Bug fixes
- Server
- Added support for OpenTofu 1.x (open-source Terraform) integration via Guardrail.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Server
Activity Retention feature for Smart Retention control to enhance version and data management.
UI
Bug fixes
Server
Notify or Ignore keywords were missing in the notification rules.
UI
+ button for adding permissions now correctly applies the appropriate attributes.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Server
UI
+ sign to grant permissions in the context of both the identity and resource.
Bug fixes
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Server
UI
Import button on the Connect page has been updated to Connect.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Server
UI
Smart Folders are now called Policy Packs.
Policy Packs from UI.
Bug fixes
Server
UI
Policy Packs from the UI.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
OUTBOUND_SECURITY_GROUP_ID environment variable in Lambda functions now defaults to using the TEF outbound security group when there is no override specified in TEF and TE.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
EncryptionInTransit TopicPolicy has shifted from a custom resource to AWS CloudFormation’s AWS::SNS::TopicPolicy.
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Server
UI
Depends-on tab on the controls page has been renamed to Related. It now includes the information from the Depends-on tab along with additional related controls information.
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Server
@azure/msal-node package.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Server
osquery/logger API to support payloads up to 10MB.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Server
- api/latest/osquery/enroll
- api/latest/osquery/config
- api/latest/osquery/logger
serviceNowCredential resolver specifically for Kubernetes clusters.
(@turbot/sdk) to version 5.15.0 and our fn toolkit (@turbot/fn) to version 5.22.0, to support FIFO queues.
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
worker_factory in the CloudWatch Dashboard widgets "Events Queue Activity" and "Events Queue Backlog".
_worker_factory queue.
_worker queue.
Bug fixes
Server
UI
template_input property of the policy setting in the Terraform plan to YAML format, improving clarity and manageability.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Server
/tenant/${workspaceFullId} to Advanced.
resolvedSchema if not available in the schema.
UI
AWS > Turbot > IAM > Managed control.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Deny:* policy for HTTP traffic back to the turbot-policy-parameter custom lambda code.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Server
Require Signed Assertion Response.
UI:
Require Signed Assertion Response for enhanced security in SAML authentication.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Enhanced Security and Compatibility Guide for SAML Authentication
Description:
The recent update to @node-saml/passport-saml mandates the signing of the assertion response. To ensure backward compatibility, we have introduced a new configuration option in the UI:
By default, this option is set to Disabled to maintain compatibility with existing setups.
Recommendations: We recommend enabling this option as it adds an additional layer of security. However, please be aware that enabling this setting might impact the SAML login functionality.
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Bug fixes
What's new?
Server
UI:
What's new?
Server
passport-saml to @node-saml/passport-saml: 4.0.4
Require Signed Authentication Response and Strict Audience Validation.
UI:
Require Signed Authentication Response and Strict Audience Validation for enhanced security in SAML authentication.
Enhanced Security and Compatibility Guide for SAML Authentication
Description
The recent package change for @node-saml/passport-saml has made it mandatory to sign the audience response and perform audience validation. To maintain backward compatibility, we have introduced two new options in the UI:
Both of these options are set to Disabled by default.
Important Note: This change ensures that the audience response is signed and audience validation is enforced. These checks were not available in earlier versions of the package.
Recommendations
We recommend that customers enable both of these properties, as they add an additional layer of security. However, be aware that enabling these properties might break SAML login functionality, so certain steps need to be taken before enabling them.
Here are specific recommendations for popular Identity Providers (IDPs):
Okta
OneLogin
Azure Entra ID (previously known as Azure AD)
Signing option to be "SIGN SAML response and assertion". The Signing option is available on the Signing Certificate page of Entra ID.
Please follow these recommendations carefully to make sure you're able to transition smoothly to the updated SAML package.
What's new?
What's new?
Server:
UI:
Bug fixes
What's new?
Bug fixes
What's new?
What's new?
Bug fixes
Requirements
What's new?
Bug fixes
What's new?
Server:
UI
Note
IAM change in this release:
What's new?
Resources Deleted by Turbot report.
Requires
Container Info
22.04, jammy-20230425
3.17.3
What's new?
Requires
Container Info
22.04, jammy-20230425
3.17.3
What's new?
Requires
Container Info
22.04, jammy-20230425
3.17.3
What's new?
Enterprise
Requires
Container Info
22.04, jammy-20230425
3.17.3
Enterprise
Requires
Container Info
22.04, jammy-20230425
3.17.3
What's new?
Enterprise
Requires
Container Info
22.04, jammy-20230425
3.18.0
What's new?
Requires
What's new?
v5.10.0 of the Turbot IAM mod.
Requires
What's new?
SameSite configuration to strict.
Enterprise
Requires
What's new?
3.75.0 when Turbot > Stack Terraform Version [Default] is set to 0.15.*
Bug fixes
Action fails due to cloud provider throttling, Turbot will now reschedule the control that triggered the action; those actions should now be more consistently applied under heavy loads.
Note: AWS IAM permissions change in this release:
Turbot > Cache > Health Check control.
Bug fixes
Enterprise
Requires
Enterprise
Requires TEF: v1.46.0 TED: v1.9.1
Bug fixes
2.10.7.
Enterprise
Requires TEF: v1.45.0 TED: v1.9.1
What's new?
alternatePersona in the actor field if available.
Bug fixes
Enterprise
vm2 package to 3.9.11 in the ECS containers.
What's new?
Bug fixes
Enterprise
Requires TEF: v1.42.1 TED: v1.9.1
Bug fixes
Activity sub-tab on the resource page.
Enterprise
Requires TEF: v1.42.1 TED: v1.9.1
Bug fixes
Requires TEF: v1.42.1 TED: v1.9.1
Bug fixes
Enterprise
inline.
Requires TEF: v1.42.1 TED: v1.9.1
Bug fixes
Enterprise
Requires TEF: v1.42.1 TED: v1.9.1
Bug fixes
Enterprise
Requires TEF: v1.42.1 TED: v1.9.1
Bug fixes
unidentified if persona and identity are not available.
Unidentified, now they will carry the identity of the launcher; most of the time this will be the Turbot identity unless the action is launched by a user from Turbot UI.
Enterprise
Enterprise
UI
Enterprise
What's new?
Quick Actions
Quick Actions is a new feature that allows Turbot users to initiate specific (one-time) control enforcements on their cloud environment via the Turbot UI. Cloud operations teams can use Quick Actions to remediate cloud configuration issues (e.g. enable encryption on a resource) or snooze Turbot alarms for issues that we want to come back to later. More details in the documentation. Quick Actions will be rolling out across all supported cloud services in the coming months (based on your feedback); this initial release covers resources in the following AWS mods:
Disabling the Quick Actions feature
Quick Actions use the permissions granted to the Turbot service user or cross-account role used to import your cloud service account into Turbot. Execution of quick actions will fail if the underlying role prevents those actions from occurring.
The Quick Actions feature is disabled by default, but can easily be enabled via the Turbot > Quick Actions > Enabled policy. If you would like to prevent lower-level Turbot administrators from enabling Quick Actions for their cloud service accounts, then make sure you set Turbot > Quick Actions > Enabled to Disabled at the Turbot level using the Required option.
The policy Turbot > Quick Actions > Permission Levels offers fine-grained control over which Turbot permission levels are required to execute specific quick actions. These permission limits can be set globally and specific exceptions can be managed down to the individual cloud service account level.
Enterprise