration Item - GCP > BigQuery > Dataset > ServiceNow > Table - GCP > BigQuery > Table > ServiceNow - GCP > BigQuery > Table > ServiceNow > Configuration Item - GCP > BigQuery > Table > ServiceNow > Table - Policy Types: - GCP > BigQuery > Dataset > ServiceNow - GCP > BigQuery > Dataset > ServiceNow > Configuration Item - GCP > BigQuery > Dataset > ServiceNow > Configuration Item > Record - GCP > BigQuery > Dataset > ServiceNow > Configuration Item > Table Definition - GCP > BigQuery > Dataset > ServiceNow > Table - GCP > BigQuery > Dataset > ServiceNow > Table > Definition - GCP > BigQuery > Table > ServiceNow - GCP > BigQuery > Table > ServiceNow > Configuration Item - GCP > BigQuery > Table > ServiceNow > Configuration Item > Record - GCP > BigQuery > Table > ServiceNow > Configuration Item > Table Definition - GCP > BigQuery > Table > ServiceNow > Table - GCP > BigQuery > Table > ServiceNow > Table > Definition

Turbot Guardrails Enterprise (TE) v5.42.15 - Minor internal improvements

Tue, 16 Jan 2024 09:00:00 GMT

_Bug fixes_ - Server - Updated: Enhanced IAM policy for tighter access around custom Lambda. - Fixed: Turbot > Workspace > Health Control should not break if there is no input. _Requirements_ - TEF: 1.55.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

servicenow-gcp-bigtable v5.0.0 is now available

Tue, 16 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Bigtable > Cluster > ServiceNow - GCP > Bigtable > Cluster > ServiceNow > Configuration Item - GCP > Bigtable > Cluster > ServiceNow > Table - GCP > Bigtable > Instance > ServiceNow - GCP > Bigtable > Instance > ServiceNow > Configuration Item - GCP > Bigtable > Instance > ServiceNow > Table - GCP > Bigtable > Table > ServiceNow - GCP > Bigtable > Table > ServiceNow > Configuration Item - GCP > Bigtable > Table > ServiceNow > Table - Policy Types: - GCP > Bigtable > Cluster > ServiceNow - GCP > Bigtable > Cluster > ServiceNow > Configuration Item - GCP > Bigtable > Cluster > ServiceNow > Configuration Item > Record - GCP > Bigtable > Cluster > ServiceNow > Configuration Item > Table Definition - GCP > Bigtable > Cluster > ServiceNow > Table - GCP > Bigtable > Cluster > ServiceNow > Table > Definition - GCP > Bigtable > Instance > ServiceNow - GCP > Bigtable > Instance > ServiceNow > Configuration Item - GCP > Bigtable > Instance > ServiceNow > Configuration Item > Record - GCP > Bigtable > Instance > ServiceNow > Configuration Item > Table Definition - GCP > Bigtable > Instance > ServiceNow > Table - GCP > Bigtable > Instance > ServiceNow > Table > Definition - GCP > Bigtable > Table > ServiceNow - GCP > Bigtable > Table > ServiceNow > Configuration Item - GCP > Bigtable > Table > ServiceNow > Configuration Item > Record - GCP > Bigtable > Table > ServiceNow > Configuration Item > Table Definition - GCP > Bigtable > Table > ServiceNow > Table - GCP > Bigtable > Table > ServiceNow > Table > Definition

servicenow-gcp-appengine v5.0.0 is now available

Tue, 16 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > App Engine > Application > ServiceNow - GCP > App Engine > Application > ServiceNow > Configuration Item - GCP > App Engine > Application > ServiceNow > Table - GCP > App Engine > Firewall Rule > ServiceNow - GCP > App Engine > Firewall Rule > ServiceNow > Configuration Item - GCP > App Engine > Firewall Rule > ServiceNow > Table - GCP > App Engine > Instance > ServiceNow - GCP > App Engine > Instance > ServiceNow > Configuration Item - GCP > App Engine > Instance > ServiceNow > Table - GCP > App Engine > Service > ServiceNow - GCP > App Engine > Service > ServiceNow > Configuration Item - GCP > App Engine > Service > ServiceNow > Table - GCP > App Engine > Version > ServiceNow - GCP > App Engine > Version > ServiceNow > Configuration Item - GCP > App Engine > Version > ServiceNow > Table - Policy Types: - GCP > App Engine > Application > ServiceNow - GCP > App Engine > Application > ServiceNow > Configuration Item - GCP > App Engine > Application > ServiceNow > Configuration Item > Record - GCP > App Engine > Application > ServiceNow > Configuration Item > Table Definition - GCP > App Engine > Application > ServiceNow > Table - GCP > App Engine > Application > ServiceNow > Table > Definition - GCP > App Engine > Firewall Rule > ServiceNow - GCP > App Engine > Firewall Rule > ServiceNow > Configuration Item - GCP > App Engine > Firewall Rule > ServiceNow > Configuration Item > Record - GCP > App Engine > Firewall Rule > ServiceNow > Configuration Item > Table Definition - GCP > App Engine > Firewall Rule > ServiceNow > Table - GCP > App Engine > Firewall Rule > ServiceNow > Table > Definition - GCP > App Engine > Instance > ServiceNow - GCP > App Engine > Instance > ServiceNow > Configuration Item - GCP > App Engine > Instance > ServiceNow > Configuration Item > Record - GCP > App Engine > Instance > ServiceNow > Configuration Item > Table Definition - GCP > App Engine > Instance > ServiceNow > Table - GCP > App Engine > Instance > ServiceNow > Table > Definition - GCP > App Engine > Service > ServiceNow - GCP > App Engine > Service > ServiceNow > Configuration Item - GCP > App Engine > Service > ServiceNow > Configuration Item > Record - GCP > App Engine > Service > ServiceNow > Configuration Item > Table Definition - GCP > App Engine > Service > ServiceNow > Table - GCP > App Engine > Service > ServiceNow > Table > Definition - GCP > App Engine > Version > ServiceNow - GCP > App Engine > Version > ServiceNow > Configuration Item - GCP > App Engine > Version > ServiceNow > Configuration Item > Record - GCP > App Engine > Version > ServiceNow > Configuration Item > Table Definition - GCP > App Engine > Version > ServiceNow > Table - GCP > App Engine > Version > ServiceNow > Table > Definition

gcp v5.23.2 - Bug Fixed - Event Poller control will now run lighter and quicker than before

Tue, 16 Jan 2024 09:00:00 GMT

_Bug fixes_ - The `GCP > Turbot > Event Poller` control now includes a precheck condition to avoid running GraphQL input queries when the `GCP > Turbot > Event Poller` policy is set to `Disabled`. You won’t notice any difference and the control should run lighter and quicker than before.

azure v5.18.1 - Bug Fixed - Event Poller controls will now run lighter and quicker than before

Tue, 16 Jan 2024 09:00:00 GMT

_Bug fixes_ - The `Azure > Turbot > Event Poller` and `Azure > Turbot > Management Group Event Poller` controls now include a precheck condition to avoid running GraphQL input queries when the `Azure > Turbot > Event Poller` and `Azure > Turbot > Management Group Event Poller` policies are set to `Disabled` respectively. You won’t notice any difference and the controls should run lighter and quicker than before.

azure-activedirectory v5.4.1 - Bug Fixed - Event Poller control will now run lighter and quicker than before

Tue, 16 Jan 2024 09:00:00 GMT

_Bug fixes_ - The `Azure > Turbot > Directory Event Poller` control now includes a precheck condition to avoid running GraphQL input queries when the `Azure > Turbot > Directory Event Poller` policy is set to `Disabled`. You won’t notice any difference and the control should run lighter and quicker than before.

aws v5.29.2 - Bug Fixed - Event Poller control will now run lighter and quicker than before

Tue, 16 Jan 2024 09:00:00 GMT

_Bug fixes_ - The `AWS > Turbot > Event Poller` control now includes a precheck condition to avoid running GraphQL input queries when the `AWS > Turbot > Event Poller` policy is set to `Disabled`. You won’t notice any difference and the control should run lighter and quicker than before.

aws-opensearch v5.0.0 is now available

Tue, 16 Jan 2024 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > OpenSearch - Policy Types: - AWS > OpenSearch > API Enabled - AWS > OpenSearch > Approved Regions [Default] - AWS > OpenSearch > Enabled - AWS > OpenSearch > Permissions - AWS > OpenSearch > Permissions > Levels - AWS > OpenSearch > Permissions > Levels > Modifiers - AWS > OpenSearch > Permissions > Lockdown - AWS > OpenSearch > Permissions > Lockdown > API Boundary - AWS > OpenSearch > Regions - AWS > OpenSearch > Tags Template [Default] - AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-opensearch - AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-opensearch - AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-opensearch

servicenow-azure v5.1.0 - Added support for Resource Group, Subscription and Tenant

Fri, 12 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > Resource Group > ServiceNow - Azure > Resource Group > ServiceNow > Configuration Item - Azure > Resource Group > ServiceNow > Table - Azure > Subscription > ServiceNow - Azure > Subscription > ServiceNow > Configuration Item - Azure > Subscription > ServiceNow > Table - Azure > Tenant > ServiceNow - Azure > Tenant > ServiceNow > Configuration Item - Azure > Tenant > ServiceNow > Table - Policy Types: - Azure > Resource Group > ServiceNow - Azure > Resource Group > ServiceNow > Configuration Item - Azure > Resource Group > ServiceNow > Configuration Item > Record - Azure > Resource Group > ServiceNow > Configuration Item > Table Definition - Azure > Resource Group > ServiceNow > Table - Azure > Resource Group > ServiceNow > Table > Definition - Azure > Subscription > ServiceNow - Azure > Subscription > ServiceNow > Configuration Item - Azure > Subscription > ServiceNow > Configuration Item > Record - Azure > Subscription > ServiceNow > Configuration Item > Table Definition - Azure > Subscription > ServiceNow > Table - Azure > Subscription > ServiceNow > Table > Definition - Azure > Tenant > ServiceNow - Azure > Tenant > ServiceNow > Configuration Item - Azure > Tenant > ServiceNow > Configuration Item > Record - Azure > Tenant > ServiceNow > Configuration Item > Table Definition - Azure > Tenant > ServiceNow > Table - Azure > Tenant > ServiceNow > Table > Definition

servicenow-azure-network v5.2.0 - Added support for Private Endpoints

Thu, 11 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > Network > Private Endpoints > ServiceNow - Azure > Network > Private Endpoints > ServiceNow > Configuration Item - Azure > Network > Private Endpoints > ServiceNow > Table - Policy Types: - Azure > Network > Private Endpoints > ServiceNow - Azure > Network > Private Endpoints > ServiceNow > Configuration Item - Azure > Network > Private Endpoints > ServiceNow > Configuration Item > Record - Azure > Network > Private Endpoints > ServiceNow > Configuration Item > Table Definition - Azure > Network > Private Endpoints > ServiceNow > Table - Azure > Network > Private Endpoints > ServiceNow > Table > Definition

servicenow-azure-automation v5.0.0 is now available

Thu, 11 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > Automation > Automation Account > ServiceNow - Azure > Automation > Automation Account > ServiceNow > Configuration Item - Azure > Automation > Automation Account > ServiceNow > Table - Azure > Automation > Runbook > ServiceNow - Azure > Automation > Runbook > ServiceNow > Configuration Item - Azure > Automation > Runbook > ServiceNow > Table - Policy Types: - Azure > Automation > Automation Account > ServiceNow - Azure > Automation > Automation Account > ServiceNow > Configuration Item - Azure > Automation > Automation Account > ServiceNow > Configuration Item > Record - Azure > Automation > Automation Account > ServiceNow > Configuration Item > Table Definition - Azure > Automation > Automation Account > ServiceNow > Table - Azure > Automation > Automation Account > ServiceNow > Table > Definition - Azure > Automation > Runbook > ServiceNow - Azure > Automation > Runbook > ServiceNow > Configuration Item - Azure > Automation > Runbook > ServiceNow > Configuration Item > Record - Azure > Automation > Runbook > ServiceNow > Configuration Item > Table Definition - Azure > Automation > Runbook > ServiceNow > Table - Azure > Automation > Runbook > ServiceNow > Table > Definition

aws-ec2 v5.37.0 - Added support for `aws_network_interface_sg_attachment` Terraform resource for Elastic Network Interfaces

Thu, 11 Jan 2024 09:00:00 GMT

_What's new?_ - Added support for `aws_network_interface_sg_attachment` Terraform resource for `AWS > EC2 > Network Interface`. _Bug fixes_ - The `AWS > EC2 > Instance > CMDB` control would sometimes trigger multiple times if `EnclaveOptions` was not set as part of the `AWS > EC2 > Instance > CMDB > Attributes` policy. This would result in unnecessary Lambda runs for the control. The `EnclaveOptions` attribute is now available in the CMDB data by default and the `EnclaveOptions` policy value in `AWS > EC2 > Instance > CMDB > Attributes` policy has now been deprecated, and will be removed in the next major version.

Turbot Guardrails Enterprise Foundation (TEF) v1.54.0 - Updated Launch Template to prevent association of Network Interface with public IPs

Wed, 10 Jan 2024 09:00:00 GMT

_What's new?_ - Updated: Launch Template to prevent association of Network Interface with public IPs.

servicenow-azure-storage v5.1.0 is now available

Wed, 10 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > Storage > Container > ServiceNow - Azure > Storage > Container > ServiceNow > Configuration Item - Azure > Storage > Container > ServiceNow > Table - Azure > Storage > FileShare > ServiceNow - Azure > Storage > FileShare > ServiceNow > Configuration Item - Azure > Storage > FileShare > ServiceNow > Table - Azure > Storage > Queue > ServiceNow - Azure > Storage > Queue > ServiceNow > Configuration Item - Azure > Storage > Queue > ServiceNow > Table - Policy Types: - Azure > Storage > Container > ServiceNow - Azure > Storage > Container > ServiceNow > Configuration Item - Azure > Storage > Container > ServiceNow > Configuration Item > Record - Azure > Storage > Container > ServiceNow > Configuration Item > Table Definition - Azure > Storage > Container > ServiceNow > Table - Azure > Storage > Container > ServiceNow > Table > Definition - Azure > Storage > FileShare > ServiceNow - Azure > Storage > FileShare > ServiceNow > Configuration Item - Azure > Storage > FileShare > ServiceNow > Configuration Item > Record - Azure > Storage > FileShare > ServiceNow > Configuration Item > Table Definition - Azure > Storage > FileShare > ServiceNow > Table - Azure > Storage > FileShare > ServiceNow > Table > Definition - Azure > Storage > Queue > ServiceNow - Azure > Storage > Queue > ServiceNow > Configuration Item - Azure > Storage > Queue > ServiceNow > Configuration Item > Record - Azure > Storage > Queue > ServiceNow > Configuration Item > Table Definition - Azure > Storage > Queue > ServiceNow > Table - Azure > Storage > Queue > ServiceNow > Table > Definition

servicenow-azure-recoveryservice v5.0.0 is now available

Wed, 10 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > Recovery Service > Backup > ServiceNow - Azure > Recovery Service > Backup > ServiceNow > Configuration Item - Azure > Recovery Service > Backup > ServiceNow > Table - Azure > Recovery Service > Vault > ServiceNow - Azure > Recovery Service > Vault > ServiceNow > Configuration Item - Azure > Recovery Service > Vault > ServiceNow > Table - Policy Types: - Azure > Recovery Service > Backup > ServiceNow - Azure > Recovery Service > Backup > ServiceNow > Configuration Item - Azure > Recovery Service > Backup > ServiceNow > Configuration Item > Record - Azure > Recovery Service > Backup > ServiceNow > Configuration Item > Table Definition - Azure > Recovery Service > Backup > ServiceNow > Table - Azure > Recovery Service > Backup > ServiceNow > Table > Definition - Azure > Recovery Service > Vault > ServiceNow - Azure > Recovery Service > Vault > ServiceNow > Configuration Item - Azure > Recovery Service > Vault > ServiceNow > Configuration Item > Record - Azure > Recovery Service > Vault > ServiceNow > Configuration Item > Table Definition - Azure > Recovery Service > Vault > ServiceNow > Table - Azure > Recovery Service > Vault > ServiceNow > Table > Definition

servicenow-azure-monitor v5.0.0 is now available

Wed, 10 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > Monitor > Action Group > ServiceNow - Azure > Monitor > Action Group > ServiceNow > Configuration Item - Azure > Monitor > Action Group > ServiceNow > Table - Azure > Monitor > Alerts > ServiceNow - Azure > Monitor > Alerts > ServiceNow > Configuration Item - Azure > Monitor > Alerts > ServiceNow > Table - Azure > Monitor > Log Profile > ServiceNow - Azure > Monitor > Log Profile > ServiceNow > Configuration Item - Azure > Monitor > Log Profile > ServiceNow > Table - Policy Types: - Azure > Monitor > Action Group > ServiceNow - Azure > Monitor > Action Group > ServiceNow > Configuration Item - Azure > Monitor > Action Group > ServiceNow > Configuration Item > Record - Azure > Monitor > Action Group > ServiceNow > Configuration Item > Table Definition - Azure > Monitor > Action Group > ServiceNow > Table - Azure > Monitor > Action Group > ServiceNow > Table > Definition - Azure > Monitor > Alerts > ServiceNow - Azure > Monitor > Alerts > ServiceNow > Configuration Item - Azure > Monitor > Alerts > ServiceNow > Configuration Item > Record - Azure > Monitor > Alerts > ServiceNow > Configuration Item > Table Definition - Azure > Monitor > Alerts > ServiceNow > Table - Azure > Monitor > Alerts > ServiceNow > Table > Definition - Azure > Monitor > Log Profile > ServiceNow - Azure > Monitor > Log Profile > ServiceNow > Configuration Item - Azure > Monitor > Log Profile > ServiceNow > Configuration Item > Record - Azure > Monitor > Log Profile > ServiceNow > Configuration Item > Table Definition - Azure > Monitor > Log Profile > ServiceNow > Table - Azure > Monitor > Log Profile > ServiceNow > Table > Definition

servicenow-gcp-kubernetesengine v5.0.0 is now available

Tue, 09 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Kubernetes Engine > Region Cluster > ServiceNow - GCP > Kubernetes Engine > Region Cluster > ServiceNow > Configuration Item - GCP > Kubernetes Engine > Region Cluster > ServiceNow > Table - GCP > Kubernetes Engine > Region Node Pool > ServiceNow - GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Configuration Item - GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Table - GCP > Kubernetes Engine > Zone Cluster > ServiceNow - GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Configuration Item - GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Table - GCP > Kubernetes Engine > Zone Node Pool > ServiceNow - GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Configuration Item - GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Table - Policy Types: - GCP > Kubernetes Engine > Region Cluster > ServiceNow - GCP > Kubernetes Engine > Region Cluster > ServiceNow > Configuration Item - GCP > Kubernetes Engine > Region Cluster > ServiceNow > Configuration Item > Record - GCP > Kubernetes Engine > Region Cluster > ServiceNow > Configuration Item > Table Definition - GCP > Kubernetes Engine > Region Cluster > ServiceNow > Table - GCP > Kubernetes Engine > Region Cluster > ServiceNow > Table > Definition - GCP > Kubernetes Engine > Region Node Pool > ServiceNow - GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Configuration Item - GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Configuration Item > Record - GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Configuration Item > Table Definition - GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Table - GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Table > Definition - GCP > Kubernetes Engine > Zone Cluster > ServiceNow - GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Configuration Item - GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Configuration Item > Record - GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Configuration Item > Table Definition - GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Table - GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Table > Definition - GCP > Kubernetes Engine > Zone Node Pool > ServiceNow - GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Configuration Item - GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Configuration Item > Record - GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Configuration Item > Table Definition - GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Table - GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Table > Definition

servicenow-azure-iam v5.0.0 is now available

Tue, 09 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > IAM > Role Assignment > ServiceNow - Azure > IAM > Role Assignment > ServiceNow > Configuration Item - Azure > IAM > Role Assignment > ServiceNow > Table - Azure > IAM > Role Definition > ServiceNow - Azure > IAM > Role Definition > ServiceNow > Configuration Item - Azure > IAM > Role Definition > ServiceNow > Table - Policy Types: - Azure > IAM > Role Assignment > ServiceNow - Azure > IAM > Role Assignment > ServiceNow > Configuration Item - Azure > IAM > Role Assignment > ServiceNow > Configuration Item > Record - Azure > IAM > Role Assignment > ServiceNow > Configuration Item > Table Definition - Azure > IAM > Role Assignment > ServiceNow > Table - Azure > IAM > Role Assignment > ServiceNow > Table > Definition - Azure > IAM > Role Definition > ServiceNow - Azure > IAM > Role Definition > ServiceNow > Configuration Item - Azure > IAM > Role Definition > ServiceNow > Configuration Item > Record - Azure > IAM > Role Definition > ServiceNow > Configuration Item > Table Definition - Azure > IAM > Role Definition > ServiceNow > Table - Azure > IAM > Role Definition > ServiceNow > Table > Definition

servicenow-azure-datafactory v5.0.0 is now available

Tue, 09 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > Data Factory > Dataset > ServiceNow - Azure > Data Factory > Dataset > ServiceNow > Configuration Item - Azure > Data Factory > Dataset > ServiceNow > Table - Azure > Data Factory > Factory > ServiceNow - Azure > Data Factory > Factory > ServiceNow > Configuration Item - Azure > Data Factory > Factory > ServiceNow > Table - Azure > Data Factory > Pipeline > ServiceNow - Azure > Data Factory > Pipeline > ServiceNow > Configuration Item - Azure > Data Factory > Pipeline > ServiceNow > Table - Policy Types: - Azure > Data Factory > Dataset > ServiceNow - Azure > Data Factory > Dataset > ServiceNow > Configuration Item - Azure > Data Factory > Dataset > ServiceNow > Configuration Item > Record - Azure > Data Factory > Dataset > ServiceNow > Configuration Item > Table Definition - Azure > Data Factory > Dataset > ServiceNow > Table - Azure > Data Factory > Dataset > ServiceNow > Table > Definition - Azure > Data Factory > Factory > ServiceNow - Azure > Data Factory > Factory > ServiceNow > Configuration Item - Azure > Data Factory > Factory > ServiceNow > Configuration Item > Record - Azure > Data Factory > Factory > ServiceNow > Configuration Item > Table Definition - Azure > Data Factory > Factory > ServiceNow > Table - Azure > Data Factory > Factory > ServiceNow > Table > Definition - Azure > Data Factory > Pipeline > ServiceNow - Azure > Data Factory > Pipeline > ServiceNow > Configuration Item - Azure > Data Factory > Pipeline > ServiceNow > Configuration Item > Record - Azure > Data Factory > Pipeline > ServiceNow > Configuration Item > Table Definition - Azure > Data Factory > Pipeline > ServiceNow > Table - Azure > Data Factory > Pipeline > ServiceNow > Table > Definition

servicenow-azure-databricks v5.0.0 is now available

Tue, 09 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > Databricks > Workspace > ServiceNow - Azure > Databricks > Workspace > ServiceNow > Configuration Item - Azure > Databricks > Workspace > ServiceNow > Table - Policy Types: - Azure > Databricks > Workspace > ServiceNow - Azure > Databricks > Workspace > ServiceNow > Configuration Item - Azure > Databricks > Workspace > ServiceNow > Configuration Item > Record - Azure > Databricks > Workspace > ServiceNow > Configuration Item > Table Definition - Azure > Databricks > Workspace > ServiceNow > Table - Azure > Databricks > Workspace > ServiceNow > Table > Definition

Turbot Guardrails Enterprise (TE) v5.42.14 - Minor internal improvements

Tue, 09 Jan 2024 09:00:00 GMT

_Bug fixes_ - Server - Minor internal improvements. _Requirements_ - TEF: 1.51.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Turbot Guardrails Enterprise (TE) v5.42.13 - Bug Fixed - Scheduled actions will now not fail for firehose-aws-sns mod

Mon, 08 Jan 2024 09:00:00 GMT

_Bug fixes_ - Server - The scheduled actions would sometimes fail to work for the firehose-aws-sns mod due an inadvertent bug introduced in TE v5.42.10. This is now fixed. _Requirements_ - TEF: 1.51.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

servicenow-azure-activedirectory v5.0.0 is now available

Mon, 08 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > Active Directory > Application > ServiceNow - Azure > Active Directory > Application > ServiceNow > Configuration Item - Azure > Active Directory > Application > ServiceNow > Table - Azure > Active Directory > Client Secret > ServiceNow - Azure > Active Directory > Client Secret > ServiceNow > Configuration Item - Azure > Active Directory > Client Secret > ServiceNow > Table - Azure > Active Directory > Custom Domain > ServiceNow - Azure > Active Directory > Custom Domain > ServiceNow > Configuration Item - Azure > Active Directory > Custom Domain > ServiceNow > Table - Azure > Active Directory > Directory > ServiceNow - Azure > Active Directory > Directory > ServiceNow > Configuration Item - Azure > Active Directory > Directory > ServiceNow > Table - Azure > Active Directory > Group > ServiceNow - Azure > Active Directory > Group > ServiceNow > Configuration Item - Azure > Active Directory > Group > ServiceNow > Table - Azure > Active Directory > Service Principal > ServiceNow - Azure > Active Directory > Service Principal > ServiceNow > Configuration Item - Azure > Active Directory > Service Principal > ServiceNow > Table - Azure > Active Directory > User > ServiceNow - Azure > Active Directory > User > ServiceNow > Configuration Item - Azure > Active Directory > User > ServiceNow > Table - Policy Types: - Azure > Active Directory > Application > ServiceNow - Azure > Active Directory > Application > ServiceNow > Configuration Item - Azure > Active Directory > Application > ServiceNow > Configuration Item > Record - Azure > Active Directory > Application > ServiceNow > Configuration Item > Table Definition - Azure > Active Directory > Application > ServiceNow > Table - Azure > Active Directory > Application > ServiceNow > Table > Definition - Azure > Active Directory > Client Secret > ServiceNow - Azure > Active Directory > Client Secret > ServiceNow > Configuration Item - Azure > Active Directory > Client Secret > ServiceNow > Configuration Item > Record - Azure > Active Directory > Client Secret > ServiceNow > Configuration Item > Table Definition - Azure > Active Directory > Client Secret > ServiceNow > Table - Azure > Active Directory > Client Secret > ServiceNow > Table > Definition - Azure > Active Directory > Custom Domain > ServiceNow - Azure > Active Directory > Custom Domain > ServiceNow > Configuration Item - Azure > Active Directory > Custom Domain > ServiceNow > Configuration Item > Record - Azure > Active Directory > Custom Domain > ServiceNow > Configuration Item > Table Definition - Azure > Active Directory > Custom Domain > ServiceNow > Table - Azure > Active Directory > Custom Domain > ServiceNow > Table > Definition - Azure > Active Directory > Directory > ServiceNow - Azure > Active Directory > Directory > ServiceNow > Configuration Item - Azure > Active Directory > Directory > ServiceNow > Configuration Item > Record - Azure > Active Directory > Directory > ServiceNow > Configuration Item > Table Definition - Azure > Active Directory > Directory > ServiceNow > Table - Azure > Active Directory > Directory > ServiceNow > Table > Definition - Azure > Active Directory > Group > ServiceNow - Azure > Active Directory > Group > ServiceNow > Configuration Item - Azure > Active Directory > Group > ServiceNow > Configuration Item > Record - Azure > Active Directory > Group > ServiceNow > Configuration Item > Table Definition - Azure > Active Directory > Group > ServiceNow > Table - Azure > Active Directory > Group > ServiceNow > Table > Definition - Azure > Active Directory > Service Principal > ServiceNow - Azure > Active Directory > Service Principal > ServiceNow > Configuration Item - Azure > Active Directory > Service Principal > ServiceNow > Configuration Item > Record - Azure > Active Directory > Service Principal > ServiceNow > Configuration Item > Table Definition - Azure > Active Directory > Service Principal > ServiceNow > Table - Azure > Active Directory > Service Principal > ServiceNow > Table > Definition - Azure > Active Directory > User > ServiceNow - Azure > Active Directory > User > ServiceNow > Configuration Item - Azure > Active Directory > User > ServiceNow > Configuration Item > Record - Azure > Active Directory > User > ServiceNow > Configuration Item > Table Definition - Azure > Active Directory > User > ServiceNow > Table - Azure > Active Directory > User > ServiceNow > Table > Definition

servicenow-gcp-pubsub v5.0.0 is now available

Fri, 05 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - GCP > Pub/Sub > Snapshot > ServiceNow - GCP > Pub/Sub > Snapshot > ServiceNow > Configuration Item - GCP > Pub/Sub > Snapshot > ServiceNow > Table - GCP > Pub/Sub > Subscription > ServiceNow - GCP > Pub/Sub > Subscription > ServiceNow > Configuration Item - GCP > Pub/Sub > Subscription > ServiceNow > Table - GCP > Pub/Sub > Topic > ServiceNow - GCP > Pub/Sub > Topic > ServiceNow > Configuration Item - GCP > Pub/Sub > Topic > ServiceNow > Table - Policy Types: - GCP > Pub/Sub > Snapshot > ServiceNow - GCP > Pub/Sub > Snapshot > ServiceNow > Configuration Item - GCP > Pub/Sub > Snapshot > ServiceNow > Configuration Item > Record - GCP > Pub/Sub > Snapshot > ServiceNow > Configuration Item > Table Definition - GCP > Pub/Sub > Snapshot > ServiceNow > Table - GCP > Pub/Sub > Snapshot > ServiceNow > Table > Definition - GCP > Pub/Sub > Subscription > ServiceNow - GCP > Pub/Sub > Subscription > ServiceNow > Configuration Item - GCP > Pub/Sub > Subscription > ServiceNow > Configuration Item > Record - GCP > Pub/Sub > Subscription > ServiceNow > Configuration Item > Table Definition - GCP > Pub/Sub > Subscription > ServiceNow > Table - GCP > Pub/Sub > Subscription > ServiceNow > Table > Definition - GCP > Pub/Sub > Topic > ServiceNow - GCP > Pub/Sub > Topic > ServiceNow > Configuration Item - GCP > Pub/Sub > Topic > ServiceNow > Configuration Item > Record - GCP > Pub/Sub > Topic > ServiceNow > Configuration Item > Table Definition - GCP > Pub/Sub > Topic > ServiceNow > Table - GCP > Pub/Sub > Topic > ServiceNow > Table > Definition

servicenow-azure-synapseanalytics v5.0.0 is now available

Fri, 05 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > Synapse Analytics > SQL Pool > ServiceNow - Azure > Synapse Analytics > SQL Pool > ServiceNow > Configuration Item - Azure > Synapse Analytics > SQL Pool > ServiceNow > Table - Azure > Synapse Analytics > Workspace > ServiceNow - Azure > Synapse Analytics > Workspace > ServiceNow > Configuration Item - Azure > Synapse Analytics > Workspace > ServiceNow > Table - Policy Types: - Azure > Synapse Analytics > SQL Pool > ServiceNow - Azure > Synapse Analytics > SQL Pool > ServiceNow > Configuration Item - Azure > Synapse Analytics > SQL Pool > ServiceNow > Configuration Item > Record - Azure > Synapse Analytics > SQL Pool > ServiceNow > Configuration Item > Table Definition - Azure > Synapse Analytics > SQL Pool > ServiceNow > Table - Azure > Synapse Analytics > SQL Pool > ServiceNow > Table > Definition - Azure > Synapse Analytics > Workspace > ServiceNow - Azure > Synapse Analytics > Workspace > ServiceNow > Configuration Item - Azure > Synapse Analytics > Workspace > ServiceNow > Configuration Item > Record - Azure > Synapse Analytics > Workspace > ServiceNow > Configuration Item > Table Definition - Azure > Synapse Analytics > Workspace > ServiceNow > Table - Azure > Synapse Analytics > Workspace > ServiceNow > Table > Definition

servicenow-azure-sqlvirtualmachine v5.0.0 is now available

Fri, 05 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > Search Management > Search Service > ServiceNow - Azure > Search Management > Search Service > ServiceNow > Configuration Item - Azure > Search Management > Search Service > ServiceNow > Table - Policy Types: - Azure > Search Management > Search Service > ServiceNow - Azure > Search Management > Search Service > ServiceNow > Configuration Item - Azure > Search Management > Search Service > ServiceNow > Configuration Item > Record - Azure > Search Management > Search Service > ServiceNow > Configuration Item > Table Definition - Azure > Search Management > Search Service > ServiceNow > Table - Azure > Search Management > Search Service > ServiceNow > Table > Definition

servicenow-azure-servicebus v5.0.0 is now available

Fri, 05 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > Service Bus > Namespace > ServiceNow - Azure > Service Bus > Namespace > ServiceNow > Configuration Item - Azure > Service Bus > Namespace > ServiceNow > Table - Azure > Service Bus > Queue > ServiceNow - Azure > Service Bus > Queue > ServiceNow > Configuration Item - Azure > Service Bus > Queue > ServiceNow > Table - Azure > Service Bus > Topic > ServiceNow - Azure > Service Bus > Topic > ServiceNow > Configuration Item - Azure > Service Bus > Topic > ServiceNow > Table - Policy Types: - Azure > Service Bus > Namespace > ServiceNow - Azure > Service Bus > Namespace > ServiceNow > Configuration Item - Azure > Service Bus > Namespace > ServiceNow > Configuration Item > Record - Azure > Service Bus > Namespace > ServiceNow > Configuration Item > Table Definition - Azure > Service Bus > Namespace > ServiceNow > Table - Azure > Service Bus > Namespace > ServiceNow > Table > Definition - Azure > Service Bus > Queue > ServiceNow - Azure > Service Bus > Queue > ServiceNow > Configuration Item - Azure > Service Bus > Queue > ServiceNow > Configuration Item > Record - Azure > Service Bus > Queue > ServiceNow > Configuration Item > Table Definition - Azure > Service Bus > Queue > ServiceNow > Table - Azure > Service Bus > Queue > ServiceNow > Table > Definition - Azure > Service Bus > Topic > ServiceNow - Azure > Service Bus > Topic > ServiceNow > Configuration Item - Azure > Service Bus > Topic > ServiceNow > Configuration Item > Record - Azure > Service Bus > Topic > ServiceNow > Configuration Item > Table Definition - Azure > Service Bus > Topic > ServiceNow > Table - Azure > Service Bus > Topic > ServiceNow > Table > Definition

servicenow-azure-loadbalancer v5.0.0 is now available

Fri, 05 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > Load Balancer > Load Balance > ServiceNow - Azure > Load Balancer > Load Balance > ServiceNow > Configuration Item - Azure > Load Balancer > Load Balance > ServiceNow > Table - Policy Types: - Azure > Load Balancer > Load Balance > ServiceNow - Azure > Load Balancer > Load Balance > ServiceNow > Configuration Item - Azure > Load Balancer > Load Balance > ServiceNow > Configuration Item > Record - Azure > Load Balancer > Load Balance > ServiceNow > Configuration Item > Table Definition - Azure > Load Balancer > Load Balance > ServiceNow > Table - Azure > Load Balancer > Load Balance > ServiceNow > Table > Definition

servicenow-azure-dns v5.0.0 is now available

Fri, 05 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > DNS > Record Set > ServiceNow - Azure > DNS > Record Set > ServiceNow > Configuration Item - Azure > DNS > Record Set > ServiceNow > Table - Azure > DNS > Zone > ServiceNow - Azure > DNS > Zone > ServiceNow > Configuration Item - Azure > DNS > Zone > ServiceNow > Table - Policy Types: - Azure > DNS > Record Set > ServiceNow - Azure > DNS > Record Set > ServiceNow > Configuration Item - Azure > DNS > Record Set > ServiceNow > Configuration Item > Record - Azure > DNS > Record Set > ServiceNow > Configuration Item > Table Definition - Azure > DNS > Record Set > ServiceNow > Table - Azure > DNS > Record Set > ServiceNow > Table > Definition - Azure > DNS > Zone > ServiceNow - Azure > DNS > Zone > ServiceNow > Configuration Item - Azure > DNS > Zone > ServiceNow > Configuration Item > Record - Azure > DNS > Zone > ServiceNow > Configuration Item > Table Definition - Azure > DNS > Zone > ServiceNow > Table - Azure > DNS > Zone > ServiceNow > Table > Definition

servicenow-azure-cosmosdb v5.0.0 is now available

Fri, 05 Jan 2024 09:00:00 GMT

_What's new?_ - Control Types: - Azure > Cosmos DB > Database Account > ServiceNow - Azure > Cosmos DB > Database Account > ServiceNow > Configuration Item - Azure > Cosmos DB > Database Account > ServiceNow > Table - Azure > Cosmos DB > MongoDB Collection > ServiceNow - Azure > Cosmos DB > MongoDB Collection > ServiceNow > Configuration Item - Azure > Cosmos DB > MongoDB Collection > ServiceNow > Table - Azure > Cosmos DB > MongoDB Database > ServiceNow - Azure > Cosmos DB > MongoDB Database > ServiceNow > Configuration Item - Azure > Cosmos DB > MongoDB Database > ServiceNow > Table - Azure > Cosmos DB > SQL Container > ServiceNow - Azure > Cosmos DB > SQL Container > ServiceNow > Configuration Item - Azure > Cosmos DB > SQL Container > ServiceNow > Table - Azure > Cosmos DB > SQL Database > ServiceNow - Azure > Cosmos DB > SQL Database > ServiceNow > Configuration Item - Azure > Cosmos DB > SQL Database > ServiceNow > Table - Policy Types: - Azure > Cosmos DB > Database Account > ServiceNow - Azure > Cosmos DB > Database Account > ServiceNow > Configuration Item - Azure > Cosmos DB > Database Account > ServiceNow > Configuration Item > Record - Azure > Cosmos DB > Database Account > ServiceNow > Configuration Item > Table Definition - Azure > Cosmos DB > Database Account > ServiceNow > Table - Azure > Cosmos DB > Database Account > ServiceNow > Table > Definition - Azure > Cosmos DB > MongoDB Collection > ServiceNow - Azure > Cosmos DB > MongoDB Collection > ServiceNow > Configuration Item - Azure > Cosmos DB > MongoDB Collection > ServiceNow > Configuration Item > Record - Azure > Cosmos DB > MongoDB Collection > ServiceNow > Configuration Item > Table Definition - Azure > Cosmos DB > MongoDB Collection > ServiceNow > Table - Azure > Cosmos DB > MongoDB Collection > ServiceNow > Table > Definition - Azure > Cosmos DB > MongoDB Database > ServiceNow - Azure > Cosmos DB > MongoDB Database > ServiceNow > Configuration Item - Azure > Cosmos DB > MongoDB Database > ServiceNow > Configuration Item > Record - Azure > Cosmos DB > MongoDB Database > ServiceNow > Configuration Item > Table Definition - Azure > Cosmos DB > MongoDB Database > ServiceNow > Table - Azure > Cosmos DB > MongoDB Database > ServiceNow > Table > Definition - Azure > Cosmos DB > SQL Container > ServiceNow - Azure > Cosmos DB > SQL Container > ServiceNow > Configuration Item - Azure > Cosmos DB > SQL Container > ServiceNow > Configuration Item > Record - Azure > Cosmos DB > SQL Container > ServiceNow > Configuration Item > Table Definition - Azure > Cosmos DB > SQL Container > ServiceNow > Table - Azure > Cosmos DB > SQL Container > ServiceNow > Table > Definition - Azure > Cosmos DB > SQL Database > ServiceNow - Azure > Cosmos DB > SQL Database > ServiceNow > Configuration Item - Azure > Cosmos DB > SQL Database > ServiceNow > Configuration Item > Record - Azure > Cosmos DB > SQL Database > ServiceNow > Configuration Item > Table Definition - Azure > Cosmos DB > SQL Database > ServiceNow > Table - Azure > Cosmos DB > SQL Database > ServiceNow > Table > Definition

Turbot Guardrails Enterprise (TE) v5.42.12 - Policy updated for Mod Lambda SNS topic

Thu, 04 Jan 2024 09:00:00 GMT

_What's new?_ - Server - Updated: Enhanced IAM policy for tighter access around Mod Lambda SNS topic. _Requirements_ - TEF: 1.51.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

Thu, 07 Dec 2023 09:00:00 GMT

_Bug fixes_ - Server - Updated TE stack to enable propagation of custom tags to ECS tasks. - Updated @turbot/aws-sdk to 5.13.0, @turbot/fn to 5.21.0 and aws-sdk to 2.922. _Requirements_ - TEF: 1.51.0 - TED: 1.9.1 _Base images_ Alpine: 3.17.5 Ubuntu: 22.04.3

servicenow-aws-vpc-security v5.0.2 - Minor fixes on Configuration Item and Table controls

Thu, 07 Dec 2023 09:00:00 GMT

azure-securitycenter v5.2.0 - Lambda runtimes now powered by Node 18

Mon, 20 Nov 2023 09:00:00 GMT

azure-frontdoorservice v5.7.0 - Lambda runtimes now powered by Node 18

Mon, 20 Nov 2023 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Resource's metadata will now also include `createdBy` details in Turbot CMDB. - Policy Types: - Azure > Front Door > Front Door > Approved > Custom

azure-databricks v5.3.0 - Lambda runtimes now powered by Node 18

Mon, 20 Nov 2023 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Resource's metadata will now also include `createdBy` details in Turbot CMDB. - Policy Types: - Azure > Databricks > Workspace > Approved > Custom

Thu, 16 Nov 2023 09:00:00 GMT

Wed, 08 Nov 2023 09:00:00 GMT

_What's new?_ - Server - Updated: Updated the package `passport-saml` to `@node-saml/passport-saml`: 4.0.4 - Updated: The directory API to support `Require Signed Authentication Response` and `Strict Audience Validation`. - UI: - Added: Introduced UI options for `Require Signed Authentication Response` and `Strict Audience Validation` for enhanced security in SAML authentication. **Enhanced Security and Compatibility Guide for SAML Authentication** **Description** The recent package change for `@node-saml/passport-saml` has made it mandatory to sign the audience response and perform audience validation. To maintain backward compatibility, we have introduced two new options in the UI: 1. **Require Signed Authentication Response** 2. **Strict Audience Validation** To make it backward compatible, both of these options are initially set to `Disabled` by default. **Important Note:** This change ensures that the audience response is signed and audience validation is enforced. These checks were not available in earlier versions of the package. **Recommendations** We recommend customers enable both of these properties as they add an additional layer of security. However, it's important to be aware that enabling these properties might potentially break SAML login functionality. Therefore, certain steps need to be taken before enabling them. Here are specific recommendations for popular Identity Providers (IDPs): **Okta** - **Strict Audience Validation:** If enabled, ensure that the "Issuer ID" matches the "Audience Restriction." **OneLogin** - **Require Signed Authentication Response:** This feature should be disabled in OneLogin, as OneLogin does not support it. - **Strict Audience Validation:** If enabled, ensure that the "Issuer ID" matches the "Audience". **Azure Entra ID (Previously Known as Azure AD)** - **Require Signed Authentication Response:** If enabled, make sure you choose the `Signing option` to be "SIGN SAML response and assertion". The `Signing option` is available on the Signing Certificate page of Entra ID Please follow these recommendations carefully to make sure you're able to transition smoothly to the updated SAML package.

aws-outposts v5.3.0 - Lambda runtimes now powered by Node 18

Wed, 08 Nov 2023 09:00:00 GMT

aws-lightsail v5.5.0 - Quick Actions now available for all Lightsail resources; Lambda runtimes now powered by Node 18

Wed, 08 Nov 2023 09:00:00 GMT

aws-bedrock v5.0.0 is now available

Wed, 08 Nov 2023 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > Bedrock - Policy Types: - AWS > Bedrock > API Enabled - AWS > Bedrock > Approved Regions [Default] - AWS > Bedrock > Enabled - AWS > Bedrock > Permissions - AWS > Bedrock > Permissions > Levels - AWS > Bedrock > Permissions > Levels > Modifiers - AWS > Bedrock > Permissions > Lockdown - AWS > Bedrock > Permissions > Lockdown > API Boundary - AWS > Bedrock > Regions - AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-bedrock - AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-bedrock - AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-bedrock

aws-appmesh v5.4.0 - Quick Actions now available for Mesh; Lambda runtimes now powered by Node 18

Wed, 08 Nov 2023 09:00:00 GMT

aws-rds v5.26.0 - Lambda runtimes now powered by Node 18

Tue, 07 Nov 2023 09:00:00 GMT

aws-elasticache v5.9.1 - Bug Squashed - ElastiCache Snapshot CMDB control would go into an error state due to a bad internal build

Tue, 07 Nov 2023 09:00:00 GMT

_Bug fixes_ - The `AWS > ElastiCache > Snapshot > CMDB` control would go into an error state due to a bad internal build. This is fixed and the control will now work correctly as expected.

aws-glue v5.11.0 - Quick Actions now available for all Glue resources; Lambda runtimes now powered by Node 18

Mon, 06 Nov 2023 09:00:00 GMT

_What's new?_ - Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the `Actions` button, which will reveal a dropdown menu with available actions, and select one. See [Quick Actions](https://turbot.com/v5/docs/guides/quick-actions) for more information. - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Resource's metadata will now also include `createdBy` details in Turbot CMDB. - Action Types: - AWS > Glue > Crawler > Delete from AWS - AWS > Glue > Crawler > Set Tags - AWS > Glue > Crawler > Skip alarm for Active control - AWS > Glue > Crawler > Skip alarm for Active control [90 days] - AWS > Glue > Crawler > Skip alarm for Approved control - AWS > Glue > Crawler > Skip alarm for Approved control [90 days] - AWS > Glue > Crawler > Skip alarm for Tags control - AWS > Glue > Crawler > Skip alarm for Tags control [90 days] - AWS > Glue > Data Catalog > Skip alarm for Encryption at Rest control - AWS > Glue > Data Catalog > Skip alarm for Encryption at Rest control [90 days] - AWS > Glue > Database > Delete from AWS - AWS > Glue > Database > Skip alarm for Active control - AWS > Glue > Database > Skip alarm for Active control [90 days] - AWS > Glue > Database > Skip alarm for Approved control - AWS > Glue > Database > Skip alarm for Approved control [90 days] - AWS > Glue > Development Endpoint [Deprecated] > Delete from AWS - AWS > Glue > Development Endpoint [Deprecated] > Set Tags - AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Active control - AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Active control [90 days] - AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Approved control - AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Approved control [90 days] - AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Tags control - AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Tags control [90 days] - AWS > Glue > Job > Delete from AWS - AWS > Glue > Job > Set Tags - AWS > Glue > Job > Skip alarm for Active control - AWS > Glue > Job > Skip alarm for Active control [90 days] - AWS > Glue > Job > Skip alarm for Approved control - AWS > Glue > Job > Skip alarm for Approved control [90 days] - AWS > Glue > Job > Skip alarm for Tags control - AWS > Glue > Job > Skip alarm for Tags control [90 days] - AWS > Glue > ML Transform > Delete from AWS - AWS > Glue > ML Transform > Set Tags - AWS > Glue > ML Transform > Skip alarm for Active control - AWS > Glue > ML Transform > Skip alarm for Active control [90 days] - AWS > Glue > ML Transform > Skip alarm for Approved control - AWS > Glue > ML Transform > Skip alarm for Approved control [90 days] - AWS > Glue > ML Transform > Skip alarm for Tags control - AWS > Glue > ML Transform > Skip alarm for Tags control [90 days] - AWS > Glue > Security Configuration > Delete from AWS - AWS > Glue > Security Configuration > Skip alarm for Active control - AWS > Glue > Security Configuration > Skip alarm for Active control [90 days] - AWS > Glue > Security Configuration > Skip alarm for Approved control - AWS > Glue > Security Configuration > Skip alarm for Approved control [90 days] - AWS > Glue > Table > Delete from AWS - AWS > Glue > Table > Skip alarm for Active control - AWS > Glue > Table > Skip alarm for Active control [90 days] - AWS > Glue > Table > Skip alarm for Approved control - AWS > Glue > Table > Skip alarm for Approved control [90 days] - AWS > Glue > Trigger > Delete from AWS - AWS > Glue > Trigger > Set Tags - AWS > Glue > Trigger > Skip alarm for Active control - AWS > Glue > Trigger > Skip alarm for Active control [90 days] - AWS > Glue > Trigger > Skip alarm for Approved control - AWS > Glue > Trigger > Skip alarm for Approved control [90 days] - AWS > Glue > Trigger > Skip alarm for Tags control - AWS > Glue > Trigger > Skip alarm for Tags control [90 days] - AWS > Glue > Workflow > Delete from AWS - AWS > Glue > Workflow > Set Tags - AWS > Glue > Workflow > Skip alarm for Active control - AWS > Glue > Workflow > Skip alarm for Active control [90 days] - AWS > Glue > Workflow > Skip alarm for Approved control - AWS > Glue > Workflow > Skip alarm for Approved control [90 days] - AWS > Glue > Workflow > Skip alarm for Tags control - AWS > Glue > Workflow > Skip alarm for Tags control [90 days]

aws-codecommit v5.5.0 - Quick Actions now available for Repositories; Lambda runtimes now powered by Node 18

Mon, 06 Nov 2023 09:00:00 GMT

gcp v5.23.0 - You can now set a Unique Writer Identity for Logging Sinks created via Event Handlers stack

Fri, 03 Nov 2023 09:00:00 GMT

_What's new?_ - Users can now set a Unique Writer Identity for Logging Sink created via the `GCP > Turbot > Event Handlers` stack. To get started, set the `GCP > Turbot > Event Handlers > Logging > Unique Writer Identity` policy.

gcp-pubsub v5.7.2 - Guardrails' stack controls will now manage Pub/Sub Topics more reliably than before

Fri, 03 Nov 2023 09:00:00 GMT

_Bug fixes_ - Guardrails stack controls would sometimes fail to update Pub/Sub Topic resources if the Terraform plan in the stack's source policy was updated. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.0 or higher.

gcp-logging v5.3.3 - Guardrails' stack controls will now manage Logging Sinks more reliably than before

Fri, 03 Nov 2023 09:00:00 GMT

Thu, 02 Nov 2023 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Action Types: - AWS > VPC > Egress Only Internet Gateway > Delete from AWS - AWS > VPC > Egress Only Internet Gateway > Set Tags - AWS > VPC > Egress Only Internet Gateway > Skip alarm for Active control - AWS > VPC > Egress Only Internet Gateway > Skip alarm for Active control [90 days] - AWS > VPC > Egress Only Internet Gateway > Skip alarm for Approved control - AWS > VPC > Egress Only Internet Gateway > Skip alarm for Approved control [90 days] - AWS > VPC > Egress Only Internet Gateway > Skip alarm for Tags control - AWS > VPC > Egress Only Internet Gateway > Skip alarm for Tags control [90 days] - AWS > VPC > Elastic IP > Delete from AWS - AWS > VPC > Elastic IP > Set Tags - AWS > VPC > Elastic IP > Skip alarm for Active control - AWS > VPC > Elastic IP > Skip alarm for Active control [90 days] - AWS > VPC > Elastic IP > Skip alarm for Approved control - AWS > VPC > Elastic IP > Skip alarm for Approved control [90 days] - AWS > VPC > Elastic IP > Skip alarm for Tags control - AWS > VPC > Elastic IP > Skip alarm for Tags control [90 days] - AWS > VPC > Endpoint > Delete from AWS - AWS > VPC > Endpoint > Set Tags - AWS > VPC > Endpoint > Skip alarm for Active control - AWS > VPC > Endpoint > Skip alarm for Active control [90 days] - AWS > VPC > Endpoint > Skip alarm for Approved control - AWS > VPC > Endpoint > Skip alarm for Approved control [90 days] - AWS > VPC > Endpoint > Skip alarm for Tags control - AWS > VPC > Endpoint > Skip alarm for Tags control [90 days] - AWS > VPC > Endpoint Service > Delete from AWS - AWS > VPC > Endpoint Service > Set Tags - AWS > VPC > Endpoint Service > Skip alarm for Active control - AWS > VPC > Endpoint Service > Skip alarm for Active control [90 days] - AWS > VPC > Endpoint Service > Skip alarm for Approved control - AWS > VPC > Endpoint Service > Skip alarm for Approved control [90 days] - AWS > VPC > Endpoint Service > Skip alarm for Tags control - AWS > VPC > Endpoint Service > Skip alarm for Tags control [90 days] - AWS > VPC > Internet Gateway > Delete from AWS - AWS > VPC > Internet Gateway > Set Tags - AWS > VPC > Internet Gateway > Skip alarm for Active control - AWS > VPC > Internet Gateway > Skip alarm for Active control [90 days] - AWS > VPC > Internet Gateway > Skip alarm for Approved control - AWS > VPC > Internet Gateway > Skip alarm for Approved control [90 days] - AWS > VPC > Internet Gateway > Skip alarm for Tags control - AWS > VPC > Internet Gateway > Skip alarm for Tags control [90 days] - AWS > VPC > NAT Gateway > Delete from AWS - AWS > VPC > NAT Gateway > Set Tags - AWS > VPC > NAT Gateway > Skip alarm for Active control - AWS > VPC > NAT Gateway > Skip alarm for Active control [90 days] - AWS > VPC > NAT Gateway > Skip alarm for Approved control - AWS > VPC > NAT Gateway > Skip alarm for Approved control [90 days] - AWS > VPC > NAT Gateway > Skip alarm for Tags control - AWS > VPC > NAT Gateway > Skip alarm for Tags control [90 days]

aws-vpc-core v5.17.0 - Quick Actions now available for all VPC Core resources; Lambda runtimes now powered by Node 18

Thu, 02 Nov 2023 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Action Types: - AWS > VPC > DHCP Options > Delete from AWS - AWS > VPC > DHCP Options > Set Tags - AWS > VPC > DHCP Options > Skip alarm for Active control - AWS > VPC > DHCP Options > Skip alarm for Active control [90 days] - AWS > VPC > DHCP Options > Skip alarm for Tags control - AWS > VPC > DHCP Options > Skip alarm for Tags control [90 days] - AWS > VPC > Route Table > Delete from AWS - AWS > VPC > Route Table > Set Tags - AWS > VPC > Route Table > Skip alarm for Active control - AWS > VPC > Route Table > Skip alarm for Active control [90 days] - AWS > VPC > Route Table > Skip alarm for Tags control - AWS > VPC > Route Table > Skip alarm for Tags control [90 days] - AWS > VPC > Subnet > Delete from AWS - AWS > VPC > Subnet > Set Tags - AWS > VPC > Subnet > Skip alarm for Active control - AWS > VPC > Subnet > Skip alarm for Active control [90 days] - AWS > VPC > Subnet > Skip alarm for Tags control - AWS > VPC > Subnet > Skip alarm for Tags control [90 days] - AWS > VPC > VPC > Delete from AWS - AWS > VPC > VPC > Set Tags - AWS > VPC > VPC > Skip alarm for Active control - AWS > VPC > VPC > Skip alarm for Active control [90 days] - AWS > VPC > VPC > Skip alarm for Tags control - AWS > VPC > VPC > Skip alarm for Tags control [90 days]

aws-sqs v5.14.0 - Lambda runtimes now powered by Node 18

Thu, 02 Nov 2023 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

aws-sns v5.15.0 - Lambda runtimes now powered by Node 18

Wed, 01 Nov 2023 09:00:00 GMT

aws-backup v5.10.1 - Bugs Squashed - Recovery Points deleted in AWS were not cleaned up automatically via real-time events in Guardrails

Wed, 01 Nov 2023 09:00:00 GMT

_Bug fixes_ - Recovery Points deleted in AWS were not cleaned up automatically via real-time events in Guardrails. This is now fixed.

aws-vpc-connect v5.9.0 - Lambda runtimes now powered by Node 18

Tue, 31 Oct 2023 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

aws-sagemaker v5.9.0 - Quick Actions now available for all SageMaker resources; Lambda runtimes now powered by Node 18

Tue, 31 Oct 2023 09:00:00 GMT

_What's new?_ - Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the `Actions` button, which will reveal a dropdown menu with available actions, and select one. See [Quick Actions](https://turbot.com/v5/docs/guides/quick-actions) for more information. - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Resource's metadata will now also include `createdBy` details in Turbot CMDB. - Added support for `ap-northeast-3` and `us-gov-east-1` regions in the `AWS > SageMaker > Regions` policy. - Policy Types: - AWS > SageMaker > Code Repository > Approved > Custom - AWS > SageMaker > Endpoint > Approved > Custom - AWS > SageMaker > Endpoint Configuration > Approved > Custom - AWS > SageMaker > Lifecycle Configuration > Approved > Custom - AWS > SageMaker > Model > Approved > Custom - AWS > SageMaker > Training Job > Approved > Custom - Action Types: - AWS > SageMaker > Code Repository > Delete from AWS - AWS > SageMaker > Code Repository > Skip alarm for Active control - AWS > SageMaker > Code Repository > Skip alarm for Active control [90 days] - AWS > SageMaker > Code Repository > Skip alarm for Approved control - AWS > SageMaker > Code Repository > Skip alarm for Approved control [90 days] - AWS > SageMaker > Domain > Delete from AWS - AWS > SageMaker > Endpoint > Delete from AWS - AWS > SageMaker > Endpoint > Set Tags - AWS > SageMaker > Endpoint > Skip alarm for Active control - AWS > SageMaker > Endpoint > Skip alarm for Active control [90 days] - AWS > SageMaker > Endpoint > Skip alarm for Approved control - AWS > SageMaker > Endpoint > Skip alarm for Approved control [90 days] - AWS > SageMaker > Endpoint > Skip alarm for Tags control - AWS > SageMaker > Endpoint > Skip alarm for Tags control [90 days] - AWS > SageMaker > Endpoint Configuration > Delete from AWS - AWS > SageMaker > Endpoint Configuration > Set Tags - AWS > SageMaker > Endpoint Configuration > Skip alarm for Active control - AWS > SageMaker > Endpoint Configuration > Skip alarm for Active control [90 days] - AWS > SageMaker > Endpoint Configuration > Skip alarm for Approved control - AWS > SageMaker > Endpoint Configuration > Skip alarm for Approved control [90 days] - AWS > SageMaker > Endpoint Configuration > Skip alarm for Tags control - AWS > SageMaker > Endpoint Configuration > Skip alarm for Tags control [90 days] - AWS > SageMaker > Lifecycle Configuration > Delete from AWS - AWS > SageMaker > Lifecycle Configuration > Skip alarm for Active control - AWS > SageMaker > Lifecycle Configuration > Skip alarm for Active control [90 days] - AWS > SageMaker > Lifecycle Configuration > Skip alarm for Approved control - AWS > SageMaker > Lifecycle Configuration > Skip alarm for Approved control [90 days] - AWS > SageMaker > Model > Delete from AWS - AWS > SageMaker > Model > Set Tags - AWS > SageMaker > Model > Skip alarm for Active control - AWS > SageMaker > Model > Skip alarm for Active control [90 days] - AWS > SageMaker > Model > Skip alarm for Approved control - AWS > SageMaker > Model > Skip alarm for Approved control [90 days] - AWS > SageMaker > Model > Skip alarm for Tags control - AWS > SageMaker > Model > Skip alarm for Tags control [90 days] - AWS > SageMaker > Notebook Instance > Delete from AWS - AWS > SageMaker > Notebook Instance > Set Tags - AWS > SageMaker > Notebook Instance > Skip alarm for Active control - AWS > SageMaker > Notebook Instance > Skip alarm for Active control [90 days] - AWS > SageMaker > Notebook Instance > Skip alarm for Approved control - AWS > SageMaker > Notebook Instance > Skip alarm for Approved control [90 days] - AWS > SageMaker > Notebook Instance > Skip alarm for Tags control - AWS > SageMaker > Notebook Instance > Skip alarm for Tags control [90 days] - AWS > SageMaker > Training Job > Set Tags - AWS > SageMaker > Training Job > Skip alarm for Active control - AWS > SageMaker > Training Job > Skip alarm for Active control [90 days] - AWS > SageMaker > Training Job > Skip alarm for Approved control - AWS > SageMaker > Training Job > Skip alarm for Approved control [90 days] - AWS > SageMaker > Training Job > Skip alarm for Tags control - AWS > SageMaker > Training Job > Skip alarm for Tags control [90 days]

aws-route53resolver v5.4.0 - Quick Actions now available for Resolver Endpoints and Rules; Lambda runtimes now powered by Node 18

Mon, 30 Oct 2023 09:00:00 GMT

aws-route53 v6.6.0 - Lambda runtimes now powered by Node 18

Mon, 30 Oct 2023 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

aws-kms v5.17.0 - Lambda runtimes now powered by Node 18

Mon, 30 Oct 2023 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

aws-events v5.12.0 - Quick Actions now available for Rules and Targets; Lambda runtimes now powered by Node 18

Mon, 30 Oct 2023 09:00:00 GMT

aws-waf v5.7.0 - Quick Actions now available for all WAF resources; Lambda runtimes now powered by Node 18

Fri, 27 Oct 2023 09:00:00 GMT

_What's new?_ - Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the `Actions` button, which will reveal a dropdown menu with available actions, and select one. See [Quick Actions](https://turbot.com/v5/docs/guides/quick-actions) for more information. - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Resource's metadata will now also include `createdBy` details in Turbot CMDB. - Action Types: - AWS > WAF > IP Set > Delete from AWS - AWS > WAF > IP Set > Skip alarm for Active control - AWS > WAF > IP Set > Skip alarm for Active control [90 days] - AWS > WAF > IP Set > Skip alarm for Approved control - AWS > WAF > IP Set > Skip alarm for Approved control [90 days] - AWS > WAF > IP Set v2 Global > Delete from AWS - AWS > WAF > IP Set v2 Global > Set Tags - AWS > WAF > IP Set v2 Global > Skip alarm for Active control - AWS > WAF > IP Set v2 Global > Skip alarm for Active control [90 days] - AWS > WAF > IP Set v2 Global > Skip alarm for Approved control - AWS > WAF > IP Set v2 Global > Skip alarm for Approved control [90 days] - AWS > WAF > IP Set v2 Global > Skip alarm for Tags control - AWS > WAF > IP Set v2 Global > Skip alarm for Tags control [90 days] - AWS > WAF > IP Set v2 Regional > Delete from AWS - AWS > WAF > IP Set v2 Regional > Set Tags - AWS > WAF > IP Set v2 Regional > Skip alarm for Active control - AWS > WAF > IP Set v2 Regional > Skip alarm for Active control [90 days] - AWS > WAF > IP Set v2 Regional > Skip alarm for Approved control - AWS > WAF > IP Set v2 Regional > Skip alarm for Approved control [90 days] - AWS > WAF > IP Set v2 Regional > Skip alarm for Tags control - AWS > WAF > IP Set v2 Regional > Skip alarm for Tags control [90 days] - AWS > WAF > Rate Based Rule > Delete from AWS - AWS > WAF > Rate Based Rule > Skip alarm for Active control - AWS > WAF > Rate Based Rule > Skip alarm for Active control [90 days] - AWS > WAF > Rate Based Rule > Skip alarm for Approved control - AWS > WAF > Rate Based Rule > Skip alarm for Approved control [90 days] - AWS > WAF > Regex Pattern Set v2 Global > Delete from AWS - AWS > WAF > Regex Pattern Set v2 Global > Set Tags - AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Active control - AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Active control [90 days] - AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Approved control - AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Approved control [90 days] - AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Tags control - AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Tags control [90 days] - AWS > WAF > Regex Pattern Set v2 Regional > Delete from AWS - AWS > WAF > Regex Pattern Set v2 Regional > Set Tags - AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Active control - AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Active control [90 days] - AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Approved control - AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Approved control [90 days] - AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Tags control - AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Tags control [90 days] - AWS > WAF > Rule > Delete from AWS - AWS > WAF > Rule > Skip alarm for Active control - AWS > WAF > Rule > Skip alarm for Active control [90 days] - AWS > WAF > Rule > Skip alarm for Approved control - AWS > WAF > Rule > Skip alarm for Approved control [90 days] - AWS > WAF > Rule Group v2 Global > Delete from AWS - AWS > WAF > Rule Group v2 Global > Set Tags - AWS > WAF > Rule Group v2 Global > Skip alarm for Active control - AWS > WAF > Rule Group v2 Global > Skip alarm for Active control [90 days] - AWS > WAF > Rule Group v2 Global > Skip alarm for Approved control - AWS > WAF > Rule Group v2 Global > Skip alarm for Approved control [90 days] - AWS > WAF > Rule Group v2 Global > Skip alarm for Tags control - AWS > WAF > Rule Group v2 Global > Skip alarm for Tags control [90 days] - AWS > WAF > Rule Group v2 Regional > Delete from AWS - AWS > WAF > Rule Group v2 Regional > Set Tags - AWS > WAF > Rule Group v2 Regional > Skip alarm for Active control - AWS > WAF > Rule Group v2 Regional > Skip alarm for Active control [90 days] - AWS > WAF > Rule Group v2 Regional > Skip alarm for Approved control - AWS > WAF > Rule Group v2 Regional > Skip alarm for Approved control [90 days] - AWS > WAF > Rule Group v2 Regional > Skip alarm for Tags control - AWS > WAF > Rule Group v2 Regional > Skip alarm for Tags control [90 days] - AWS > WAF > Web ACL > Delete from AWS - AWS > WAF > Web ACL > Set Tags - AWS > WAF > Web ACL > Skip alarm for Active control - AWS > WAF > Web ACL > Skip alarm for Active control [90 days] - AWS > WAF > Web ACL > Skip alarm for Approved control - AWS > WAF > Web ACL > Skip alarm for Approved control [90 days] - AWS > WAF > Web ACL > Skip alarm for Tags control - AWS > WAF > Web ACL > Skip alarm for Tags control [90 days] - AWS > WAF > Web ACL v2 Global > Delete from AWS - AWS > WAF > Web ACL v2 Global > Set Tags - AWS > WAF > Web ACL v2 Global > Skip alarm for Active control - AWS > WAF > Web ACL v2 Global > Skip alarm for Active control [90 days] - AWS > WAF > Web ACL v2 Global > Skip alarm for Approved control - AWS > WAF > Web ACL v2 Global > Skip alarm for Approved control [90 days] - AWS > WAF > Web ACL v2 Global > Skip alarm for Tags control - AWS > WAF > Web ACL v2 Global > Skip alarm for Tags control [90 days] - AWS > WAF > Web ACL v2 Regional > Delete from AWS - AWS > WAF > Web ACL v2 Regional > Set Tags - AWS > WAF > Web ACL v2 Regional > Skip alarm for Active control - AWS > WAF > Web ACL v2 Regional > Skip alarm for Active control [90 days] - AWS > WAF > Web ACL v2 Regional > Skip alarm for Approved control - AWS > WAF > Web ACL v2 Regional > Skip alarm for Approved control [90 days] - AWS > WAF > Web ACL v2 Regional > Skip alarm for Tags control - AWS > WAF > Web ACL v2 Regional > Skip alarm for Tags control [90 days]

aws-backup v5.10.0 - Quick Actions now available for all Backup resources; Lambda runtimes now powered by Node 18

Fri, 27 Oct 2023 09:00:00 GMT

aws-workspaces v5.3.0 - Quick Actions now available for WorkSpaces; Lambda runtimes now powered by Node 18

Thu, 26 Oct 2023 09:00:00 GMT

aws-s3 v5.23.0 - Lambda runtimes now powered by Node 18

Wed, 25 Oct 2023 09:00:00 GMT

Tue, 24 Oct 2023 09:00:00 GMT

_What's new?_ - Server: - Updated: Downgrade passport-saml Node package to 1.3.5.

aws-ec2 v5.36.1 - Bug Squashed - Volume Discovery control would go into an error state due to bad GraphQL queries

Tue, 17 Oct 2023 09:00:00 GMT

_Bug fixes_ - The `AWS > EC2 > Volume > Discovery` control would go into an error state because of an unintended GraphQL query bug. This is fixed and the control will now work correctly as expected.

Turbot Guardrails Enterprise Foundation (TEF) v1.53.0 - Hive manager Updated to Manage New RDS Certificate

Wed, 11 Oct 2023 09:00:00 GMT

_What's new?_ - Updated: Hive manager code to include the new certificate.

Turbot Guardrails Enterprise Database (TED) v1.38.0 - New Parameter for RDS Certificate for Commercial Cloud

Wed, 11 Oct 2023 09:00:00 GMT

_What's new?_ - Added: parameter for RDS certificate for commercial cloud.

Turbot Guardrails Enterprise (TE) v5.42.3 - Bugs Squashed - Stack Control Execution Issue with Large number of Resources; RDS CA Certificate to use the latest bundled certificate

Wed, 11 Oct 2023 09:00:00 GMT

_What's new?_ - Server: - Updated: RDS CA Certificate to use the latest bundled certificate. - Updated: Updated the package passport-saml to @node-saml/passport-saml: 4.0.4 - Updated: Steampipe query in developer section now points to the correct table. - UI: - Added: Option to view Changelogs in the Help dropdown menu. _Bug fixes_ - Server: - Fixed: Stack control failed to run when a large number of resources were being managed by a stack control.

aws-guardduty v5.7.0 - Quick Actions now available for all GuardDuty resources; Lambda runtimes now powered by Node 18

Mon, 09 Oct 2023 09:00:00 GMT

aws-emr v5.7.0 - Quick Actions now available for Clusters and Security Configurations; Lambda runtimes now powered by Node 18

Mon, 09 Oct 2023 09:00:00 GMT

aws-ecs v5.6.0 - Quick Actions now available for all ECS resources; Lambda runtimes now powered by Node 18

Mon, 09 Oct 2023 09:00:00 GMT

aws-ec2 v5.36.0 - You can now Block Public Access for AMIs; Lambda runtimes now powered by Node 18

_What's new?_ - Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the `Actions` button, which will reveal a dropdown menu with available actions, and select one. See [Quick Actions](https://turbot.com/guardrails/docs/guides/quick-actions) for more information. - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Resource's metadata will now also include `createdBy` details in Turbot CMDB. - Action Types: - AWS > API Gateway > API > Delete from AWS - AWS > API Gateway > API > Set Tags - AWS > API Gateway > API > Skip alarm for Active control - AWS > API Gateway > API > Skip alarm for Active control [90 days] - AWS > API Gateway > API > Skip alarm for Approved control - AWS > API Gateway > API > Skip alarm for Approved control [90 days] - AWS > API Gateway > API > Skip alarm for Tags control - AWS > API Gateway > API > Skip alarm for Tags control [90 days] - AWS > API Gateway > API Key > Delete from AWS - AWS > API Gateway > API Key > Set Tags - AWS > API Gateway > API Key > Skip alarm for Active control - AWS > API Gateway > API Key > Skip alarm for Active control [90 days] - AWS > API Gateway > API Key > Skip alarm for Approved control - AWS > API Gateway > API Key > Skip alarm for Approved control [90 days] - AWS > API Gateway > API Key > Skip alarm for Tags control - AWS > API Gateway > API Key > Skip alarm for Tags control [90 days] - AWS > API Gateway > API V2 > Delete from AWS - AWS > API Gateway > API V2 > Set Tags - AWS > API Gateway > API V2 > Skip alarm for Active control - AWS > API Gateway > API V2 > Skip alarm for Active control [90 days] - AWS > API Gateway > API V2 > Skip alarm for Approved control - AWS > API Gateway > API V2 > Skip alarm for Approved control [90 days] - AWS > API Gateway > API V2 > Skip alarm for Tags control - AWS > API Gateway > API V2 > Skip alarm for Tags control [90 days] - AWS > API Gateway > Authorizer > Delete from AWS - AWS > API Gateway > Authorizer > Skip alarm for Active control - AWS > API Gateway > Authorizer > Skip alarm for Active control [90 days] - AWS > API Gateway > Authorizer > Skip alarm for Approved control - AWS > API Gateway > Authorizer > Skip alarm for Approved control [90 days] - AWS > API Gateway > Authorizer V2 > Delete from AWS - AWS > API Gateway > Authorizer V2 > Skip alarm for Active control - AWS > API Gateway > Authorizer V2 > Skip alarm for Active control [90 days] - AWS > API Gateway > Authorizer V2 > Skip alarm for Approved control - AWS > API Gateway > Authorizer V2 > Skip alarm for Approved control [90 days] - AWS > API Gateway > Domain Name V2 > Delete from AWS - AWS > API Gateway > Domain Name V2 > Set Tags - AWS > API Gateway > Domain Name V2 > Skip alarm for Active control - AWS > API Gateway > Domain Name V2 > Skip alarm for Active control [90 days] - AWS > API Gateway > Domain Name V2 > Skip alarm for Approved control - AWS > API Gateway > Domain Name V2 > Skip alarm for Approved control [90 days] - AWS > API Gateway > Domain Name V2 > Skip alarm for Tags control - AWS > API Gateway > Domain Name V2 > Skip alarm for Tags control [90 days] - AWS > API Gateway > Integration V2 > Delete from AWS - AWS > API Gateway > Integration V2 > Skip alarm for Active control - AWS > API Gateway > Integration V2 > Skip alarm for Active control [90 days] - AWS > API Gateway > Integration V2 > Skip alarm for Approved control - AWS > API Gateway > Integration V2 > Skip alarm for Approved control [90 days] - AWS > API Gateway > Resource > Delete from AWS - AWS > API Gateway > Resource > Skip alarm for Active control - AWS > API Gateway > Resource > Skip alarm for Active control [90 days] - AWS > API Gateway > Resource > Skip alarm for Approved control - AWS > API Gateway > Resource > Skip alarm for Approved control [90 days] - AWS > API Gateway > Stage > Delete from AWS - AWS > API Gateway > Stage > Set Tags - AWS > API Gateway > Stage > Skip alarm for Active control - AWS > API Gateway > Stage > Skip alarm for Active control [90 days] - AWS > API Gateway > Stage > Skip alarm for Approved control - AWS > API Gateway > Stage > Skip alarm for Approved control [90 days] - AWS > API Gateway > Stage > Skip alarm for Tags control - AWS > API Gateway > Stage > Skip alarm for Tags control [90 days] - AWS > API Gateway > Stage v2 > Delete from AWS - AWS > API Gateway > Stage v2 > Set Tags - AWS > API Gateway > Stage v2 > Skip alarm for Active control - AWS > API Gateway > Stage v2 > Skip alarm for Active control [90 days] - AWS > API Gateway > Stage v2 > Skip alarm for Approved control - AWS > API Gateway > Stage v2 > Skip alarm for Approved control [90 days] - AWS > API Gateway > Stage v2 > Skip alarm for Tags control - AWS > API Gateway > Stage v2 > Skip alarm for Tags control [90 days] - AWS > API Gateway > Usage Plan > Delete from AWS - AWS > API Gateway > Usage Plan > Set Tags - AWS > API Gateway > Usage Plan > Skip alarm for Active control - AWS > API Gateway > Usage Plan > Skip alarm for Active control [90 days] - AWS > API Gateway > Usage Plan > Skip alarm for Approved control - AWS > API Gateway > Usage Plan > Skip alarm for Approved control [90 days] - AWS > API Gateway > Usage Plan > Skip alarm for Tags control - AWS > API Gateway > Usage Plan > Skip alarm for Tags control [90 days]

aws-amplify v5.4.0 - New permissions for Deployment, WebHook and Artifacts; Quick Actions for Amplify Apps; Lambda runtimes now powered by Node 18; and more

Wed, 04 Oct 2023 09:00:00 GMT

_What's new?_ - `AWS/Amplify/Admin` and `AWS/Amplify/Metadata` now also include permissions for Deployment, WebHook and Artifacts. - Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the `Actions` button, which will reveal a dropdown menu with available actions, and select one. See [Quick Actions](https://turbot.com/guardrails/docs/guides/quick-actions) for more information. - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Resource's metadata will now also include `createdBy` details in Turbot CMDB. - Policy Types: - AWS > Amplify > App > Approved > Custom - Action Types: - AWS > Amplify > App > Delete from AWS - AWS > Amplify > App > Set Tags - AWS > Amplify > App > Skip alarm for Active control - AWS > Amplify > App > Skip alarm for Active control [90 days] - AWS > Amplify > App > Skip alarm for Approved control - AWS > Amplify > App > Skip alarm for Approved control [90 days] - AWS > Amplify > App > Skip alarm for Tags control - AWS > Amplify > App > Skip alarm for Tags control [90 days]

aws-acm v5.8.0 - Quick Actions now available for Certificates; Lambda runtimes now powered by Node 18; and more

Wed, 04 Oct 2023 09:00:00 GMT

Turbot Guardrails Enterprise Database (TED) v1.37.0 - Added support for t4g, m7g, m6gd, r7g, r6gd, c6g and c6gd instance types for RDS; and more

Fri, 29 Sep 2023 09:00:00 GMT

_What's new?_ - Added: t4g, m7g, m6gd, r7g, r6gd, c6g and c6gd to instance type parameter for RDS. - Added: new hive parameter group for Postgres 14 and 15.

aws-eks v5.6.0 - Lambda runtimes now powered by Node 18

Fri, 29 Sep 2023 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.

aws-route53 v6.5.0 - Added new Resource Type for Route53 Records

Thu, 28 Sep 2023 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > Route 53 > Record - Control Types: - AWS > Route 53 > Record > Active - AWS > Route 53 > Record > Approved - AWS > Route 53 > Record > CMDB - AWS > Route 53 > Record > Discovery - Policy Types: - AWS > Route 53 > Record > Active - AWS > Route 53 > Record > Active > Age - AWS > Route 53 > Record > Active > Budget - AWS > Route 53 > Record > Active > Last Modified - AWS > Route 53 > Record > Approved - AWS > Route 53 > Record > Approved > Budget - AWS > Route 53 > Record > Approved > Custom - AWS > Route 53 > Record > Approved > Usage - AWS > Route 53 > Record > CMDB - Action Types: - AWS > Route 53 > Record > Delete - AWS > Route 53 > Record > Delete from AWS - AWS > Route 53 > Record > Router - AWS > Route 53 > Record > Skip alarm for Active control - AWS > Route 53 > Record > Skip alarm for Active control [90 days] - AWS > Route 53 > Record > Skip alarm for Approved control - AWS > Route 53 > Record > Skip alarm for Approved control [90 days]

aws-organizations v5.2.0 - New Active and Approved controls and policies for Organizational Root and Organizational Account resource types

Tue, 26 Sep 2023 09:00:00 GMT

_What's new?_ - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Control Types: - AWS > Organizations > Organization Root > Active - AWS > Organizations > Organization Root > Approved - AWS > Organizations > Organizational Account > Active - AWS > Organizations > Organizational Account > Approved - Policy Types: - AWS > Organizations > Organization Root > Active - AWS > Organizations > Organization Root > Active > Age - AWS > Organizations > Organization Root > Active > Last Modified - AWS > Organizations > Organization Root > Approved - AWS > Organizations > Organization Root > Approved > Custom - AWS > Organizations > Organization Root > Approved > Usage - AWS > Organizations > Organizational Account > Active - AWS > Organizations > Organizational Account > Active > Age - AWS > Organizations > Organizational Account > Active > Last Modified - AWS > Organizations > Organizational Account > Approved - AWS > Organizations > Organizational Account > Approved > Custom - AWS > Organizations > Organizational Account > Approved > Usage - Action Types: - AWS > Organizations > Organization Root > Skip alarm for Active control - AWS > Organizations > Organization Root > Skip alarm for Active control [90 days] - AWS > Organizations > Organization Root > Skip alarm for Approved control - AWS > Organizations > Organization Root > Skip alarm for Approved control [90 days] - AWS > Organizations > Organizational Account > Skip alarm for Active control - AWS > Organizations > Organizational Account > Skip alarm for Active control [90 days] - AWS > Organizations > Organizational Account > Skip alarm for Approved control - AWS > Organizations > Organizational Account > Skip alarm for Approved control [90 days]

aws-msk v5.4.0 - Added new permissions for Cluster V2, Scram Secrets and Kafka VPC Connections; and more

Tue, 26 Sep 2023 09:00:00 GMT

_What's new?_ - `AWS/MSK/Admin`, `AWS/MSK/Metadata` and `AWS/MSK/Operator` now also include permissions for Cluster V2, Scram Secrets and Kafka VPC Connections. - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Resource's metadata will now also include `createdBy` details in Turbot CMDB. - Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before. - Policy Types: - AWS > MSK > Cluster > Approved > Custom - AWS > MSK > Cluster > Approved > Instance Types - Action Types: - AWS > MSK > Cluster > Delete from AWS - AWS > MSK > Cluster > Set Tags - AWS > MSK > Cluster > Skip alarm for Active control - AWS > MSK > Cluster > Skip alarm for Active control [90 days] - AWS > MSK > Cluster > Skip alarm for Approved control - AWS > MSK > Cluster > Skip alarm for Approved control [90 days] - AWS > MSK > Cluster > Skip alarm for Tags control - AWS > MSK > Cluster > Skip alarm for Tags control [90 days] _Bug fixes_ - Guardrails would sometimes fail to upsert clusters correctly in CMDB. This is now fixed.

aws-elasticache v5.8.0 - You can now configure Backups for your Elasticache Replication Groups

Tue, 26 Sep 2023 09:00:00 GMT

_What's new?_ - Control Types: - AWS > ElastiCache > Replication Group > Backup - Policy Types: - AWS > ElastiCache > Replication Group > Backup - AWS > ElastiCache > Replication Group > Backup > Retention Period - AWS > ElastiCache > Replication Group > Backup > Window - Action Types: - AWS > ElastiCache > Cache Cluster > Skip alarm for approved control - AWS > ElastiCache > Cache Cluster > Skip alarm for approved control [90 days] - AWS > ElastiCache > Cache Parameter Group > Skip alarm for approved control - AWS > ElastiCache > Cache Parameter Group > Skip alarm for approved control [90 days] - AWS > ElastiCache > Replication Group > Skip alarm for approved control - AWS > ElastiCache > Replication Group > Skip alarm for approved control [90 days] - AWS > ElastiCache > Replication Group > Update Backup - AWS > ElastiCache > Snapshot > Skip alarm for approved control - AWS > ElastiCache > Snapshot > Skip alarm for approved control [90 days]

aws v5.28.0 - Added support for Global Event Handlers

Fri, 22 Sep 2023 09:00:00 GMT

_What's new?_ - Added support for Global Event Handlers. This release contains new Guardrails policies and controls to support deployment of Global Event Handlers for AWS. - Control Types: - AWS > Turbot > Event Handlers [Global] - Policy Types: - AWS > Turbot > Event Handlers [Global] - AWS > Turbot > Event Handlers [Global] > Events - AWS > Turbot > Event Handlers [Global] > Events > Rules - AWS > Turbot > Event Handlers [Global] > Events > Rules > Name Prefix - AWS > Turbot > Event Handlers [Global] > Events > Rules > Tags - AWS > Turbot > Event Handlers [Global] > Events > Target - AWS > Turbot > Event Handlers [Global] > Events > Target > IAM Role ARN - AWS > Turbot > Event Handlers [Global] > Primary Region - AWS > Turbot > Event Handlers [Global] > SNS - AWS > Turbot > Event Handlers [Global] > SNS > Topic - AWS > Turbot > Event Handlers [Global] > SNS > Topic > Customer Managed Key - AWS > Turbot > Event Handlers [Global] > SNS > Topic > Name Prefix - AWS > Turbot > Event Handlers [Global] > SNS > Topic > Tags - AWS > Turbot > Event Handlers [Global] > Source - AWS > Turbot > Event Handlers [Global] > Terraform Version - AWS > Turbot > Service Roles > Event Handlers [Global] - AWS > Turbot > Service Roles > Event Handlers [Global] > Name

aws-rds v5.25.0 - New Performance Insights permissions

Thu, 21 Sep 2023 09:00:00 GMT

_What's new?_ - `AWS/RDS/Admin`, `AWS/RDS/Metadata` and `AWS/RDS/Operator` now include permissions for Performance Insights. - Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.

gcp v5.22.0 - Added support for newly supported multi-regions in GCP

Wed, 20 Sep 2023 09:00:00 GMT

_What's new?_ - Added support for new multi-regions `NAM8`, `NAM9`, `NAM10`, `NAM11`, `NAM12`, `NAM13`, `NAM14`, `NAM15`, `NAM-EUR-ASIA1`, `NAM-EUR-ASIA3`, `IN`, `EUR5`, `EUR6`, `EUROPE` and `EMEA` in the `GCP > Project > Regions` policy. - Policy Types Removed: - GCP > Project > Multi-Regions [Deprecated]

aws-vpc-security v5.9.3 - Fixed issues for Security Group CMDB control on TE v 5.42.1 or lower

Mon, 18 Sep 2023 09:00:00 GMT

_Bug fixes_ - The `AWS > VPC > Security Group > CMDB` control would sometimes go into an error state if the TE version installed on the workspace was 5.42.1 or lower. This is fixed and the control will now work as expected.

Turbot Guardrails Enterprise Database (TED) v1.36.0 - Added support for m7g instance types for Elasticache; and more

Fri, 15 Sep 2023 09:00:00 GMT

_What's new?_ - Added: m7g instance types for Elasticache. _Bug fixes_ - User group name for hive names with _ in it. - Hive manager code to add access grant to public schema for postgres 15. _Requirements_ - TEF: 1.52.0

gcp v5.21.0 - Added support for new `europe-west10` region

Fri, 15 Sep 2023 09:00:00 GMT

_What's new?_ - Added support for new `europe-west10` region in the `GCP > Project > Regions` policy. - Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.

gcp-computeengine v5.16.0 - Added support for newly supported regions in GCP Compute Engine Service, and fixed a bug to upsert data disks correctly in Guardrails

Fri, 15 Sep 2023 09:00:00 GMT

_What's new?_ - Added support for new `asia-northeast3`, `asia-south2`, `asia-southeast2`, `australia-southeast2`, `europe-central2`, `europe-southwest1`, `europe-west10`, `europe-west12`, `europe-west8`, `europe-west9`, `me-central1`, `me-west1`, `northamerica-northeast2`, `southamerica-west1`, `us-east5`, `us-south1`, `us-west3` and `us-west4` regions in the `GCP > Compute Engine > Regions` policy. - Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before. _Bug fixes_ - The real-time Event Handlers would sometimes fail to upsert data disks attached to instances in Guardrails CMDB. This is now fixed.

aws-vpc-security v5.9.2 - Fixed issues for Security Groups and Security Group Rules created/claimed via Guardrails stacks

Fri, 15 Sep 2023 09:00:00 GMT

_Bug fixes_ - Guardrails stack controls would fail to claim any existing Security Group if the Security Group was available in Guardrails CMDB and the stack's Source policy included the Terraform plan for the Security Group. This is fixed and stack control will now be able to claim existing Security Groups correctly. Please note that this fix will only work for workspaces on TE v5.42.2 or higher. - Guardrails stack controls would sometimes fail to update Security Groups and Security Group Rules if the Terraform plan in the stack's source policy included changes to attributes which force replaced the resource. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.2 or higher.

aws-ec2 v5.35.0 - Fixed Schedule control behavior to not start/stop an instance if it were stopped/started manually outside of the control

Fri, 15 Sep 2023 09:00:00 GMT

_What's new?_ - Policy Types: - AWS > EC2 > Instance > Schedule Tag > Name _Bug fixes_ - After starting/stopping an instance successfully, the `AWS > EC2 > Instance > Schedule` control would try and perform the same start/stop action again if the state of the instance was changed outside of the control within 1 hour of the successful start/stop run. This is fixed and the control will now not trigger a start/stop action again for a minimum of 1 hour of the previous successful run.

Turbot Guardrails Enterprise Foundation (TEF) v1.52.0 - Hive manager now includes access grant for public schema for Postgres 15

Thu, 14 Sep 2023 09:00:00 GMT

_What's new?_ - Updated: Hive manager code to include access grant for public schema for postgres 15.

Turbot Guardrails Enterprise (TE) v5.42.2 - Bugs Squashed - Create workspaces on fresh PostgreSQL 15 installations, removed support for vm2 node package; and more

Thu, 14 Sep 2023 09:00:00 GMT

_What's new?_ - Server: - Updated: Now supports creating multiple AKAs starting with arn, azure, and gcp via APIs. - Updated: Add mod version check for workspace upgrade. _Bug fixes_ - Server: - Fixed: Ensure successful workspace creation on fresh PostgreSQL 15 installations. - Fixed: The stack should claim the Security Group (SG) or Security Group Rule (SGR) if the resource already exists. - Removed: vm2 node package.

azure-network v5.15.0 - Added new Resource Types for Express Route Circuits

Thu, 14 Sep 2023 09:00:00 GMT

_What's new?_ - Resource Types: - Azure > Network > Express Route Circuits - Control Types: - Azure > Network > Express Route Circuits > Active - Azure > Network > Express Route Circuits > Approved - Azure > Network > Express Route Circuits > CMDB - Azure > Network > Express Route Circuits > Discovery - Azure > Network > Express Route Circuits > Tags - Policy Types: - Azure > Network > Express Route Circuits > Active - Azure > Network > Express Route Circuits > Active > Age - Azure > Network > Express Route Circuits > Active > Last Modified - Azure > Network > Express Route Circuits > Approved - Azure > Network > Express Route Circuits > Approved > Custom - Azure > Network > Express Route Circuits > Approved > Regions - Azure > Network > Express Route Circuits > Approved > Usage - Azure > Network > Express Route Circuits > CMDB - Azure > Network > Express Route Circuits > Regions - Azure > Network > Express Route Circuits > Tags - Azure > Network > Express Route Circuits > Tags > Template - Action Types: - Azure > Network > Express Route Circuits > Delete - Azure > Network > Express Route Circuits > Router - Azure > Network > Express Route Circuits > Set Tags

aws-iam v5.32.0 - Added support to delete Login Profiles for IAM Users

Mon, 11 Sep 2023 09:00:00 GMT

_What's new?_ Users can now delete Login Profiles for IAM Users. - Control Types: - AWS > IAM > User > Login Profile - Policy Types: - AWS > IAM > User > Login Profile - Action Types: - AWS > IAM > User > Delete Login Profile

azure-network v5.14.0 - Added new Resource Types for Private DNS Zones and Private Endpoints

Wed, 06 Sep 2023 09:00:00 GMT

_What's new?_ - Resource Types: - Azure > Network > Private DNS Zones - Azure > Network > Private Endpoints - Control Types: - Azure > Network > Private DNS Zones > Active - Azure > Network > Private DNS Zones > Approved - Azure > Network > Private DNS Zones > CMDB - Azure > Network > Private DNS Zones > Discovery - Azure > Network > Private DNS Zones > Tags - Azure > Network > Private Endpoints > Active - Azure > Network > Private Endpoints > Approved - Azure > Network > Private Endpoints > CMDB - Azure > Network > Private Endpoints > Discovery - Azure > Network > Private Endpoints > Tags - Policy Types: - Azure > Network > Private DNS Zones > Active - Azure > Network > Private DNS Zones > Active > Age - Azure > Network > Private DNS Zones > Active > Last Modified - Azure > Network > Private DNS Zones > Approved - Azure > Network > Private DNS Zones > Approved > Custom - Azure > Network > Private DNS Zones > Approved > Usage - Azure > Network > Private DNS Zones > CMDB - Azure > Network > Private DNS Zones > Tags - Azure > Network > Private DNS Zones > Tags > Template - Azure > Network > Private Endpoints > Active - Azure > Network > Private Endpoints > Active > Age - Azure > Network > Private Endpoints > Active > Last Modified - Azure > Network > Private Endpoints > Approved - Azure > Network > Private Endpoints > Approved > Custom - Azure > Network > Private Endpoints > Approved > Regions - Azure > Network > Private Endpoints > Approved > Usage - Azure > Network > Private Endpoints > CMDB - Azure > Network > Private Endpoints > Regions - Azure > Network > Private Endpoints > Tags - Azure > Network > Private Endpoints > Tags > Template - Action Types: - Azure > Network > Private DNS Zones > Delete - Azure > Network > Private DNS Zones > Router - Azure > Network > Private DNS Zones > Set Tags - Azure > Network > Private Endpoints > Delete - Azure > Network > Private Endpoints > Router - Azure > Network > Private Endpoints > Set Tags

aws v5.27.2 - Fine-tuned the internals and smoothed out some wrinkles

Wed, 06 Sep 2023 09:00:00 GMT

_Bug fixes_ - A few policy values would sometimes fail to evaluate correctly if the mod was installed on TE v5.42.1. We've fixed this issue and such policy values will now be evaluated correctly.

aws v5.27.1 - Added support for AWS S3 Multi-Region Access Poin real-time events

Wed, 06 Sep 2023 09:00:00 GMT

_Bug fixes_ - The `AWS > Turbot > Event Handlers` now support real-time events for AWS S3 Multi-Region Access Point.

aws-multiregionaccesspoint v5.0.0 is now available

Wed, 06 Sep 2023 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > S3 > Multi-Region Access Point - Control Types: - AWS > S3 > Multi-Region Access Point > Active - AWS > S3 > Multi-Region Access Point > Approved - AWS > S3 > Multi-Region Access Point > CMDB - AWS > S3 > Multi-Region Access Point > Discovery - AWS > S3 > Multi-Region Access Point > Usage - Policy Types: - AWS > S3 > Multi-Region Access Point > Active - AWS > S3 > Multi-Region Access Point > Active > Age - AWS > S3 > Multi-Region Access Point > Active > Budget - AWS > S3 > Multi-Region Access Point > Active > Last Modified - AWS > S3 > Multi-Region Access Point > Approved - AWS > S3 > Multi-Region Access Point > Approved > Budget - AWS > S3 > Multi-Region Access Point > Approved > Custom - AWS > S3 > Multi-Region Access Point > Approved > Usage - AWS > S3 > Multi-Region Access Point > CMDB - AWS > S3 > Multi-Region Access Point > Usage - AWS > S3 > Multi-Region Access Point > Usage > Limit - AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-s3multiregionaccesspoint - Action Types: - AWS > S3 > Multi-Region Access Point > Delete - AWS > S3 > Multi-Region Access Point > Delete from AWS - AWS > S3 > Multi-Region Access Point > Router - AWS > S3 > Multi-Region Access Point > Skip alarm for Active control - AWS > S3 > Multi-Region Access Point > Skip alarm for Active control [90 days] - AWS > S3 > Multi-Region Access Point > Skip alarm for Approved control - AWS > S3 > Multi-Region Access Point > Skip alarm for Approved control [90 days]

aws-s3 v5.22.0 - New Multi Region Access Point Routes permissions

Wed, 06 Sep 2023 09:00:00 GMT

_What's new?_ - `AWS/S3/Admin` and `AWS/S3/Metadata` now include permissions for Multi-Region Access Point Routes.

aws-efs v5.7.0 - Lambda runtimes now powered by Node 18

Fri, 01 Sep 2023 09:00:00 GMT

_What's new?_ - We've updated the runtime for lambda functions in the aws-efs mod to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.

aws-config v5.8.0 - New Approved > Custom policies and Quick Actions for Cofigurations Recorder, Delivery Channel and Rule

Fri, 01 Sep 2023 09:00:00 GMT

_What's new?_ - We've updated the runtime for lambda functions in the aws-config mod to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before. - Policy Types: - AWS > Config > Configuration Recorder > Approved > Custom - AWS > Config > Delivery Channel > Approved > Custom - AWS > Config > Rule > Approved > Custom - Action Types - AWS > Config > Configuration Recorder > Skip alarm for Active control - AWS > Config > Configuration Recorder > Skip alarm for Active control [90 days] - AWS > Config > Configuration Recorder > Skip alarm for Approved control - AWS > Config > Configuration Recorder > Skip alarm for Approved control [90 days] - AWS > Config > Delivery Channel > Skip alarm for Active control - AWS > Config > Delivery Channel > Skip alarm for Active control [90 days] - AWS > Config > Delivery Channel > Skip alarm for Approved control - AWS > Config > Delivery Channel > Skip alarm for Approved control [90 days] - AWS > Config > Rule > Skip alarm for Active control - AWS > Config > Rule > Skip alarm for Active control [90 days] - AWS > Config > Rule > Skip alarm for Approved control - AWS > Config > Rule > Skip alarm for Approved control [90 days]

aws-cloudtrail v5.10.0 - Lambda runtimes now powered by Node 18

Thu, 31 Aug 2023 09:00:00 GMT

_What's new?_ - We've updated the runtime for lambda functions in the [aws-cloudtrail](https://turbot.com/guardrails/docs/mods/aws/aws-cloudtrail#5100-2023-08-31) mod to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

aws-elasticinference v5.0.0 is now available

Fri, 25 Aug 2023 09:00:00 GMT

_What's new?_ - Resource Types: - AWS > Elastic Inference - Policy Types: - AWS > Elastic Inference > API Enabled - AWS > Elastic Inference > Approved Regions [Default] - AWS > Elastic Inference > Enabled - AWS > Elastic Inference > Permissions - AWS > Elastic Inference > Permissions > Levels - AWS > Elastic Inference > Permissions > Levels > Modifiers - AWS > Elastic Inference > Permissions > Lockdown - AWS > Elastic Inference > Permissions > Lockdown > API Boundary - AWS > Elastic Inference > Regions - AWS > Elastic Inference > Tags Template [Default] - AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-elasticinference - AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-elasticinference - AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-elasticinference - AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-elasticinference

Turbot Guardrails Enterprise (TE) v5.42.1 - Replaced vm2 with eval for inline and trustedInline execution of policies, controls, and actions; and more

Thu, 24 Aug 2023 09:00:00 GMT

_What's new?_ - Server: - Cloudwatch dashboard query for View AWS External Messages by AWS Account ID and Events to exclude restriction on AWS. - Allow sending notifications for same state change. - Replaced vm2 with eval for inline and trustedInline execution of policies, controls, and actions.

gcp-oauth v5.1.0 - New oauthconfig:* permissions

Thu, 24 Aug 2023 09:00:00 GMT

_What's new?_ - `GCP/OAuth/Admin` and `GCP/OAuth/Metadata` now also include `oauthconfig:*` permissions. Click [here](https://turbot.com/guardrails/docs/mods/gcp/gcp-oauth#510-2023-08-24) for more details.

Turbot Guardrails Enterprise Foundation (TEF) v1.51.0 - Restrict untrusted code upload to Guardrails

Mon, 14 Aug 2023 09:00:00 GMT

_What's new?_ - Added: Parameter for restricting untrusted code upload to Turbot Guardrails. - Removed: Alb Waf support.

Turbot Guardrails Enterprise (TE) v5.42.0 - Revamping Workflow - Introducing Workers, SQS and SNS for Stack Efficiency

Mon, 14 Aug 2023 09:00:00 GMT

_What's new?_ - Server: - Added: worker, sqs queue, sns topic for factory. - Updated: Allow upload of mod based on the value of TURBOT_CUSTOM_MOD_UPLOAD. - Added: Environment variable for custom mod upload. - Removed: Support for ALB WAF. _Bug fixes_ - Server: - Stack will not fail to delete and recreate resources. _Requirements_ - TEF: 1.51.0

Turbot Guardrails Enterprise Database (TED) v1.35.0 - Added support for multiple Postgres versions

Thu, 10 Aug 2023 09:00:00 GMT

_What's new?_ - Added: Postgres version 11.19, 11.20, 12.14, 12.15, 13.10, 13.11, 14.8, 15.2 and 15.3.

Turbot Guardrails Enterprise (TE) v5.41.1 - Bugs Squashed - Attach/Detach Actor Info & Redis Dependent Notifications Fix; and more

Wed, 02 Aug 2023 09:00:00 GMT

_What's new?_ - UI - Added: Inactive Users report. _Bug fixes_ - Server: - The actor information for attach and detach smart folder. - Disable notification feature if Redis is not being used.

Turbot Guardrails Enterprise Foundation (TEF) v1.50.0 - Added support for Factory worker

Thu, 27 Jul 2023 09:00:00 GMT

_What's new?_ - Added: Support for Factory worker. - Updated: Descriptions and names to Turbot Guardrails Enterprise Foundation from Turbot Enterprise Foundation.

Turbot Guardrails Enterprise Database (TED) v1.34.0

Thu, 27 Jul 2023 09:00:00 GMT

_What's new?_ - Updated: descriptions and names from Turbot Enterprise Database to Turbot Guardrails Enterprise Database.

Turbot Guardrails Enterprise (TE) v5.41.0 - Notifying Made Easy - Control/Action Updates via Slack, Teams, and Email

Thu, 27 Jul 2023 09:00:00 GMT

_What's new?_ - Server: - Added: Added support for control/action update notifications. - Added: Support for interface in control types. - Added: Turbot Installation Type environment variable. - Added: SES SendEmail permission to Worker Lambda Role. - Added: Add notification index to improve performance of notifications. - Updated: Improve policy value create/update with a more efficient database design. - Updated: Description of TE stack from Turbot Enterprise to Turbot Guardrails Enterprise. - Updated: @slack/web-api to 6.8.1. @wry/equality to 0.5.6. anymatch to 3.1.3. archiver to 5.3.1. body-parser to 1.20.2. chai to 4.3.7. chokidar to 3.5.3. classnames to 2.3.2. cli-progress to 3.12.0. copy-to-clipboard to 3.3.3. dataloader to 2.2.2. diff to 5.1.0. express to 4.18.2. generate-password to 1.7.0. graphql-2-json-schema to 0.10.0. http-status-codes to 2.2.0. lodash-match-pattern to 2.3.1. micromatch to 4.0.5. mockserver-client to 5.15.0. moment-timezone to 0.5.43. nconf to 0.12.0. nodemailer to 6.9.2. nunjucks to 3.2.4. passport to 0.6.0. pg to 8.10.0. performant-array-to-tree to 1.11.0. prismjs to 1.29.0. prompt to 1.3.0. prompts to 2.4.2. recursive-readdir to 2.2.3. redux to 4.2.1. resolve to 1.22.2. semver to 7.5.1. simple-git to 3.18.0. unzipper to 0.10.14. uri-js to 4.4.1. vm2 to 3.9.19 and other dev dependencies. Removed aws-appsync and aws-xray-sdk. ioredis to 5.3.1. - UI - Updated: Updated new login logo and home page logo. - Updated: Turbot directory should be created in guardrails.turbot.com. - Updated: Turbot directory SSO login should be redirected to there respective guardrails domain. _Note_ IAM change in this release: - Updated worker lambda to include SES SendEmail permissions.

Turbot Guardrails CLI v1.29.0

Thu, 27 Jul 2023 09:00:00 GMT

_What's new?_ - Rebrand to Turbot Guardrails CLI. We recommend using the new guardrails registries `guardrails.turbot.com`, `guardrails.turbot-stg.com` or `guardrails.turbot-dev.com` to publish a guardrails mod. To maintain compatibility, none of the existing commands have changed, your existing configuration and commands will continue to work as before.

turbot v5.45.0 - Added Policy to set process retention in cache

Sat, 22 Jul 2023 09:00:00 GMT

_What's new?_ - Policy Types: - Turbot > Workspace > Retention > Process Cache Retention. - Resource Types: - `Smart Folders` are now called `Policy Packs`. _Requirements_ - TE: 5.35.4

Terraform Provider v1.10.0 is now available

Fri, 07 Jul 2023 09:00:00 GMT

v1.10.0 of the [Terraform Provider for Guardrails](https://registry.terraform.io/providers/turbot/turbot/1.10.0) is now available. _Documentation_ Rebrand to Turbot Guardrails provider. Resource and data source names in this provider have not changed to maintain compatibility. Existing templates will continue to work as-is without need to change anything.

Turbot Guardrails Enterprise (TE) v5.40.11

Wed, 05 Jul 2023 09:00:00 GMT

_What's new?_ - Fixed: Resource details are now correctly included when doing a csv download of the `Resources Deleted by Turbot` report. _Requires_ - [TEF v1.49.0](https://turbot.com/v5/docs/releases/tef#v1490-2023-03-30) _Container Info_ - Ubuntu: [`22.04`, `jammy-20230425`](https://hub.docker.com/layers/library/ubuntu/22.04/images/sha256-ca5534a51dd04bbcebe9b23ba05f389466cf0c190f1f8f182d7eea92a9671d00) - Alpine: [`3.17.3`](https://hub.docker.com/layers/library/alpine/3.17.3/images/sha256-b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d)

turbot v5.44.1 - Improved pattern validation for Slack webhook URL in Rule-Based Routing policy for notifications

Sat, 24 Jun 2023 09:00:00 GMT

_Bug fixes_ - Policy Types: - Improved pattern validation for `slackWebhookUrl` in `Turbot > Notifications > Rule-Based Routing` policy. _Requirements_ - TE: 5.35.4

Turbot Guardrails Enterprise (TE) v5.40.8

Fri, 23 Jun 2023 09:00:00 GMT

_What's new?_ - Added: Tagging details now included in CSV download for GCP Compute Engine VM Instances, Azure Compute Virtual Machines, Azure Compute Disks and EBS Volumes report. - Added: New filters for Turbot Files and Smart Folders in the resource browser. - Updated: Editing a Turbot File via the UI no longer requires the resource AKA to be specified. - Fixed: Resource deletion will no longer trigger an increase the count of active controls. _Requires_ - TEF v1.49.0 _Container Info_ - Ubuntu: [`22.04`, `jammy-20230425`](https://hub.docker.com/layers/library/ubuntu/22.04/images/sha256-ca5534a51dd04bbcebe9b23ba05f389466cf0c190f1f8f182d7eea92a9671d00) - Alpine: [`3.17.3`](https://hub.docker.com/layers/library/alpine/3.17.3/images/sha256-b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d)

Turbot Guardrails Enterprise (TE) v5.40.10

Fri, 23 Jun 2023 09:00:00 GMT

_What's new?_ - Added: Quick actions are now available for users that only have permission at the account level. - Fixed: The resource import page will now function correctly if the AWS mod is not installed. - Fixed: Resource deletion will no longer trigger an increase the count of active controls. _Requires_ - TEF v1.49.0 _Container Info_ - Ubuntu: [`22.04`, `jammy-20230425`](https://hub.docker.com/layers/library/ubuntu/22.04/images/sha256-ca5534a51dd04bbcebe9b23ba05f389466cf0c190f1f8f182d7eea92a9671d00) - Alpine: [`3.17.3`](https://hub.docker.com/layers/library/alpine/3.17.3/images/sha256-b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d)

Turbot Guardrails Enterprise Database (TED) v1.33.0

Fri, 16 Jun 2023 09:00:00 GMT

_What's new?_ - Added: Postgres version 14.6 and 14.7.

turbot v5.44.0 - Added Policy to store and manage outbound CIDR ranges for Lambda functions, ensuring secure connectivity with external applications

Sat, 10 Jun 2023 09:00:00 GMT

_What's new?_ - Policy Types: - Turbot > Workspace > Outbound CIDR Ranges _Requirements_ - TE: 5.35.4

Turbot Guardrails Enterprise (TE) v5.40.7

Mon, 15 May 2023 09:00:00 GMT

_What's new?_ - Added: Ability to specify AKA when creating Turbot File. - Updated: Turbot explorer search will show results for Smart Folders and Turbot Files. - Fixed: Terraform stack control should not end in error if the data size for command is too large. - Fixed: Turbot actions will now be visible for users with grants at the cloud account level. _Enterprise_ - Updated: Added debug statements for createGrant mutations. _Requires_ - TEF v1.49.0 _Container Info_ - Ubuntu: [`22.04`, `jammy-20230425`](https://hub.docker.com/layers/library/ubuntu/22.04/images/sha256-ca5534a51dd04bbcebe9b23ba05f389466cf0c190f1f8f182d7eea92a9671d00) - Alpine: [`3.17.3`](https://hub.docker.com/layers/library/alpine/3.17.3/images/sha256-b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d)

Turbot Guardrails Enterprise (TE) v5.40.6

Mon, 15 May 2023 09:00:00 GMT

_Enterprise_ - Changed: Removed long debug statements from stack controls to improve performance of large stacks. - Added: Additional logging information emmited while preparing stack container. _Requires_ - TEF v1.49.0 _Container Info_ - Ubuntu: [`22.04`, `jammy-20230425`](https://hub.docker.com/layers/library/ubuntu/22.04/images/sha256-ca5534a51dd04bbcebe9b23ba05f389466cf0c190f1f8f182d7eea92a9671d00?context=explore) - Alpine: [`3.17.3`](https://hub.docker.com/layers/library/alpine/3.17.3/images/sha256-b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d?context=explore)

Turbot Guardrails Enterprise (TE) v5.40.5

Tue, 09 May 2023 09:00:00 GMT

_What's new?_ - Fixed: Smart retention controls are now a bit smarter. _Enterprise_ - Updated: Resource policy of Events SQS queues now require encryption in transit. - Updated: Resource policy of Events SNS topics now require encryption in transit. _Requires_ - TEF v1.49.0 _Container Info_ - Ubuntu `22.04`, `jammy-20230425` - Alpine: `3.18.0` -

Turbot Guardrails Enterprise (TE) v5.40.4

Thu, 04 May 2023 09:00:00 GMT

_What's new?_ - Added: debug statement for Smart Retention control. _Requires_ - TEF v1.49.0

Turbot Guardrails Enterprise (TE) v5.40.3

Thu, 13 Apr 2023 09:00:00 GMT

# Server _What's new?_ - Added support for version `v5.10.0` of the Turbot IAM mod. - Fixed: Adding grants to group profile now works as expected. _Requires_ - TEF v1.49.0

Turbot Guardrails Enterprise Foundation (TEF) v1.49.0

Thu, 30 Mar 2023 09:00:00 GMT

_What's new?_ - Added: New parameter that allows selection of the TLS policy for application load balancers.

Turbot Guardrails Enterprise Database (TED) v1.32.0

Thu, 30 Mar 2023 09:00:00 GMT

_What's new?_ - Added: Parameter to manage KMS Key for RDS Performance Insights.

Turbot Guardrails Enterprise (TE) v5.40.2

Thu, 30 Mar 2023 09:00:00 GMT

_What's new?_ - Updated: Accounts Summary Report now includes resource AKA(s) in the CSV output. - Updated: The Turbot auth token cookie `SameSite` configuration to `strict`. - Updated: The policy setting page to now render HTML content as string. _Enterprise_ - Added: Parameter for TLS Policy for ALB HTTPS Listener. - Added: Rate limits to the login directories APIs. _Requires_ - TEF v1.49.0

Turbot Guardrails Enterprise Database (TED) v1.31.0

Wed, 22 Mar 2023 09:00:00 GMT

Turbot Guardrails Enterprise (TE) v5.40.1

Wed, 22 Mar 2023 09:00:00 GMT

_What's new?_ - Added: AWS Lambda Functions report. - Updated: Turbot will now use AWS Terraform provider version `3.75.0` when `Turbot > Stack Terraform Version [Default]` is set to `0.15.*` _Bug fixes_ - Fixed: Timestamp display in the console now updates correctly for recently deleted mods. - Fixed: When an `Action` fails due to cloud provider throttling, Turbot will now reschedule the control that triggered the action, those actions should now be more consistently applied under heavy loads. _Note_ AWS IAM permissions change in this release: - Updated: Worker Lambda to include Elasticache permissions to support the `Turbot > Cache > Health Check` control. - Updated: Hive Manager no longer manages the authentication configuration for ElastiCache. This responsibility has shifted to Turbot Guardrails Enterprise Database. -

Turbot Guardrails Enterprise Foundation (TEF) v1.48.0

Tue, 21 Mar 2023 09:00:00 GMT

_What's new?_ - Added: Parameter to modify Lambda trigger concurrency.

turbot v5.43.0 - Unused `Turbot > Type Installed > Background Tasks` is now removed

Sun, 05 Mar 2023 09:00:00 GMT

_What's new?_ - Control Types: - Unused `Turbot > Type Installed > Background Tasks` is now removed _Requirements_ - TE: 5.35.4

Turbot Guardrails Enterprise Foundation (TEF) v1.47.0

Wed, 01 Mar 2023 09:00:00 GMT

_What's new?_ - Added: New parameter for attaching a custom security group to each ECS host. - Added: New parameter for attaching a custom security group to the TE ALB. Requires TE > `v5.40.0`. - Added: Option added to enable IMDSv2 for ECS hosts. - Added: New parameters to specify the size and type of EBS volumes attached to ECS Hosts. - Added: New parameter to specify a port for outbound SMTP (if needed). - Updated: The `db_pair` security group now includes Elasticache rules, when Elasticache is enabled. _Deprecation_ - As a result of this change to the `db_pair` security group, the Elasticache `cache_pair` security group is no longer required. It will be removed in a future release.

Turbot Guardrails Enterprise (TE) v5.40.0

Wed, 01 Mar 2023 09:00:00 GMT

_Bug fixes_ - Fixed: Improved handling of HTTP "Too Many Requests" (429) errors. _Enterprise_ - Updated: TE Management Lambdas, and ECS Containers will be deployed with the NodeJS 16.x runtime. This change is independent of Mod Lambda runtime versions. - Added: If specified in TEF, a custom security group may be assigned to the TE ALB. _Requires_ - TEF v1.47.0

Turbot Guardrails Enterprise Foundation (TEF) v1.46.0

Thu, 09 Feb 2023 09:00:00 GMT

_What's new?_ - Added: Parameter to modify Lambda trigger concurrency

Turbot Guardrails Enterprise (TE) v5.39.12

Thu, 09 Feb 2023 09:00:00 GMT

_Enterprise_ - Added: Parameter for Lambda trigger concurrency. _Requires_ TEF: v1.46.0 TED: v1.9.1

Turbot Guardrails Enterprise Foundation (TEF) v1.45.0

Thu, 02 Feb 2023 09:00:00 GMT

_What's new?_ - Added: SSM parameter for events DLQ and worker retry reserved concurrency.

Turbot Guardrails Enterprise (TE) v5.39.11

Thu, 02 Feb 2023 09:00:00 GMT

_Bug fixes_ - Fixed: Issue that could prevent indexes from being recreated after being dropped. - Fixed: Issue with safeGet() function that could prevent reports from rendering in the UI. - Fixed: Ansible task and service now created correctly created for Ansible version `2.10.7`. _Enterprise_ - Added: Support for trigger concurrency in worker and events lamda functions. _Requires_ TEF: v1.45.0 TED: v1.9.1

Turbot Guardrails Enterprise Foundation (TEF) v1.44.0

Thu, 19 Jan 2023 09:00:00 GMT

_What's new?_ - New: Turbot's autoscale group configuration has switched from `launch templates` to `launch configurations`. - Added: Parameter to select Lambda function runtime version. - Added: Encryption in transit policy for SNS topics and SQS queues. - Updated: Changed EBS volume storage type to `gp3`. -

Turbot Guardrails Enterprise (TE) v5.39.10

Tue, 17 Jan 2023 09:00:00 GMT

_What's new?_ - Fixed: Activity page should display `alternatePersona` in the actor field if available. _Bug fixes_ - Fixed: AWS EC2 Instance report now runs more reliably. - Updated: Improved the performance of the Activity page. _Enterprise_ - Added: Encryption in transit policy for SNS topics and SQS queues in the Turbot Master account. - Updated: Removed the deleted control historical records from control_usage table. - Updated: `vm2` package to 3.9.11 in the ECS containers. -

Turbot Guardrails Enterprise (TE) v5.39.9

Mon, 19 Dec 2022 09:00:00 GMT

_What's new?_ - Added: Support to import Azure China Cloud subscriptions. - Added: Support for Azure China Cloud endpoints. _Bug fixes_ - Updated: Increased reliability of policy value application when attaching a smartfolder. _Enterprise_ - Updated: Removed Xray configuration from Postgres pool, as it was not being used. - Updated: vm2 in main package.json updated to 3.9.11. - Updated: Maintenance container base image to node:14-alpine3.17. _Requires_ TEF: v1.42.1 TED: v1.9.1

Turbot Guardrails Enterprise Database (TED) v1.28.0

Fri, 09 Dec 2022 09:00:00 GMT

_What's new?_ - Added: Support for Postgres versions: 13.8, 14.1, 14.2, 14.3, 14.4, 14.5. - Added: Support for Redis 7.0. - Added: Support for RDS gp3 disk types.

Turbot Guardrails CLI v1.28.6

Tue, 29 Nov 2022 09:00:00 GMT

_Bug fixes_ - Add role as a valid level to generate temporary credentials for roles.

Turbot Guardrails Enterprise (TE) v5.39.8

Wed, 23 Nov 2022 09:00:00 GMT

_Bug fixes_ - Updated: Query for resource notifications to improve performance when using the `Activity` sub-tab on the resource page. - Updated: Improved logic used to determine when to run maintenance control for stale policy values. - Updated: Mod install controlls will now use the standard worker queue instead of worker_priority queue to allow other actions to take priority during mod installs. _Enterprise_ - Updated: Updated Ubuntu vm2 package to version 3.9.11. to resolve CVE-2022-36067. - Updated: Message retetion period of events priority queue changed to 96 hours. _Requires_ TEF: v1.42.1 TED: v1.9.1

Turbot Guardrails Enterprise Foundation (TEF) v1.43.0

Wed, 16 Nov 2022 09:00:00 GMT

_What's new?_ - Added: support for TLS 1.2 for API Gateway

Turbot Guardrails Enterprise (TE) v5.39.7

Tue, 08 Nov 2022 09:00:00 GMT

_Bug fixes_ - Added: Btree aka index for akas_history and akas table. The Activity Tab should show improved performance. _Requires_ TEF: v1.42.1 TED: v1.9.1

Turbot Guardrails Enterprise (TE) v5.39.6

Tue, 25 Oct 2022 09:00:00 GMT

_Bug fixes_ - Fixed: Downloading the csv for EC2 > Instance > Report should not fail. _Enterprise_ - Added: ability to run async/callback in control's `inline`. - Added: Ability to move control to priority queue. - Updated: mute noisy log if unable to get process log data from S3. _Requires_ TEF: v1.42.1 TED: v1.9.1

Turbot Guardrails Enterprise Database (TED) v1.27.0

Thu, 06 Oct 2022 09:00:00 GMT

_What's new?_ - Added: Postgres version 13.7 to RDS engine parameter. - Added: Tags to elasticache resources.

Turbot Guardrails Enterprise (TE) v5.39.5

Tue, 06 Sep 2022 09:00:00 GMT

_Bug fixes_ - Updated: Local Profiles and Group Profiles filter now use free text search instead of akas matches. - Updated: Installing a mod using the CLI now runs faster, reducing the likelyhood of a timeout. - Fixed: Quick actions menu will no longer show actions from child resources. _Enterprise_ - Added: Support for workspace URL in Turbot > Workspace > Workspace URL policy. _Requires_ TEF: v1.42.1 TED: v1.9.1

Turbot Guardrails Enterprise Foundation (TEF) v1.42.0

Thu, 25 Aug 2022 09:00:00 GMT

_What's new?_ - Added: SSM parameter for Process Log Fallback Bucket.

Turbot Guardrails Enterprise (TE) v5.39.4

Thu, 25 Aug 2022 09:00:00 GMT

_Bug fixes_ - Fixed: Resolved issue where EC2 instance report would fail to run. - Fixed: Permissions summary report now works for users without permissions at the root level. _Enterprise_ - Added: allow an alternative process log bucket to be provided to read from an older bucket. - Updated: Ansible container base image to Ubuntu 22.10 (Kinetic Kudu) - Updated: Ansible version to 2.10.7 - Updated: Docker base images of API and Factory to ubuntu 22. _Requires_ TEF: v1.42.1 TED: v1.9.1

Turbot Guardrails Enterprise (TE) v5.39.3

Mon, 08 Aug 2022 09:00:00 GMT

_Bug fixes_ - Fixed: Apollo UI behaves properly when setting backoff interval of an action. - Fixed: Actor display information will now fallback to `unidentified` if persona and identity are not available. - Updated: UI will now use the actor information of the process (if supplied) for Policy Setting CRUD operations. - Updated: Action runs now carry the identity of its launcher. This changes the way notifications are presented. Previously notifications from an action showed as `Unidentified`, now they will carry the identity of the launcher, most of the time this will be the Turbot identity unless the action is launched by a user from Turbot UI. _Enterprise_ - Updated: Linux Environment control to support version 3 of SELinux Python bindings

Turbot Guardrails Enterprise (TE) v5.39.2

Wed, 27 Jul 2022 09:00:00 GMT

_Enterprise_ - Updated: Improved Ansible container error handling _UI_ - Added: Mutation resolver for quick action and steampipe query in the developer tab. - Added: Add support to execute quick action via URL.

Turbot Guardrails Enterprise (TE) v5.39.1

Wed, 13 Jul 2022 09:00:00 GMT

_Enterprise_ - Fixed: Control type should only trigger the control if there is a change in graphql/inline/function.

Turbot Guardrails Enterprise (TE) v5.39.0

Tue, 05 Jul 2022 09:00:00 GMT

_What's new?_ - New Feature: Quick Actions - Updated: graphiql to 1.4.5 _Quick Actions_ Quick Actions is a new feature that allows Turbot users to initaite specific (one time) control enforcements on their cloud environment via the Turbot UI. Cloud operations teams can use Quick Actions to remediate cloud configuration issues (e.g. enable encryption on a resource) or snooze Turbot alarms for issues that we want to come back to later. More [details in the documentation](#). Quick actions will be rolling out across all supported cloud services in the coming months (based on your feedback); this initial release covers resources in the following AWS mods: - cloudtrail - ec2 - kms - lambda - rds - s3 - sns - sqs - vpc _Disabling the Quick Actions feature_ - Quick Actions use the permissions granted to the Turbot service user or cross-account role used to import your cloud service account into Turbot. Execution of quick actions will fail if the underlying role prevents those actions from occuring. - The Quick Actions feature is disabled by default, but can easily be enabled via the `Turbot > Quick Actions > Enabled` policy. If you would like to prevent lower level Turbot administrators from enabling Quick Actions for their cloud service accounts, then make sure you set `Turbot > Quick Actions > Enabled` to `Disabled` at the Turbot level using the `Required` option. - The policy `Turbot > Quick Actions > Permission Levels` offers fine-grained control over which Turbot permission levels are required to execute specific quick actions. These permission limits can be set globally and specific exceptions can be managed down to the individual cloud service account level. _Enterprise_ - Split package dependencies between Server and UI so they can use independent versions of GraphQL.

Turbot Guardrails CLI v1.28.5

Thu, 30 Jun 2022 09:00:00 GMT

_Bug fixes_ - CLI failed to download latest mod versions automatically for mods with version < 5.0.0. - `turbot completion` command was displayed twice on running `turbot help`.

Turbot Guardrails CLI v1.28.4

Tue, 07 Jun 2022 09:00:00 GMT

_Bug fixes_ - CLI failed to install dependencies for a mod with more than 26 dependencies.

Turbot Guardrails Enterprise Foundation (TEF) v1.41.0

Mon, 06 Jun 2022 09:00:00 GMT

_What's new?_ - Added: new IAM permissions for Mod Lambda to publish messages to the Priority Events queue. - Added: parameter for Worker Priority and Events Tick Lambda Reserved Concurrency. - Added: EC2 ECS host recycling using parameter. _Bug fixes_ - Fixed: ECS Rolling update. - Fixed: Condition of Foundation Key to prevent its creation if TEFKmsKey parameter value is specified. ### There are IAM changes in this release: - New IAM permissions for Mod Lambda to publish messages to the Priority Events queue. - New IAM roles for ECS Rolling Update.

Turbot Guardrails Enterprise Database (TED) v1.26.0

Wed, 18 May 2022 09:00:00 GMT

_What's new?_ - Updated: GovCloud certificate to rds-ca-rsa4096-g1.

Turbot Guardrails Enterprise Foundation (TEF) v1.40.0

Fri, 29 Apr 2022 09:00:00 GMT

_What's new?_ - Added: Parameter to limit the URL where the API Gateway Lambda can forward to. This should be a regular expression of valid workspace URLs. - Updated: `TEF KMS Key` parameter name changed to `TEF KMS Key Arn`. - Updated: Enforce HTTPS access for S3 buckets created by TEF.

Turbot Guardrails Enterprise Database (TED) v1.25.0

Fri, 29 Apr 2022 09:00:00 GMT

_What's new?_ - Updated: Enforce HTTPS access for S3 buckets created by TED. - Added: Postgres versions 11.12, 11.13, 11.14, 11.15, 12.7, 12.8, 12.9, 12.10, 13.3, 13.4, 13.5 and 13.6.

Turbot Guardrails Enterprise Foundation (TEF) v1.39.1

Fri, 08 Apr 2022 09:00:00 GMT

_What's new?_ - Added: Parameter for Alb WAF option. (Default is disabled) - Added: Parameter for Mods Cleanup.

Turbot Guardrails Enterprise Database (TED) v1.30.0

Tue, 01 Mar 2022 09:00:00 GMT

_What's new?_ - Updated: Moved management of the Elasticache user group to CloudFormation instead of the Hive Manager lambda. It is no longer necessary to update the Redis access control groups after making changes to the Redis cluster. ## 1.30.0 [2022-03-01] _What's new?_ - Updated: Elasticache now uses the `db_pair` security group from TEF 1.47.0. - Fixed: The Cloudformation Hive custom resource used to depend on Elasticache when it shouldn't have in environments without Elasticache deployed. _Deprecation_ - As a result of this change to the `db_pair` security group, the Elasticache `cache_pair` security group is no longer required. It will be removed in a future release. _Requirements_ - TEF v1.47.0

Turbot Guardrails Enterprise Foundation (TEF) v1.38.0

Mon, 28 Feb 2022 09:00:00 GMT

_What's new?_ - Added: Parameters for Api and Events Container Scaling metrics, and threshold values for CPU Utilization. - Added: Parameter to allow import of Foundation KMS Key. - Updated: Set DeletionPolicy of FoundationKey to Retain.

Turbot Guardrails Enterprise Foundation (TEF) v1.37.0

Fri, 11 Feb 2022 09:00:00 GMT

_What's new?_ - Added: Parameters for ECS Factory Task hard limit and soft limit on memory.

Turbot Guardrails Enterprise Foundation (TEF) v1.36.0

Mon, 07 Feb 2022 09:00:00 GMT

_Warning_ - There are IAM changes in this release. _What's new?_ - Updated: Condition for HiveManagerExecutionRole. - Updated: TurbotParameters and TurbotSnsSqsPolicyParameterLambda to include variables for Proxy setting. - Removed: MskManagerExecutionRole role from custom iam role template.

Turbot Guardrails Enterprise Database (TED) v1.24.0

Mon, 07 Feb 2022 09:00:00 GMT

_What's new?_ - Added: Postgres version 13.5 to RDS engine parameter. - Fixed: Replication group setting to enable Data Tiering for r6gd node type.

Turbot Guardrails Enterprise Database (TED) v1.29.0

Wed, 02 Feb 2022 09:00:00 GMT

_What's new?_ - Added: Postgres version 12.11 and 12.12. - Updated: PerformanceInsights description. - Updated: Default storage type to `gp3`. [More info on using gp3](enterprise/FAQ/general-purpose-gp3) - Updated: Hive custom resource depends on to include Elasticache cluster and parameter group and add ParameterDeploymentTrigger.

Turbot Guardrails Enterprise Database (TED) v1.23.0

Tue, 04 Jan 2022 09:00:00 GMT

_What's new?_ - Added: r6gd node type option for Elasticache.

Turbot Guardrails Enterprise Database (TED) v1.22.2

Thu, 25 Nov 2021 09:00:00 GMT

_What's new?_ - Updated: Backup Service Role to include kms Grant permissions for CopyDBSnapshot operation.

Turbot Guardrails Enterprise Database (TED) v1.22.1

Wed, 03 Nov 2021 09:00:00 GMT

_What's new?_ - Updated: Backup Service Role to include kms permissions.

Turbot Guardrails Enterprise Foundation (TEF) v1.35.0

Fri, 22 Oct 2021 09:00:00 GMT

_What's new?_ - Added: VPC Endpoint for s3 to reduce NAT Gateway cost. - Updated: API and Events container scaling by replacing hardcoded values with parameters. - Updated: Outbound, Api and Database security groups so that they are created for Predefined VPC if custom security groups are not mentioned. - Updated: default value of LogRetentionDays parameter changed to 180.

Turbot Guardrails Enterprise Database (TED) v1.22.0

Fri, 22 Oct 2021 09:00:00 GMT

_What's new?_ - Added: Postgres version 13.3, 13.4 to RDS engine parameter. - Fixed: Cloudwatch alarms to use correct db identifier when hive name has \_ in it. - Updated: Default database system backup to 7 days. - Updated: AWS Backup Service role to allow copying of RDS snapshots. - Updated: Cloudwatch alarms for ElastiCache SwapUsage and DatabaseMemoryUsagePercentage for multi-node architectures. - Updated: Dashboard to move read-replica stats to right axis and that of primary to the left. - Updated: Dashboard to add Total IOPS metrics.

Turbot Guardrails Enterprise Foundation (TEF) v1.34.1

Fri, 02 Jul 2021 09:00:00 GMT

_Warning_ - There are IAM changes in this release for the `turbot_policy_parameter`. _Bug fixes_ - TE Build ID was misconfigured causing TEF to build unsuccessfully, this has now been corrected and TEF builds as expected.

Turbot Guardrails Enterprise Database (TED) v1.21.1

Fri, 25 Jun 2021 09:00:00 GMT

_What's new?_ - Minimum DB size is now 50GB, default size is 200GB. _Requirements_ - TEF v1.31.2

Turbot Guardrails Enterprise Foundation (TEF) v1.34.0

Wed, 16 Jun 2021 09:00:00 GMT

_Warning_ - There are IAM changes in this release for the `turbot_policy_parameter`. _What's new?_ - Turbot Security Group is added and includes rules for Ansible and LDAP. The security group is intended for additional rules to be added under feature flags. Note: the existing LDAP and Ansible security groups will remain for older TE versions. - Dashboard for ECS Cluster metrics is now added. - Autoscaling parameters were added for the Events Service. - ElastiCache Security Groups and Subnet Groups are now added to the overrides template. - TEF Workspace Manager now prevents users from changing the workspace name. - OSGuardrail parameter location from Advanced - OS Guardrails to Advanced - Deployment Group. - `turbot_parameters` and `turbot_policy_parameter` lambda functions now include VPC config. - `turbot_policy_parameter` IAM Role now includes EC2 network interfaces policy. - Improved input validation to not allow blank values.

Turbot Guardrails Enterprise Database (TED) v1.21.0

Wed, 16 Jun 2021 09:00:00 GMT

_What's new?_ - CloudWatch Alarms and Dashboards are added for ElastiCache SwapUsage and DatabaseMemoryUsagePercentage. - ElastiCache Instance Type can now be specified in the template. - Read replica parameter default is now set to false. _Requirements_ - TEF v1.31.2

Turbot Guardrails Enterprise Database (TED) v1.20.1

Thu, 06 May 2021 09:00:00 GMT

_What's new?_ - DB parameter group support for 11.10, 11.11, 12.6 and 13.2. - Postgres version 13.2 is now the default selection. _Requirements_ - TEF v1.31.2

Turbot Guardrails Enterprise Database (TED) v1.20.0

Wed, 28 Apr 2021 09:00:00 GMT

_What's new?_ - Shared_buffers parameter added for DB parameter group. - Postgres version 13.1 is now the default selection. - Postgres wal_keep_size default size is now 2048 (RDS Postgres default). - Turbot database default size is now 250GB. - Storage autoscale threshold default is now 1TB. For new TED installations only! _Requirements_ - TEF v1.31.2

Turbot Guardrails CLI v1.28.3

Thu, 15 Apr 2021 09:00:00 GMT

_Bug fixes_ - Invalid module reference fixed - this was causing `turbot template build` to fail.

Turbot Guardrails CLI v1.28.2

Tue, 13 Apr 2021 09:00:00 GMT

_Bug fixes_ - `template build` was loading the lock-file from the base branch to determine the current template version. When using a work-in-progress (wip) branch, this could lead to identifying an incorrect current version, leading to rebasing errors. Fix by loading the lock file from the wip branch.

Turbot Guardrails Enterprise Foundation (TEF) v1.33.0

Fri, 02 Apr 2021 09:00:00 GMT

_What's new?_ - S3 bucket lifecycle rule added to the mods processing log bucket. - Optional AWS Security Group added to be used for connecting to LDAP server. - S3 inventory reports will no longer generate in the TEF Process Logs bucket. - Updated process log bucket lifecycle configurations to remove /debug/ rules. - Runtime has been updated to Node 14 for all Turbot Core deployed Lambda functions.

Turbot Guardrails Enterprise Database (TED) v1.19.0

Fri, 02 Apr 2021 09:00:00 GMT

_What's new?_ - Postgres version 13.1. For new TED installations only! - ElastiCache replication groups now support multi nodes.cluster mode. _Bug fixes_ - Hive Log Bucket lifecycle configurations now delete all objects. _Requirements_ - TEF v1.31.2

Turbot Guardrails Enterprise Database (TED) v1.18.1

Mon, 08 Mar 2021 09:00:00 GMT

_Bug fixes_ - Dependency issue with the HiveKey. _Requirements_ - TEF v1.31.2

Turbot Guardrails Enterprise Foundation (TEF) v1.32.0

Thu, 04 Mar 2021 09:00:00 GMT

_What's new?_ * OSGuardrails feature flag, adding security groups and SSM parameters as required. * HealthCheckProxyLambda runtime updated from 2.7 to 3.8.

Turbot Guardrails Enterprise Database (TED) v1.18.0

Thu, 04 Mar 2021 09:00:00 GMT

_What's new?_ - Postgres version 12.5. **For new TED installations only!** - Parameter Group support for both 11.x and 12.x. _Bug fixes_ - Cache cluster parameter passed to Hive Manager should also convert underscore to hyphen. - Allow default encryption for ElastiCache for use in GovCloud (which does not support CMK). _Requirements_ - TEF v1.31.2

Turbot Guardrails CLI v1.28.1

Thu, 04 Mar 2021 09:00:00 GMT

_Bug fixes_ - Fixed CLI packaging error required for proper v1.28.0 installation.

Turbot Guardrails CLI v1.28.0

Wed, 03 Mar 2021 09:00:00 GMT

_Bug fixes_ - `turbot template build` now cleans up branches after a rebase failure.

Turbot Guardrails Enterprise Foundation (TEF) v1.31.3

Thu, 28 Jan 2021 09:00:00 GMT

_Warning_ * IAM permissions updated in v1.31.0. _Bug fixes_ * Fix and republish a corrupt portfolio build artifact.

Turbot Guardrails Enterprise Database (TED) v1.17.2

Thu, 28 Jan 2021 09:00:00 GMT

_Bug fixes_ - AWS Backup Vault name format issue. _Requirements_ - TEF v1.31.2

Turbot Guardrails Enterprise Foundation (TEF) v1.31.2

Wed, 27 Jan 2021 09:00:00 GMT

_Warning_ * IAM permissions updated in v1.31.0. _Bug fixes_ * Hive Manager should convert underscore to hyphen when creating Redis group (from TE).

Turbot Guardrails Enterprise Foundation (TEF) v1.31.1

Mon, 25 Jan 2021 09:00:00 GMT

_Warning_ * IAM permissions updated in v1.31.0. _Bug fixes_ * Hive Manager should convert underscore to hyphen when creating Redis user (from TE).

Turbot Guardrails Enterprise Database (TED) v1.17.1

Mon, 25 Jan 2021 09:00:00 GMT

_Bug fixes_ - ElastiCache Redis cluster name should convert underscores to hyphens. _Requirements_ - TEF v1.31.2

Turbot Guardrails Enterprise Foundation (TEF) v1.31.0

Fri, 22 Jan 2021 09:00:00 GMT

_Warning_ * IAM permissions updated. _What's new?_ * ElastiCache Redis is now enabled by default. * Parameters - Mod Lambda function limits. * Parameters - Worker Lambda configuration, allowing reuse across TE versions. * CloudWatch Alarms for SQS ApproximateAgeOfOldestMessage.

Turbot Guardrails Enterprise Database (TED) v1.17.0

Fri, 22 Jan 2021 09:00:00 GMT

_What's new?_ - ElastiCache Redis is now enabled by default. _Bug fixes_ - Postgres 11.9 is now available for the read replica as well. - ElastiCache Redis cluster should be created with the hive name rather than just resource name prefix. - AWS Backup Vault deletion policy is now set to retain. _Requirements_ - TEF v1.31.2

Turbot Guardrails CLI v1.27.0

Mon, 07 Dec 2020 09:00:00 GMT

_What's new?_ - `turbot template build --rebase` command now cleans up the work in progress branch if the template render fails. _Bug fixes_ - `turbot template build --rebase` command was failing to re-apply manual changes. - `turbot template build --fleet-mode` would stop building all branches if a single one failed.

Turbot Guardrails Enterprise Foundation (TEF) v1.30.1

Thu, 26 Nov 2020 09:00:00 GMT

_Bug fixes_ - Fixed: Code of s3BucketArnLambda to fix s3 permission.

Turbot Guardrails Enterprise Foundation (TEF) v1.30.0

Fri, 20 Nov 2020 09:00:00 GMT

_What's new?_ * Hive Manager and Workspace Manager runtime updated to node 12. _Bug fixes_ * Install Hive Manager in all regions, not just the Alpha region.

Turbot Guardrails Enterprise Database (TED) v1.15.0

Fri, 20 Nov 2020 09:00:00 GMT

_What's new?_ - Added latest RDS DB instance types. - Experimental ElastiCache: Configure use of Redis 6.x Access Control Lists. - Experimental ElastiCache: Also install Hive Manager in the replica region, for Redis management. _Requirements_ - TEF v1.30.0

Turbot Guardrails Enterprise Foundation (TEF) v1.29.0

Thu, 12 Nov 2020 09:00:00 GMT

_Warning_ * IAM permissions updated. _What's new?_ * New `turbot_transient` KMS key specifically used for encryption of transient data (e.g. SNS, SQS). * Tightened IAM access policies to Turbot's own S3 buckets. * Hive Manager is now permitted IAM access to manage ElastiCache. * Added ListBucket permission to WorkspaceManager role so head object calls will return 404 instead of 403. _Bug fixes_ * Event Proxy Lambda must be installed in the subnet where Load Balancers are installed (by TE).

Turbot Guardrails CLI v1.26.0

Thu, 12 Nov 2020 09:00:00 GMT

_What's new?_ - `turbot compose` (used by all CLI commands that compose mods) now omits the `releaseNotes` field from `turbot.head.json`. It is still included in `turbot.dist.json`. - `turbot template` has a new `--unchanged-issue ` argument. When a template build operation commits changes to git, if no files have actually changed then the commit message will use this issue instead of the normal `--issue ` field. The commit message will also specify "no changes".

Turbot Guardrails CLI v1.25.0

Mon, 02 Nov 2020 09:00:00 GMT

_What's new?_ - `turbot publish` has a new `--timeout ` argument to customize the publish timeout. The default has been increased to 2 minutes. - Use `turbot template build --issue 1234 --close-issue` will set the commit message to close the issue. _Bug fixes_ - `turbot test` should not fail with the the error `TypeError: tmod.parse is not a function`.

Turbot Guardrails Enterprise Foundation (TEF) v1.28.0

Mon, 26 Oct 2020 09:00:00 GMT

_Warning_ * IAM permissions updated. _What's new?_ * Further refined our IAM permissions for S3 bucket access, with a focus on removing more wildcards. It was already good, but now it's better. _Bug fixes_ * Made the ElastiCache network infrastructure optional through `Development Mode`. It was harmless, but not necessary unless ElastiCache is enabled in TED. * Moved policy parameter role into the IAM stacks, where it belongs.

Turbot Guardrails Enterprise Database (TED) v1.14.2

Fri, 23 Oct 2020 09:00:00 GMT

_Bug fixes_ - Databases should never automatically upgrade their minor or major versions. Doing so takes the database out of sync with the CloudFormation stack, leading to upgrade rollbacks. We've deliberately removed these options and set the auto-update to false. _Requirements_ - TEF v1.25.0

Turbot Guardrails CLI v1.24.3

Fri, 23 Oct 2020 09:00:00 GMT

_Bug fixes_ - `turbot template build --patch --push-instance-root` command failed to push changes to the wip branch.

Turbot Guardrails Enterprise Database (TED) v1.14.1

Wed, 21 Oct 2020 09:00:00 GMT

_What's new?_ - Changes to the Turbot audit trail log group in v1.14.0 forced a name change, which is difficult for customers with integrations. This version removes that requirement, so existing installs keep their original log group name. _Bug fixes_ - Required TEF version dropped back down to TEF v1.25.0. v1.27.0 is only required if you are setting up the experimental ElastiCache features. _Requirements_ - TEF v1.25.0

Turbot Guardrails Enterprise Foundation (TEF) v1.27.0

Wed, 14 Oct 2020 09:00:00 GMT

_What's new?_ * Reclaimed the `ECSDesiredInstanceCount` parameter, which now defaults to using `ECSMinInstanceCount` instead. This frees up a precious parameter slot for other options. * Added the `DevelopmentMode` parameter for internal use, which groups options like using the latest container image (instead of cached). * For environments with ElastiCache enabled in TED, cache subnet group and security groups have been added.

Turbot Guardrails Enterprise Database (TED) v1.14.0

Wed, 14 Oct 2020 09:00:00 GMT

_What's new?_ - The deletion policy for the DB Parameter Group is now set to Retain. - New installations will now add the stack ID to the audit trail log group, making it easier to re-install TED multiple times in testing / setup. - New `ExperimentalFeatures` flag, allowing gradual introduction of new capabilities. The first one is installation of ElastiCache preparing for future use in TE. _Requirements_ - TEF v1.27.0

Turbot Guardrails CLI v1.24.2

Wed, 07 Oct 2020 09:00:00 GMT

_Bug fixes_ - `turbot pack` and `turbot publish` were failing to run pre-pack script when `--dir` arg is used.

Turbot Guardrails CLI v1.24.1

Tue, 06 Oct 2020 09:00:00 GMT

_Bug fixes_ - `turbot inspect` should give a clear error message for invalid templates.

Turbot Guardrails CLI v1.24.0

Mon, 05 Oct 2020 09:00:00 GMT

_Bug fixes_ - `turbot inspect --format changelog` should properly escape CSV fields with commas.

Turbot Guardrails Enterprise Foundation (TEF) v1.26.3

Thu, 01 Oct 2020 09:00:00 GMT

_Bug fixes_ * Error handling in workspace pre-install checker.

Turbot Guardrails Enterprise Foundation (TEF) v1.26.2

Thu, 01 Oct 2020 09:00:00 GMT

_Bug fixes_ * Error handling in workspace pre-install checker.

Turbot Guardrails Enterprise Foundation (TEF) v1.26.1

Wed, 30 Sep 2020 09:00:00 GMT

_Bug fixes_ * ECS Agent should attempt to use the locally cached image, which dramatically reduces disk IO and download bandwidth. * Upgrade via CloudFormation had a race condition in our custom resource Lambda functions that could be triggered when doing a large number of upgrades or rollbacks in parallel.

Turbot Guardrails Enterprise Foundation (TEF) v1.26.0

Thu, 24 Sep 2020 09:00:00 GMT

_Bug fixes_ * When a custom outbound access security group is specified in the TEF template do not create the {prefix}\_outbound\_internet\_security\_group or the {prefix}\_{version}\_outbound\_internet\_security\_group.

Turbot Guardrails Enterprise Foundation (TEF) v1.25.0

Tue, 22 Sep 2020 09:00:00 GMT

_What's new?_ * Ability to restrict SNS topic and SQS queue access based on Organization Id.

Turbot Guardrails Enterprise Database (TED) v1.13.0

Tue, 22 Sep 2020 09:00:00 GMT

- Added: support to restrict access to SNS topic and SQS queue based on the Organization Id. _Requirements_ - TEF v1.25.0

Turbot Guardrails Enterprise Database (TED) v1.12.0

Mon, 21 Sep 2020 09:00:00 GMT

_What's new?_ - Added: Encryption to SNS Topic for Dashboard. - Updated: TED Stack - changed R/W IOPS metrics from line to stacked area, changed Transaction ID Wraparound Monitor threshold to 2 billion. - Fixed: Description and Typo (Duraction to Duration, Actiond to Action). _Requirements_ - TEF v1.22.1

Turbot Guardrails CLI v1.23.0

Fri, 18 Sep 2020 09:00:00 GMT

_What's new?_ - `turbot install` - checks if a compatible version of each dependency is already installed. If so, it is does not install from the registry unless there is a newer version available. - `turbot template build --rebase` rebuilds templates while using rebase to better merge and preserve custom changes to the rendered files since the last build.

Turbot Guardrails CLI v1.22.0

Mon, 07 Sep 2020 09:00:00 GMT

_What's new?_ - Show a progress bar during long running operations.

Turbot Guardrails Enterprise Foundation (TEF) v1.24.0

Fri, 21 Aug 2020 09:00:00 GMT

_Warning_ * IAM permissions updated. _Bug fixes_ * The (optional) API Gateway to proxy external events to the internal Turbot load balancer was returning error codes (5xx) all queries even though it worked successfully. This could lead to retries of the message (which were not processed due to our duplicate detection). Errors in both the event handler and the health check have been cleared.

Turbot Guardrails CLI v1.21.0

Thu, 20 Aug 2020 09:00:00 GMT

_What's new?_ - Improved error messages for failed queries like authentication, network connectivity, etc. - Update credentials precedence to prioritise specific credentials (key, secretKey and workspace) over profile. _Bug fixes_ - `turbot configure` fails when no command line credentials arguments are given but they set in environment - `turbot workspace list` should ignore `TURBOT_PROFILE` env var and only filter profiles if one is given in command line. - `turbot download` should fall back to use the production registry if the user is not logged in.

Turbot Guardrails CLI v1.20.1

Fri, 31 Jul 2020 09:00:00 GMT

_Bug fixes_ - Exceptions from the pre-pack script in `turbot pack` were not caught and reported correctly.

Turbot Guardrails CLI v1.20.0

Thu, 30 Jul 2020 09:00:00 GMT

_What's new?_ - Improved error messages for `turbot pack`, `turbot up` and `turbot publish` for faster troubleshooting. _Bug fixes_ - `turbot graphql` queries for `control`, `policy-value`, etc were not properly handling the `--resource-id` and `--resource-aka` arguments.

Turbot Guardrails CLI v1.19.3

Thu, 30 Jul 2020 09:00:00 GMT

_Bug fixes_ - `turbot configure` was failing for some Windows users when used in interactive mode.

Turbot Guardrails Enterprise Foundation (TEF) v1.23.0

Wed, 22 Jul 2020 09:00:00 GMT

_What's new?_ * Updated Workspace Manager permissions for SSM policy lookups and reading S3 data for access to the TE workspace manager Lambda results.

Turbot Guardrails CLI v1.19.2

Mon, 20 Jul 2020 09:00:00 GMT

_Bug fixes_ - `turbot configure` was always failing validation when using interactive mode to enter credentials.

Turbot Guardrails CLI v1.19.1

Mon, 20 Jul 2020 09:00:00 GMT

_Bug fixes_ - `turbot install [mod]` was not working. You can now install specific mods as expected.

Turbot Guardrails CLI v1.19.0

Thu, 16 Jul 2020 09:00:00 GMT

_What's new?_ - Use `turbot install [mod[@version]]` to install a specific mod as a local dependency. - Credentials passed to `turbot workspace configure` are now validated before saving, so you can be confident they are good to go.

Turbot Guardrails CLI v1.18.1

Fri, 10 Jul 2020 09:00:00 GMT

_What's new?_ - Use `turbot workspace list` to see a list of your currently configured workspaces. - `turbot workspace configure` added, with the same behavior as `turbot configure`. _Bug fixes_ - `turbot test` was failing for some GCP controls due to an update in the GCP auth library package. This has been fixed.

Turbot Guardrails CLI v1.18.0

Fri, 10 Jul 2020 09:00:00 GMT

_See v1.18.1_

Turbot Guardrails Enterprise Foundation (TEF) v1.22.1

Tue, 07 Jul 2020 09:00:00 GMT

_Bug fixes_ * As part of preparing for connection pooling, the hive manager included steps to initialize multiple database roles. These are not yet in use so have been removed.

Turbot Guardrails Enterprise Database (TED) v1.11.0

Tue, 07 Jul 2020 09:00:00 GMT

_What's new?_ - As part of preparing for connection pooling, the hive manager included steps to initialize multiple database roles. These are not yet in use so have been removed. _Requirements_ - TEF v1.22.1

Turbot Guardrails Enterprise Foundation (TEF) v1.22.0

Mon, 06 Jul 2020 09:00:00 GMT

_What's new?_ * The default browser facing security group (used by the load balancer) is now open on port 80, so HTTP traffic can be automatically redirected to HTTPS at the load balancer level. * Expanded EC2 instance type options, and changed the default to `t3.medium`. * Changed the default maximum limit for ECS hosts from 64 to a more sensible, but still generous, 8. * Further restricted permissions to EC2 hosts, limiting the accessible resources as much as possible.

Turbot Guardrails Enterprise Foundation (TEF) v1.21.0

Fri, 19 Jun 2020 09:00:00 GMT

_What's new?_ * Introducing a new parameter model in TEF, allowing parameter "overrides" to be optionally set in SSM. Turbot creates default parameters, but will automatically detect any overrides you create during the stack run. This allows us to expand beyond the 60 parameter limit of CloudFormation. * Each Turbot version installs minimal IAM policies and roles specific to its requirements. Some customers prefer more control over IAM management, so we now support BYO-IAM with parameters for all IAM entities required in the Turbot primary account. * Added parameters to optionally set the `ALB Log Prefix` and `ALB Idle Timeout`. * TEF will now perform a rolling update of the EC2 hosts if required due to launch configuration changes, ensuring no downtime during upgrades. * Allow preinstall check Lambda function to use VPC from non-VPC setting.

Turbot Guardrails Enterprise Database (TED) v1.10.0

Fri, 19 Jun 2020 09:00:00 GMT

_What's new?_ - Parameter groups created in GovCloud do not support newer parameters, unless a new parameter group is created (Note: AWS Commerical accounts were not affected by this). This blocks some existing customers from upgrading their TED stack. Because parameter group changes require a reboot (downtime), and most customers do not require this change, we've made it an optional parameter in the stack to force the change as required. - Default storage allocation for new installs is now 1TB (up from 100GB). _Requirements_ - TEF v1.19.1

Turbot Guardrails Enterprise Foundation (TEF) v1.20.0

Fri, 29 May 2020 09:00:00 GMT

_What's new?_ * Added `169.254.170.2` to the default `NO_PROXY` parameter. This is required for stack containers to execute in some proxy environments.

Turbot Guardrails CLI v1.17.3

Thu, 21 May 2020 09:00:00 GMT

_Bug fixes_ - `turbot install` was attempting to install the latest version, which would fail if that version was not available or recommended. It will now install the latest recommended version, or if none are recommended, the latest available version.

Turbot Guardrails Enterprise Foundation (TEF) v1.19.1

Wed, 20 May 2020 09:00:00 GMT

_Bug fixes_ * Network Interface permissions added in v1.19.0 are low risk, but have been tightened further to only be granted in environments running Lambda inside the VPC.

Turbot Guardrails Enterprise Database (TED) v1.9.1

Tue, 19 May 2020 09:00:00 GMT

_Bug fixes_ - v1.9.0 introduced a mix of names between `preinstall` and `preinstallation` which felt messy. This patch release brought to you by our clean up crew. _Requirements_ - TEF v1.19.1

Turbot Guardrails Enterprise Foundation (TEF) v1.19.0

Mon, 18 May 2020 09:00:00 GMT

_What's new?_ * TED and TE are being enhanced to automatically check that their required versions of TEF and TED are installed. The Lambda function they use for that check (custom resource during the CloudFormation stack run) is deployed in TEF, and added in this release. * Turbot Guardrails Enterprise uses a lot of Lambda functions to execute mod code. For organizations who prefer more visibility into network traffic, we're adding support to run these functions inside the VPC. This version of TEF expands the IAM permissions granted to Lambda functions with the minimum required to attach Network Interface cards.

Turbot Guardrails Enterprise Database (TED) v1.9.0

Mon, 18 May 2020 09:00:00 GMT

_What's new?_ - TED now automatically checks the required TEF version is installed. If not, the TED stack will automatically rollback allowing you to upgrade TEF first. _Requirements_ - TEF v1.19.1

Turbot Guardrails Enterprise Foundation (TEF) v1.18.1

Thu, 14 May 2020 09:00:00 GMT

_What's new?_ * `Flags` parameter now has validation rules and defaults to `NONE` (CloudFormation does not like empty string defaults for SSM parameters).

Turbot Guardrails Enterprise Foundation (TEF) v1.18.0

Thu, 14 May 2020 09:00:00 GMT

_What's new?_ * `Flags` parameter will allow features to be enabled or disabled at the installation level giving us more flexibility to innovate and gradually deploy features.

Turbot Guardrails Enterprise Database (TED) v1.8.0

Thu, 14 May 2020 09:00:00 GMT

_Warning_ - The default for `TrackFunctions` in v1.7.0 was `pl`. Consider changing this to `none` (the new, more common, default in v1.8.0) if you don't require that tracking. _What's new?_ - Process log data collected by Turbot is being moved into TED level management. This better aligns with our model of data separation and encryption. This version adds S3 buckets with encryption and lifecycle rules to start accepting that (and other future) data. - If the master password is an empty string then Turbot will reset it automatically when required. The default was previously blank, requiring the parameter to be set (even if to empty string). This was difficult to understand and implement for those automating TED configuration. We now default to the empty string. - Added new DB instance size option of `m5.8xlarge`. _Bug fixes_ - Resource names related to metric collection, alarms and dashboards have been updated to use the ResourceName prefix. This aligns them with all other TED resources and makes it easier to track or target them with local rules.

Turbot Guardrails Enterprise Foundation (TEF) v1.17.0

Tue, 12 May 2020 09:00:00 GMT

_What's new?_ * Moved to ECS optimized Amazon Linux 2 as our host OS for containers. (Previously we used ECS optimized Amazon Linux 1.) * Expanded proxy server support, particularly through the ECS bootstrap sequence. We now support HTTP and HTTPS requests being routed to a `http://` proxy for all traffic - no need for endpoints or similar in any case. (We do not yet support custom certificates and `https://` proxies.) * TEF now publishes an SSM parameter with the currently installed version, which will be used in the future to check version compatibility during TED and TE upgrades.

Turbot Guardrails CLI v1.17.2

Mon, 11 May 2020 09:00:00 GMT

_Bug fixes_ - The build of v1.17.1 was not properly published, leading to confusion and mixed installs. This release is identical, but properly distributed.

Turbot Guardrails CLI v1.17.1

Thu, 07 May 2020 09:00:00 GMT

_Bug fixes_ - Remove the explicit default value for `force-recommended` as this causes issues when using the yargs `conflicts` parameter.

Turbot Guardrails CLI v1.17.0

Thu, 07 May 2020 09:00:00 GMT

_What's new?_ - Mod authors often want to set their new version as `RECOMMENDED` in the registry, telling users it's the best choice. Use `turbot publish --force-recommended` and `turbot modify --force-recommended` to mark this version as `RECOMMENDED` and set all currently recommended versions to `AVAILABLE`. _Bug fixes_ - `turbot test` was showing incorrect test data validation errors, due to a graphql schema change that had not been handled by the CLI.

Turbot Guardrails Enterprise Foundation (TEF) v1.16.0

Tue, 05 May 2020 09:00:00 GMT

_What's new?_ * `Allow Self-Signed Certificate` parameter, instructing Turbot to ignore certificate errors when connecting to external services - for example - enterprise environments with an outbound internet proxy. * S3 bucket inventory has been enabled, setting us up for future batch operations on collections of log files. * Updated lifecycle rules to clean deleted versions of debug logs and match changes to the prefix of log files.

Turbot Guardrails Enterprise Foundation (TEF) v1.15.0

Fri, 01 May 2020 09:00:00 GMT

_What's new?_ * Added a "connectivity test" lambda function, making it easier to verify that an environment has the necessary network setup. Run `${ResourceNamePrefix}_connectivity_checker` manually to test. * Improved descriptions for the Installation Domain and Turbot Certificate ARN parameters.

Turbot Guardrails CLI v1.16.0

Thu, 30 Apr 2020 09:00:00 GMT

_What's new?_ - `turbot inspect` now enforces valid semantic versions in mod version numbers. We admire your creativity, but encourage you to express it elsewhere. _Bug fixes_ - Fixed `turbot up --zip`, which broke during a dependency update.

Turbot Guardrails Enterprise Foundation (TEF) v1.14.0

Fri, 24 Apr 2020 09:00:00 GMT

_What's new?_ * Turbot License Key has been added as a (currently optional) parameter.

Turbot Guardrails CLI v1.15.1

Fri, 24 Apr 2020 09:00:00 GMT

_Bug fixes_ - `turbot login` was failing if the `~/.config` folder did not exist. - `turbot template build` was always expecting a `wip-*` instance branch to exist. It's now correctly limited to runs where `--use-instance-root-branch` is passed.

Turbot Guardrails CLI v1.15.0

Wed, 22 Apr 2020 09:00:00 GMT

_What's new?_ - Proxy support via the `HTTPS_PROXY` environment variable. Login, install mods and publish to our registry all via your favorite proxy. (Provided it's a `http://` proxy, we don't support `https://` yet.)

Turbot Guardrails Enterprise Foundation (TEF) v1.13.0

Fri, 17 Apr 2020 09:00:00 GMT

_What's new?_ * Updates Hive Manager, which includes the ability to convert ownership of database schemas. This is part of a longer term effort to move database ownership to specific turbot roles, reducing our use of the master account.

Turbot Guardrails Enterprise Database (TED) v1.7.0

Fri, 17 Apr 2020 09:00:00 GMT

_What's new?_ - Parameters to set `rds.force_admin_logging_level` and `track_functions`, - Add CloudWatch alarms for DB connections, CPU utilization and free storage alerts. - Added t2.medium and t2.large instance class options, useful in test or dev environments.

Turbot Guardrails CLI v1.14.0

Fri, 17 Apr 2020 09:00:00 GMT

_What's new?_ - Manage published mods in the registry from the CLI, including their status and description. For example `turbot registry modify --mod "@turbot/aws" --mod-version "5.0.0" --status RECOMMENDED --description "updated description"`. - Usually a newly published version should be the recommended one. So now you can do that automatically during `turbot publish` using the `--status RECOMMENDED` flag. - `turbot template build` now supports instance root branch names with a random suffix, following the naming convention: `wip//*`. We've found scheme much more effective at scale. - We now automatically include `RELEASE_NOTES.md` as well as `CHANGELOG.md` when building a mod. Release notes are intended for users while a changelog is intended for developers or others obsessed over details. - `turbot test` validates input query, but only works for a single query (not for the more advanced array of queries syntax). Previously the test would always fail for an array of queries, so we're now skipping the test in these cases until it can be fully supported. _Bug fixes_ - `turbot publish --dir ` did not work if run outside the mod folder - the function zips were not correctly created.

Turbot Guardrails CLI v1.13.0

Mon, 06 Apr 2020 09:00:00 GMT

What's new?_ - Registry login using `turbot login` (and similar) now requires both `--username` and `--password` or neither. They just can't live without each other. _Bug fixes_ - `turbot template build --patch` command was failing without running the git command.

Turbot Guardrails Enterprise Foundation (TEF) v1.12.1

Thu, 02 Apr 2020 09:00:00 GMT

_Bug fixes_ * EC2 instances used for ECS should have AssociatePublicIpAddress set to false. This is a defence improvement since our EC2 instances are run in a private VPC so were not publically accessible anyway.

Turbot Guardrails Enterprise Foundation (TEF) v1.12.0

Wed, 01 Apr 2020 09:00:00 GMT

_What's new?_ * Cleanup IAM roles to use `_` consistently in names (instead of mixing `_` and `-` together).

Turbot Guardrails Enterprise Foundation (TEF) v1.11.0

Tue, 31 Mar 2020 09:00:00 GMT

_What's new?_ * Some organizations need to use a self-signed certificate for their ALB. This would fail a certificate check when also using our API Gateway proxy. Use the `Self Signed Certificate In ALB` parameter to ignore these certificate errors. _Bug fixes_ * The IAM role used for ECS EC2 instances is now named consistently with our other IAM roles.

Turbot Guardrails Enterprise Foundation (TEF) v1.10.0

Fri, 27 Mar 2020 09:00:00 GMT

_Warning_ * Existing TEF installations must install v1.9.0 before upgrading to v1.10.0. This sequence will automatically preserve and transition parameter settings for S3 bucket names as we move from fixed names to randomized names by default for new installations. _What's new?_ * Log and process buckets now use a partly random name by default, making new installations smoother and easier to troubleshoot.

Turbot Guardrails Enterprise Foundation (TEF) v1.9.0

Thu, 26 Mar 2020 09:00:00 GMT

_What's new?_ * Optionally use a random name for log and process log buckets, making repeated install and uninstall easier. * Log buckets will now be retained on deletion of the TEF stack.

Turbot Guardrails Enterprise Database (TED) v1.6.1

Tue, 24 Mar 2020 09:00:00 GMT

_Bug fixes_ - The SNS topic name for CPU alarms was not consistent with our other resources. Now it is.

Turbot Guardrails Enterprise Foundation (TEF) v1.8.0

Mon, 23 Mar 2020 09:00:00 GMT

_What's new?_ * Setup an S3 bucket to store process logs, including lifecycle rules to cleanup debug logs.

Turbot Guardrails Enterprise Database (TED) v1.6.0

Mon, 23 Mar 2020 09:00:00 GMT

_What's new?_ - Alarm levels defined in the dashboard for CPU utilization and free storage, making problem levels clearer. - Dashboard charts are now zero based, as any statistician will tell you they should be. - SNS topic publishing CPU alarms, making it easy to subscribe for alerts.

Turbot Guardrails CLI v1.12.0

Thu, 19 Mar 2020 09:00:00 GMT

_What's new?_ - In `turbot compose` the `+schema` directive can now map from openApi format schema to valid JSON schema. _Bug fixes_ - `turbot template build` fleet operations were failing due to an error displaying the summary. This has been fixed.

Turbot Guardrails Enterprise Foundation (TEF) v1.7.0

Tue, 17 Mar 2020 09:00:00 GMT

_What's new?_ * Turbot Hive Manager lambda now has permission to create encrypted SSM parameters, required by TED v1.5.0.

Turbot Guardrails Enterprise Database (TED) v1.5.0

Tue, 17 Mar 2020 09:00:00 GMT

_Warning_ - Requires TEF v1.7.0 or later. _What's new?_ - Parameter to set the maintenance window. - Parameter to set a Customer Managed Key for encryption. - Parameter to set the turbot master password. If blank, the master password is automatically reset. _Bug fixes_ - Auto scaling of storage for the read replicas outside the primary region.

Turbot Guardrails CLI v1.11.0

Thu, 12 Mar 2020 09:00:00 GMT

_What's new?_ - Use `turbot test` to check GraphQL mutations (e.g. `updatePolicySetting`) are called as expected from controls. - `turbot compose` no longer errors when a glob matches no source files.

Turbot Guardrails Enterprise Foundation (TEF) v1.6.0

Mon, 09 Mar 2020 09:00:00 GMT

_Warning_ * Security access from the load balancer to ECS has changed from requiring port 8443 to requiring the full high port range of 32768-65535. This allows us to run ECS in bridge mode and efficiently reuse IP addresses across Turbot core containers. * The outbound security group now allows port 80 outbound by default. This makes cloud-init in the ECS optimized image run much faster than only providing port 443 outbound. * If you are upgrading from a previous TEF version, you will need to make the modifications listed below: * Add ports 32768-65535 to the `Load Balancer Security Group` OUTBOUND to the `API Security Group` * Add ports 32768-65535 to the `API Security Group` INBOUND from the `Load Balancer Security Group` * Add port 80 to the `Outbound Internet Security Group` OUTBOUND to `0.0.0.0/0` _What's new?_ * Use ECS on EC2 (instead of Fargate) to accelerate container startup time (particularly for stacks), increase cost efficiency at scale, and prepare for wider container use at the core level.

Turbot Guardrails Enterprise Foundation (TEF) v1.5.0

Thu, 05 Mar 2020 09:00:00 GMT

_What's new?_ * Workspace manager creation of turbot.com directories updated to use a server name (instead of a phase).

Turbot Guardrails CLI v1.10.0

Wed, 04 Mar 2020 09:00:00 GMT

Turbot Guardrails CLI v1.9.0

Wed, 26 Feb 2020 09:00:00 GMT

_What's new?_ - A new directive, `+schema` has been added for `turbot compose`. This allows you to include a specific item from a schema file, including all definitions which are referenced. - `turbot template build` will now run even if there are changes on the local branch, if neither the `--use-fleet-branch` or `--use-instance-root-branch` arguments are set. This is useful when running building templates for the first time with local config updated but not committed.

Turbot Guardrails CLI v1.8.0

Mon, 24 Feb 2020 09:00:00 GMT

_What's new?_ - `turbot inspect --format changelog` now includes the uri of each control, policy, resource and action item. _Bug fixes_ - `turbot up` was broken in 1.7.0. This has been fixed. - `turbot pack` and `turbot publish` had to be run out of the target mod directory. They can now be run out of any directory by passing the `--dir` flag.

Turbot Guardrails CLI v1.7.0

Sun, 23 Feb 2020 09:00:00 GMT

_What's new?_ - `turbot aws credentials` now supports `--aws-profile `, `--profile ` and `--access-key --secret-key ` combinations. _Bug fixes_ - `turbot test` was doing type coercion of input data before validation. It now expects correct types to be passed, matching the behavior of the Turbot server.

Turbot Guardrails Enterprise Database (TED) v1.4.1

Fri, 21 Feb 2020 09:00:00 GMT

_Bug fixes_ - Auto scaling of storage for the primary read replica.

Turbot Guardrails CLI v1.6.0

Wed, 12 Feb 2020 09:00:00 GMT

_What's new?_ - Use `--no-color` to simplify the output of any command. Sometimes less is more. - `turbot template build --git --branch ` allows you to specify the branch the build operations will be committed onto. - `turbot template build` no longer supports the `--config` flag. Use `template.yml` files instead. _Bug fixes_ - `turbot install` was not downloading files. Now it does. - `turbot template build` was creating `template.yml` files for every template instance. This is noisy and defeats the value of template inheritence, so has been stopped.

Turbot Guardrails CLI v1.5.1

Mon, 10 Feb 2020 09:00:00 GMT

_Bug fixes_ - `turbot template build --git` should checkout the original git branch at the end of the build. Broken in v1.5.0

Turbot Guardrails CLI v1.5.0

Mon, 10 Feb 2020 09:00:00 GMT

_What's new?_ - `turbot template build --git` now skips instances without a template-lock file, which cannot be resolved anyway. _Bug fixes_ - `turbot up` and `turbot publish` were stalling for large mods.

Turbot Guardrails CLI v1.4.1

Fri, 07 Feb 2020 09:00:00 GMT

_Bug fixes_ - `turbot template build --git` should checkout the original git branch at the end of the build. Broken in v1.4.0.

Turbot Guardrails CLI v1.4.0

Thu, 06 Feb 2020 09:00:00 GMT

_What’s new?_ - Clearer reporting of errors when running `turbot template build`. - `turbot template build --fleet-mode` now defaults to `update`, which is almost always the right choice. - When running `turbot template build --git` it is no longer necessary to specify a base git branch, it sensibly assumes you want to use the current branch. - Use `turbot pack --zip-file awesome.zip` to output mods with any name you prefer.

Turbot Guardrails CLI v1.3.1

Wed, 05 Feb 2020 09:00:00 GMT

_Bug fixes_ - `turbot template outdated` fixed to work with specific template definition directories. - Only save successful template operations to the branch when using `turbot template build --git`. Previously we were polluting that goodness with failures as well. - Limit `template-lock.yml` to data that is absolutely necessary, removing noise from change logs. - Disabled `turbot template update`. Please use `turbot template build` instead, as you probably already were.

Turbot Guardrails CLI v1.3.0

Tue, 04 Feb 2020 09:00:00 GMT

_What's new?_ - `turbot inspect --output-format` will now accept either a file path to the template or the template string directly. - Clearer output of the actions taken when running `turbot template build`. - Automatic code merging when doing updates with `turbot template build` will now merge successful changes onto a single branch and write failed patches to the filesystem for easier review.

Turbot Guardrails Enterprise Database (TED) v1.4.0

Mon, 03 Feb 2020 09:00:00 GMT

_What's new?_ - Support customization of parameters for `max_connections`, `deadlock_timeout`, `idle_in_transaction_session_timeout` and `statement_timeout`.

Turbot Guardrails Enterprise Foundation (TEF) v1.4.0

Wed, 22 Jan 2020 09:00:00 GMT

_What's new?_ * Added a lifecycle rule to automatically delete temporary data from S3.

Turbot Guardrails Enterprise Foundation (TEF) v1.3.0

Mon, 20 Jan 2020 09:00:00 GMT

_What's new?_ * Reduced scope of permissions granted to custom mod Lambda functions. These add extra levels of protection and take effect as mods are installed or updated in Turbot v5.5.0 or later.

Turbot Guardrails CLI v1.2.1

Mon, 20 Jan 2020 09:00:00 GMT

_Bug fixes_ - `turbot template build` has a special case "provider" field in the render context. Long term it will be removed. Short term, it should not break for vendor level mods like @turbot/aws or @turbot/linux.

Turbot Guardrails Enterprise Database (TED) v1.3.0

Thu, 16 Jan 2020 09:00:00 GMT

_What's new?_ - `Instance Type for Replica DB` will now default to `Same as Primary DB`, which is a lot easier than having to set and maintain it manually when most of the time they are the same anyway. - Choose a custom master username during install.

Turbot Guardrails CLI v1.2.0

Thu, 16 Jan 2020 09:00:00 GMT

_What's new?_ - View and confirm `turbot template build` actions before they happen. (Add `--yes` to keep the previous behavior.) - Easily review success and failure after running `turbot template build` across many instances. _Bug fixes_ - `turbot download` will now give up gracefully on failed downloads, relieving it of an eternity of failed retries.

Turbot Guardrails Enterprise Database (TED) v1.16.0

Tue, 14 Jan 2020 09:00:00 GMT

_What's new?_ - Option to configure AWS Backup with daily, weekly and/or monthly snapshots of the primary database. - Add Postgres v11.9 to supported versions list. - CloudWatch Alarms added for freeable memory, read replica CPU and queue depth. - RDS disk burst balance metrics added to TED dashboard. - Elasticache metrics added to TED dashboard. - Improve text and limit for Transaction ID Wraparound in TED dashboard. _Requirements_ - TEF v1.30.0

Turbot Guardrails Enterprise Foundation (TEF) v1.2.0

Tue, 14 Jan 2020 09:00:00 GMT

_What's new?_ * Publish the alpha region as an SSM parameter so it can be used as a default in other areas - like TED's default location for the primary DB.

Turbot Guardrails Enterprise Database (TED) v1.2.0

Tue, 14 Jan 2020 09:00:00 GMT

_Warning_ - Requires TEF v1.2.0 or later. - The parameter `Instance Type for Replica DB` is new and must be set during upgrade. (Note: Fixed in v1.3.0 to use `Same as Primary DB` by default.) _What's new?_ - The Turbot Audit Trail is stored in a CloudWatch Log group managed in TED. It will now be retained if the TED stack is deleted, avoiding loss of audit trail data in that rare scenario. - Easily configure auto-scaling of the database storage up to a maximum value. - Read replicas can now have a different instance class to the primary. Typically they have a lower load level, so we've added flexibility to optimize costs. - Default to using the alpha region (as defined in TEF) for primary DB install.

Turbot Guardrails CLI v1.1.1

Mon, 13 Jan 2020 09:00:00 GMT

_Bug fixes_ - Fix `turbot template build` crash added by v1.1.0.

Turbot Guardrails CLI v1.1.0

Mon, 13 Jan 2020 09:00:00 GMT

_What’s new?_ - Use `turbot aws credentials --account 123456789012 --profile my-account` to generate and save temporary AWS credentials into your local AWS profile. Easily work across many AWS accounts using your single Turbot profile. - Filter `turbot template build` to target all instances of a specific template, which is great when you are in the process of converting code to use the template (some code in template management, some still custom). _Bug fixes_ - `turbot test` was broken in v1.0.4 due to a missing dependency. Life is better with friends.

Turbot Guardrails Enterprise Foundation (TEF) v1.1.1

Wed, 08 Jan 2020 09:00:00 GMT

_Bug fixes_ * The Hive Manager and Workspace Manager lambda functions used during the workspace upgrade process were not properly connecting to the database using SSL during initial workspace creation (they were during upgrades). Our change to force SSL on the database in TED revealed this issue, which is now fixed.

Turbot Guardrails Enterprise Database (TED) v1.1.1

Wed, 08 Jan 2020 09:00:00 GMT

_Bug fixes_ - Expanded the list of database instance classes available during install to include older generations (e.g. m3) which are required for AWS us-gov-west-1. - Added the AWS RDS 2017 certificate as an option, since it's uniquely used and required in Gov Cloud installs.

Turbot Guardrails Enterprise Foundation (TEF) v1.1.0

Tue, 07 Jan 2020 09:00:00 GMT

_What's new?_ * TEF version is now published as an output parameter in CloudFormation. (We'd rather that Service Catalog showed this automatically, but there is an AWS quirk that breaks that feature when Service Catalog versions are published using CloudFormation.) * Workspace upgrades may now take up to 15 minutes before timing out. This allows us to run larger data migration jobs during the upgrade process. (Don't worry, we design these to be background tasks that don't affect availability during the upgrade.) * Custom security groups are published as SSM parameters allowing them to be leveraged by the Turbot Guardrails Enterprise CloudFormation stacks to override per-version default security groups. _Bug fixes_ * GovCloud installations require conditions in IAM to match the correct partition `arn:aws-us-gov:`.

Turbot Guardrails Enterprise Database (TED) v1.1.0

Tue, 07 Jan 2020 09:00:00 GMT

_Warning_ - The AWS RDS certificate change requires a database reboot. This may cause a brief impact on availability. Please schedule this change for a suitable window. _What's new?_ - SSL is now required by default for all connections to the database. We used SSL anyway, but now we enforce it at the DB level as an extra precaution. - Upgrade database instances to the AWS RDS 2019 root certificate (their 2015 certificate is expiring soon).

Turbot Guardrails CLI v1.0.4

Tue, 07 Jan 2020 09:00:00 GMT

_Bug fixes_ - `turbot template` should allow rendering of the filename as well as folder names, e.g. `src/{{instance}}/resource/types/{{instance}}.yml`.

Turbot Guardrails CLI v1.0.3

Thu, 19 Dec 2019 09:00:00 GMT

_Bug fixes_ - `test.options` are useful, but not required, so `turbot test` should not crash if they are not set for a test.

Turbot Guardrails CLI v1.0.2

Thu, 19 Dec 2019 09:00:00 GMT

_Bug fixes_ - Registry name validation should work for valid registries like turbot.com. - `turbot test` has a `test.awsProfile` field to set the AWS profile to use when running tests locally. This has been moved into the generic, customizable `test.options.awsProile` location since it's relevant to AWS mods specifically rather than a core feature of Turbot.

Turbot Guardrails Enterprise Foundation (TEF) v1.0.0

Wed, 18 Dec 2019 09:00:00 GMT

_What's new?_ * Initial version. * CloudFormation design for deployment via Service Catalog. * Foundation components: KMS keys, IAM roles, Log groups & buckets. * Network configuration with up to 3 tiers (public, turbot, database) across 3 availability zones in 3 regions. * Automated VPC peering setup across regions. * Subnet Groups and Security Groups for database and cache services. * Optional gateway proxy for external event handling with an internal installation. * Optional BYO network parameters for complex or pre-existing environments.

Turbot Guardrails CLI v1.0.1

Wed, 18 Dec 2019 09:00:00 GMT

_Bug fixes_ - The default registry is now turbot.com. Other development registries have been cleaned up to reduce noise. - Cleaned up available commands and their descriptions.

Turbot Guardrails CLI v1.0.0

Wed, 18 Dec 2019 09:00:00 GMT

_What's new?_ - Easily manage Turbot credentials and profiles. - Run graphql commands in scripts. - Install and inspect mods. - Build, compose & test Turbot mods. - Upload mods to Turbot for internal testing or use. - Publish mods to the Turbot registry for public sharing. - Use templates to accelerate the development of mods.

Turbot Guardrails Enterprise Database (TED) v1.0.0

Wed, 11 Dec 2019 09:00:00 GMT

_What's new?_ - Initial version. - CloudFormation design for deployment via Service Catalog. - CloudFormation stack per hive (physical shard). - Postgres design with primary, failover and regional read replicas. - Encryption at rest for all data. - Custom Resource for automatic database hive configuration.