Product logo
DocsBlogPricing

@turbot/aws

The aws mod contains resource, control and policy definitions for AWS AWS service.

Resource Types

Resource types covered by this mod:

Permissions

Taking a look at permissions and associated grant levels for each permission for AWS:

PermissionGrant LevelHelp
account:DisableRegionOwnerOwners can disable an AWS region.
account:EnableRegionOwnerOwners can enable an AWS region.
account:GetAccountInformationMetadata
account:GetAlternateContactMetadata
account:GetChallengeQuestionsMetadata
account:GetContactInformationMetadata
account:GetRegionOptStatusMetadata
account:ListRegionsMetadata
iam:CreateAccountAliasOwnerOwners can manage the AWS account alias.
iam:DeleteAccountAliasOwnerOwners can manage the AWS account alias.
iam:ListAccountAliasesMetadata

Learn More About Guardrails

Version
5.28.0
Released On
Sep 22, 2023
Depends On

Resource Types

Control Types

Policy Types

Release Notes

5.28.0 (2023-09-22)

What's new?

  • Added support for Global Event Handlers. This release contains new Guardrails policies and controls to support deployment of Global Event Handlers for AWS.

Control Types

Added

  • AWS > Turbot > Event Handlers [Global]

Policy Types

Added

  • AWS > Turbot > Event Handlers [Global]
  • AWS > Turbot > Event Handlers [Global] > Events
  • AWS > Turbot > Event Handlers [Global] > Events > Rules
  • AWS > Turbot > Event Handlers [Global] > Events > Rules > Name Prefix
  • AWS > Turbot > Event Handlers [Global] > Events > Rules > Tags
  • AWS > Turbot > Event Handlers [Global] > Events > Target
  • AWS > Turbot > Event Handlers [Global] > Events > Target > IAM Role ARN
  • AWS > Turbot > Event Handlers [Global] > Primary Region
  • AWS > Turbot > Event Handlers [Global] > SNS
  • AWS > Turbot > Event Handlers [Global] > SNS > Topic
  • AWS > Turbot > Event Handlers [Global] > SNS > Topic > Customer Managed Key
  • AWS > Turbot > Event Handlers [Global] > SNS > Topic > Name Prefix
  • AWS > Turbot > Event Handlers [Global] > SNS > Topic > Tags
  • AWS > Turbot > Event Handlers [Global] > Source
  • AWS > Turbot > Event Handlers [Global] > Terraform Version
  • AWS > Turbot > Service Roles > Event Handlers [Global]
  • AWS > Turbot > Service Roles > Event Handlers [Global] > Name

5.27.2 (2023-09-06)

Bug fixes

  • A few policy values would sometimes fail to evaluate correctly if the mod was installed on TE v5.42.1. We've fixed this issue and such policy values will now be evaluated correctly.

5.27.1 (2023-09-06)

Bug fixes

  • The AWS > Turbot > Event Handlers now support real-time events for AWS S3 Multi-Region Access Point.

5.27.0 (2023-08-11)

What's new?

  • Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.

Bug fixes

  • We've removed support for the now retired aws-portal:* permissions. Things will continue to work smoothly as before.
  • The AWS > Account > CMDB control would fail to trigger automatically if any of the AWS > Account > Turbot IAM Access Key ID, AWS > Account > Turbot IAM Credential Type, AWS > Account > Turbot IAM Role & AWS > Account > Turbot IAM Secret Access Key policy values were updated. This is now fixed.

5.26.0 (2023-07-31)

What's new?

  • The VPC flow logging role created via the AWS > Turbot > Service Roles stack will now also have an inline policy attached to allow the role to write to AWS CloudWatch Logs and deliver logs to AWS S3.
  • The real-time event handlers will now also handle EC2 Instance State-change Notification type events, to allow Turbot to process such events and manage EC2 instances and ECS container instances in Turbot much more efficiently and consistently.

5.25.0 (2023-06-30)

What's new?

  • We've added the new fine-grained account:* permissions which are replacing the existing aws-portal:ViewAccount permission soon. Things will continue to work smoothly as before.

5.24.0 (2023-06-02)

What's new?

  • User can now enable the account filter on EventBridge Rules created via the AWS > Turbot > Event Handlers stack. This will allow the Event Handlers to listen to events only from the account where the Event Handlers are deployed, and avoid processing events from other accounts. To get started, set the AWS > Turbot > Event Handlers > Events > Rules > Account Filter policy to Enabled.

Policy Types

Added

  • AWS > Turbot > Event Handlers > Events > Rules > Account Filter

5.23.5 (2023-05-10)

Bug fixes

  • The AWS > Turbot > Event Handlers now supports real-time events for AWS RDS Global Cluster.

5.23.4 (2023-01-13)

Bug fixes

  • We've tightened the access policy for the SNS Topic created by the AWS > Turbot > Event Handlers stack to enforce encryption of data in transit over HTTPS. You won't notice any difference and the Event Handlers will continue to work smoothly as before.

5.23.3 (2023-01-05)

Bug fixes

  • The actor information in the activity log for resources would incorrectly show up as Unidentified Identity if the caller was Root Account. This is fixed and the activity log would now show Root Account for such events.

5.23.2 (2022-12-16)

Bug fixes

  • The AWS > Turbot > Event Handlers now supports real-time events for Direct Connect gateways and ECR public repositories.

5.23.1 (2022-12-02)

Bug fixes

  • The AWS > Turbot > Event Handlers > Terraform Version policy now defaults to 0.15.* for ap-northeast-3 region to configure all Event Handler resources correctly in the region.

5.23.0 (2022-08-11)

Policy Types

Added

  • AWS > Turbot > Logging > Bucket > Encryption in Transit

5.22.5 (2022-07-28)

Bug fixes

  • In v5.18.0, we updated the AWS > Turbot > Event Handlers > Terraform Version policy to 0.15.*. Due to this update, the AWS > Turbot > Event Handlers control would sometimes fail to update resources correctly if the AWS > Turbot > Event Handlers > Source policy was updated. We've reverted this change temporarily, and the AWS > Turbot > Event Handlers > Terraform Version policy value is now set to 0.11.* to allow the Event Handlers control to work as expected.

5.22.4 (2022-04-21)

Bug fixes

  • We've tightened the access policy for the SNS Topic created by the AWS > Turbot > Event Handlers stack to only allow EventBridge rules in the current account to publish to the topic. You won't notice any difference and the Event Handlers will continue to work smoothly as before.

5.22.3 (2022-02-17)

Bug fixes

  • The AWS > Account > Budget > Budget control would go into an error state for AWS China cloud accounts. This is fixed and the control will now work as expected.

  • We've improved the process of deleting resources from Turbot if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.

5.22.2 (2022-02-09)

Bug fixes

  • In v5.20.1, we fixed an issue for AWS > Turbot > Service Roles > Source policy and its dependency on the aws-os mod. Turns out that the fix caused the AWS > Turbot > Service Roles control to not create the default EC2 instance role, its instance profile and its SSM permissions correctly in AWS if their respective policies were set to Enabled. This is fixed and the control will now create such service roles correctly as per their respective policies.

5.22.1 (2022-02-02)

Bug fixes

  • The real-time event handlers will now also process logging configuration events for global and regional WAF web ACLs.

5.22.0 (2022-01-13)

What's new?

  • Tags can now be defined for EventBridge rules created by the AWS > Turbot > Event Handlers control. To get started, set the AWS > Turbot > Event Handlers > Events > Rules > Tags policy.

Policy Types

Added

  • AWS > Turbot > Event Handlers > Events > Rules > Tags

5.21.0 (2022-01-06)

What's new?

  • The real-time event handlers will now also handle EBS Volume Notification type events, to allow Turbot to process such events and manage EC2 volumes in Turbot much more efficiently and consistently.

5.20.3 (2021-12-10)

Bug fixes

  • The AWS > Turbot > Audit Trail stack now works if the S3 bucket given in AWS > Turbot > Audit Trail > CloudTrail > Trail > S3 Bucket policy is in another AWS account. Please note that when sending CloudTrail logs to a bucket in another account, the bucket’s policy will need to be updated to receive log files properly. For bucket policy examples, please see Setting bucket policy for multiple accounts.

5.20.2 (2021-11-26)

Bug fixes

  • In v5.20.1, we made some changes to preserve custom AKAs on accounts in Turbot. These changes sometimes prevented the movement of accounts under different folders in Turbot. This is fixed and users will now be able to move accounts smoothly again.

5.20.1 (2021-10-28)

Bug fixes

  • Custom AKAs added to accounts were not preserved in Turbot CMDB because the AWS > Account > CMDB control would overwrite them. This is fixed and all such custom AKAs will now be stored correctly in Turbot CMDB.

  • The AWS > Turbot > Service Roles > Source policy would incorrectly move to an invalid state if the AWS > Turbot > OS Management > SSM Command > S3 Bucket policy was set and the aws-os mod was unavailable. This is fixed and the policy should now work as expected.

  • We've removed the AWS > Organization, AWS > Organizational Unit and AWS > Root resource types and their corresponding controls and policies since they were unused and had no integrations with any other resource types. They will now be available under a separate aws-organizations mod. To discover such resources, install the aws-organizations mod in your environment and import a management account.

Resource Types

Removed

  • AWS > Organization
  • AWS > Organizational Unit
  • AWS > Root

Control Types

Removed

  • AWS > Organization > CMDB
  • AWS > Organizational Unit > CMDB
  • AWS > Organizational Unit > Discovery

Policy Types

Removed

  • AWS > Organization > CMDB
  • AWS > Organization > Turbot IAM Role [Organization]
  • AWS > Organization > Turbot IAM Role [Organization] > External ID [Organization]
  • AWS > Organizational Unit > CMDB

5.20.0 (2021-09-29)

What's new?

  • Users can now specify a connection region that will be used to discover regions under an account. To get started, set the AWS > Region > Discovery > Connection Region policy.

Policy Types

Added

  • AWS > Region > Discovery
  • AWS > Region > Discovery > Connection Region

5.19.1 (2021-09-15)

Bug fixes

  • We’ve made a few improvements in the GraphQL queries for various controls to be more reliable than before. You won’t notice any difference and things should continue to run smoothly as expected.

5.19.0 (2021-08-20)

What's new?

  • AWS account titles can now be customized in Turbot. To get started, set the turbot_title tag on the account via Turbot's Terraform provider.

5.18.0 (2021-07-28)

What's new?

  • For workspaces on TE v5.37.7 or higher, the Terraform Version policy for various Turbot managed stack controls will now be set to 0.15.* by default. For workspaces on TE versions lower than 5.37.7, those policies will remain set to 0.11.* by default.

Bug fixes

  • The AWS > Turbot > Event Handlers control went into an error state if configured for ap-northeast-3 (Osaka) region. This is now fixed.

5.17.0 (2021-07-22)

Policy Types

Added

  • AWS > Account > Turbot IAM Role > Assume Role Timeout

5.16.1 (2021-06-15)

Bug fixes

  • We've improved the way we handle duplicate events fetched via the AWS > Turbot > Event Poller control. You won't notice any difference, but the control should run lighter than before.

    Please note that this improvement will only be enabled for workspaces on TE v5.37.5 or higher.

5.16.0 (2021-06-11)

What's new?

  • Users can now define a list of events to filter out while polling for events using the AWS > Turbot > Event Poller. To get started, set the AWS > Turbot > Event Poller > Excluded Events policy.

Policy Types

Added

  • AWS > Turbot > Event Poller > Excluded Events

5.15.3 (2021-06-02)

Control Types

Removed

  • AWS > Account > Resource AKA Cleanup

Policy Types

Removed

  • AWS > Account > Resource AKA Cleanup

5.15.2 (2021-05-25)

Bug fixes

  • We've updated the description for AWS > Turbot > Audit Trail > CloudTrail > Trail > Name Prefix policy to indicate that the policy will be ignored when the AWS > Turbot > Audit Trail > CloudTrail > Trail > Name policy has a policy setting defined explicitly.
  • The AWS > Account > CMDB control would go into an error state if Turbot had insufficient permissions to fetch the account's organization details. This is fixed and the control will now work as expected.

5.15.1 (2021-04-08)

Bug fixes

  • We’ve made a few improvements in the GraphQL queries for various controls, policies, and actions. You won’t notice any difference, but things should run lighter and quicker than before.

5.15.0 (2021-03-19)

What's new?

  • When generating credentials for the AWS account, you can now check if the external ID for the IAM role used to import the account is in the protected format. This will prevent users from importing an account in multiple Turbot workspaces. To get started, first set the AWS > Account > Turbot IAM Role > External ID policy in a protected format, e.g. turbot:123456789012345:foo, where 123456789012345 is the Turbot root resource ID and foo is a valid external ID in AWS. Afterward, set the AWS > Account > Turbot IAM Role > External ID > Protection policy to Protected.

Please note that this feature will only be enabled for workspaces on TE v5.36.0 or higher.

Policy Types

Added

  • AWS > Account > Turbot IAM Role > External ID > Protection

5.14.0 (2021-02-05)

What's new?

  • Tags can now be defined for SNS topics created by the AWS > Turbot > Event Handlers > SNS > Topic stack through the AWS > Turbot > Event Handlers > SNS > Topic > Tags policy.

Policy Types

Added

  • AWS > Turbot > Event Handlers > SNS > Topic > Tags

5.13.4 (2020-12-17)

Bug fixes

  • The AWS > Turbot > Event Poller control will now filter out the support:RefreshTrustedAdvisorCheck event when processing CloudTrail events. There will be no noticeable difference but event processing will now run much lighter.

5.13.3 (2020-12-08)

Bug fixes

  • The real-time event handlers now handle EC2 and VPC resource tagging events much more efficiently, which drastically decreases the amount of events Turbot creates internally for each incoming tagging event.

    Please note that this feature will only be enabled for workspaces on TE v5.34.1 or higher. For workspaces on earlier versions, the real-time event handlers will continue to handle EC2 and VPC tagging events as they have before.

  • We've made some improvements to our real-time event handlers, which should result in slightly faster processing of incoming events.

  • The AWS > Trusted Accounts [Default] policy no longer allows the values all and public to better support use of this default policy in all Trusted Accounts policies for AWS services and resources.

5.13.2 (2020-10-30)

Bug fixes

  • The AWS > Turbot > Service Roles > Source policy would pull S3 buckets from all AWS accounts in the workspace instead of the targeted AWS account. This is now fixed.
  • We've updated the schema definition used in the AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts and AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts policies to allow adding AWS account IDs as strings as well (previously they could only be added as integers).

5.13.1 (2020-10-14)

Bug fixes

  • Sometimes the AWS > Turbot > Event Poller control would run less frequently than the interval set in the AWS > Turbot > Event Poller > Interval policy. We've updated this control to now ensure that it will run at least every 10 minutes (which is the maximum interval allowed in the policy) to prevent it from missing events.

5.13.0 (2020-10-12)

What's new?

  • The account's CMDB data now also includes the information about the organization that the user's account belongs to. This is available under the Organization property.

  • The AWS > Account > Resource AKA Cleanup control will now also remove AWS > API Gateway > Domain Name V2 resources that have malformed AKAs with missing identifier information.

Bug fixes

  • We've made some improvements to our real-time event handling that reduces the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.

5.12.0 (2020-09-16)

What's new?

  • We've updated the AWS > Turbot > Audit Trail > CloudTrail > Trail > Name policy so it's no longer read-only. Now this policy can be set to a specific trail name, which Turbot will either create or claim and manage if it already exists. Please note that if this policy is set, then the AWS > Turbot > Audit Trail > CloudTrail > Trail > Name Prefix policy will not be used.

Bug fixes

  • The AWS > Account > Resource AKA Cleanup control will now also remove AWS > ElastiCache > Cache Parameter Group, AWS > Redshift > Cluster, AWS > Redshift > Cluster Subnet Group, and AWS > VPC > Flow Log resources that have malformed AKAs with missing identifier information.

5.11.0 (2020-09-15)

Policy Types

Added

  • AWS > Account > Trusted Identity Providers [Default]
  • AWS > Account > Trusted Organizations [Default]
  • AWS > Account > Trusted Services [Default]

5.10.4 (2020-09-14)

Bug fixes

  • Accounts can now be imported at the Turbot level (previously they could only be imported in a Turbot folder).

5.10.3 (2020-09-10)

Bug fixes

  • The AWS > Account > Resource AKA Cleanup control was not properly detecting AWS > EC2 > Launch Configuration resources with invalid AKAs. This has been fixed.

5.10.2 (2020-08-28)

Bug fixes

  • In 5.9.0, we removed the AWS > Account > Resource AKA Migration control, which included functionality to delete various types of AWS resources with invalid AKAs. We have added this functionality back in the AWS > Account > Resource AKA Cleanup control, which now deletes resources with invalid AKAs of the following resource types:
    - AWS > Config > Delivery Channel
    - AWS > EC2 > Classic Load Balancer
    - AWS > EC2 > Instance
    - AWS > EC2 > Launch Configuration
    - AWS > IAM > Role
    - AWS > WAF > Rate Based Rule

5.10.1 (2020-08-20)

Bug fixes

  • The AWS > Account > Resource AKA Cleanup control will now also remove AWS > RDS > DB Parameter Group and AWS > RDS > DB Parameter Group resources having malformed AKAs that are missing the identifier information.

5.10.0 (2020-08-17)

Policy Types

Added

  • AWS > Turbot > Service Roles > Terraform Version

5.9.0 (2020-08-12)

What's new?

  • The AWS > Account > Resource AKA Migration control has been removed and replaced by the AWS > Account > Resource AKA Cleanup control. Before updating the aws mod to this version, please ensure that the previous AWS > Account > Resource AKA Migration control has migrated/deleted all resources it has identified with bad AKAs.

    This new control will remove any AWS > RDS resources with malformed AKAs that are missing identifying information. The AWS > Account > Resource AKA Cleanup policy is set to Enforce: Migrated by default and it is recommended to leave this policy as Enforce: Migrated to ensure all invalid resources are deleted.

Control Types

Added

  • AWS > Account > Resource AKA Cleanup

Removed

  • AWS > Account > Resource AKA Migration

Policy Types

Added

  • AWS > Account > Resource AKA Cleanup

Removed

  • AWS > Turbot > Resource AKA Migration

5.8.1 (2020-08-11)

Bug fixes

  • We’ve made improvements to our GraphQL input queries for various controls and actions. You won’t notice any differences, but things should run smoother and quicker than before.

5.8.0 (2020-07-28)

What's new?

  • Server access logging can now be configured on the S3 logging buckets created through the AWS > Turbot > Logging > Bucket stack. To enable server access logging, please set the AWS > Turbot > Logging > Bucket > Access Logging policy to Enabled and then configure the AWS > Turbot > Logging > Bucket > Access Logging > Bucket and AWS > Turbot > Logging > Bucket > Access Logging > Bucket > Key Prefix policies.

Policy Types

Added

  • AWS > Turbot > Audit Trail > Terraform Version
  • AWS > Turbot > Event Handlers > Terraform Version
  • AWS > Turbot > Logging > Bucket > Access Logging
  • AWS > Turbot > Logging > Bucket > Access Logging > Bucket
  • AWS > Turbot > Logging > Bucket > Access Logging > Bucket > Key Prefix
  • AWS > Turbot > Logging > Terraform Version

5.7.2 (2020-07-23)

Bug fixes

  • We've cleaned up our use of some deprecated GraphQL resolvers in the event handlers policies. There's no noticeable difference, but this will help us clean up some of our resolvers.

5.7.1 (2020-07-15)

Bug fixes

  • Updated the default value for the AWS > Account > Trusted Accounts [Default] policy from [] to ["*"]. This policy is not currently used by any control, so there is no impact to any resources.

5.7.0 (2020-07-10)

Policy Types

Added

  • AWS > Account > Trusted Accounts [Default]

5.6.0 (2020-07-08)

What's new?

  • AWS regions are now dynamically discovered and created in CMDB based on what environment the account belongs to. For instance, accounts in GovCloud will only have us-gov-west-1 and us-gov-east-1 regions created. We've also added better support for regions in AWS China and are better at detecting regions that are disabled in the account so we don't create them in CMDB.

Control Types

Removed

  • AWS > Region > CMDB

Policy Types

Added

  • AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > Billing Console

Renamed

  • AWS > Account > Regions [Default] to AWS > Account > Regions

Removed

  • AWS > Region > CMDB

Action Types

Added

  • AWS > Region > Router

5.5.3 (2020-07-07)

Bug fixes

  • The AWS > Account > Resource AKA Migration control would sometimes fail to delete invalid resources in CMDB if there was a large number of them. We've updated how this control runs to better handle a large number of resources.
  • We've made some minor improvements to the AWS > Account > Event Handler action. There are no noticeable differences in how events are handled, but things should run smoother now.

5.5.2 (2020-06-29)

Bug fixes

  • The activity tab on the Turbot console did not capture the actor's identity information whenever AWS console was accessed using Okta federation. This issue has now been fixed.

5.5.1 (2020-06-22)

Bug fixes

  • Fixed default value of the AWS > Account > Resource AKA Migration policy to be Enforce: Migrated instead of Skip.

5.5.0 (2020-06-19)

What's new?

  • In previous versions for various other AWS mods, there was a common bug that resulted in the creation of resources in CMDB without a partition in their ARNs. These bugs have already been fixed in the affected mods, but the resources with invalid ARNs would still exist in CMDB. To automatically cleanup and delete these invalid CMDB entries, we have added the AWS > Account > Resource AKA Migration control. Resources that do not have any policy settings will automatically be deleted, while those that do have policy settings will be logged in the control's log so they can be re-created on the proper resources. The AWS > Account > Resource AKA Migration policy is set to Enforce: Migrated by default and it is recommended to leave this policy as Enforce: Migrated to ensure all invalid resources are migrated.

Control Types

Added

  • AWS > Account > Resource AKA Migration

Policy Types

Added

  • AWS > Turbot > Resource AKA Migration

5.4.1 (2020-06-05)

Bug fixes

  • AWS > Turbot > Event Handlers control incorrectly referenced Azure Poller policies in its logging information. This has now been fixed.

5.4.0 (2020-06-03)

What's new?

  • AWS > Account > Event Handler action type is now set to run even if Turbot is outside of its allowed change window. This allows Turbot to maintain an up-to-date CMDB by handling resource updates at all times. Note that this only affects Turbot's ability to process resources changes that were made in the cloud provider - enforcement actions are still disabled outside of the change window.

Policy Types

Added

  • AWS > Account > Stack > Secret Variables
  • AWS > Account > Stack > Variables
  • AWS > Region > Stack > Secret Variables
  • AWS > Region > Stack > Variables

5.3.1 (2020-05-07)

Bug fixes

  • For workspaces on version 5.17.0 or higher, the AWS > Account > Budget > Budget control would re-run indefinitely due to a missing check based on the last updated time. This issue has been fixed and now you can easily manage your budget settings without any hiccups.