Policy types for @turbot/aws-apigateway

AWS > API Gateway > API > Active

Determine the action to take when an AWS API Gateway api, based on the AWS > API Gateway > API > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > API > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > API Gateway > API > Active > Age

The age after which the AWS API Gateway api is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > API > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > API Gateway > API > Active > Budget

The impact of the budget state on the active control. This policy allows you to force apis to inactive based on the current budget state, as reflected in AWS > Account > Budget > State

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > API > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiActiveBudget
Valid Value
[
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > API Gateway > API > Active > Last Modified

The number of days since the AWS API Gateway api was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > API > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > API Gateway > API > Approved

Determine the action to take when an AWS API Gateway api is not approved based on AWS > API Gateway > API > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > API Gateway > API > Approved > Budget

The policy allows you to set apis to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State

This policy will be evaluated by the Approved control. If an AWS API Gateway api is not matched by the approved list, it will be subject to the action specified in the AWS > API Gateway > API > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiApprovedBudget
Valid Value
[
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
],
"example": [
"Unapproved if Budget > State is Shutdown"
],
"default": "Skip"
}

AWS > API Gateway > API > Approved > Custom

Determine whether the AWS API Gateway api is allowed to exist. This policy will be evaluated by the Approved control. If an AWS API Gateway api is not approved, it will be subject to the action specified in the AWS > API Gateway > API > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > API Gateway > API > Approved > Regions

A list of AWS regions in which AWS API Gateway apis are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS API Gateway api is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > API Gateway > API > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > API > Approved > Usage

Determine whether the AWS API Gateway api is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS API Gateway api is not approved, it will be subject to the action specified in the AWS > API Gateway > API > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > API Gateway > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > API Gateway > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > API Gateway > Enabled"
}

AWS > API Gateway > API > CMDB

Configure whether to record and synchronize details for the AWS API Gateway api into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > API Gateway > API > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-apigateway#/policy/types/apiCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > API Gateway > API > Regions

A list of AWS regions in which AWS API Gateway apis are supported for use.

Any apis in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > API > Tags

Determine the action to take when an AWS API Gateway api tags are not updated based on the AWS > API Gateway > API > Tags > * policies.

The control ensure AWS API Gateway api tags include tags defined in AWS > API Gateway > API > Tags > Template.

Tags not defined in API Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > API Gateway > API > Tags > Template

The template is used to generate the keys and values for AWS API Gateway api.

Tags not defined in API Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > API Gateway > API > Usage

Configure the number of AWS API Gateway apis that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > API Gateway > API > Usage policy.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > API Gateway > API > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 600
}

AWS > API Gateway > API Enabled

Configure whether the AWS API Gateway API is enabled.

Note: Disabling the service disables the API for ALL users and roles, and Turbot will have no access to the API.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiGatewayApiEnabled
Valid Value
[
"Enabled",
"Disabled",
"Enabled if AWS > API Gateway > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled",
"Enabled if AWS > API Gateway > Enabled"
],
"default": "Enabled"
}

AWS > API Gateway > API Key > Active

Determine the action to take when an AWS API Gateway api key, based on the AWS > API Gateway > API Key > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > API Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > API Gateway > API Key > Active > Age

The age after which the AWS API Gateway api key is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > API Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > API Gateway > API Key > Active > Budget

The impact of the budget state on the active control. This policy allows you to force apiKeys to inactive based on the current budget state, as reflected in AWS > Account > Budget > State

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > API Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyActiveBudget
Valid Value
[
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > API Gateway > API Key > Active > Last Modified

The number of days since the AWS API Gateway api key was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > API Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > API Gateway > API Key > Approved

Determine the action to take when an AWS API Gateway api key is not approved based on AWS > API Gateway > API Key > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > API Gateway > API Key > Approved > Budget

The policy allows you to set api keys to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State

This policy will be evaluated by the Approved control. If an AWS API Gateway api key is not matched by the approved list, it will be subject to the action specified in the AWS > API Gateway > API Key > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyApprovedBudget
Valid Value
[
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
],
"example": [
"Unapproved if Budget > State is Shutdown"
],
"default": "Skip"
}

AWS > API Gateway > API Key > Approved > Custom

Determine whether the AWS API Gateway api key is allowed to exist. This policy will be evaluated by the Approved control. If an AWS API Gateway api key is not approved, it will be subject to the action specified in the AWS > API Gateway > API Key > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > API Gateway > API Key > Approved > Regions

A list of AWS regions in which AWS API Gateway api keys are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS API Gateway api key is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > API Gateway > API Key > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > API Key > Approved > Usage

Determine whether the AWS API Gateway api key is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS API Gateway api key is not approved, it will be subject to the action specified in the AWS > API Gateway > API Key > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > API Gateway > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > API Gateway > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > API Gateway > Enabled"
}

AWS > API Gateway > API Key > CMDB

Configure whether to record and synchronize details for the AWS API Gateway api key into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > API Gateway > API Key > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > API Gateway > API Key > Regions

A list of AWS regions in which AWS API Gateway api keys are supported for use.

Any api keys in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > API Key > Tags

Determine the action to take when an AWS API Gateway api key tags are not updated based on the AWS > API Gateway > API Key > Tags > * policies.

The control ensure AWS API Gateway api key tags include tags defined in AWS > API Gateway > API Key > Tags > Template.

Tags not defined in API Key Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > API Gateway > API Key > Tags > Template

The template is used to generate the keys and values for AWS API Gateway api key.

Tags not defined in API Key Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > API Gateway > API Key > Usage

Configure the number of AWS API Gateway api keys that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > API Gateway > API Key > Usage policy.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > API Gateway > API Key > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiKeyUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 500
}

AWS > API Gateway > API V2 > Active

Determine the action to take when an AWS API Gateway api v2, based on the AWS > API Gateway > API V2 > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > API V2 > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2Active
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > API Gateway > API V2 > Active > Age

The age after which the AWS API Gateway api v2 is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > API V2 > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2ActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > API Gateway > API V2 > Active > Budget

The impact of the budget state on the active control. This policy allows you to force apiV2s to inactive based on the current budget state, as reflected in AWS > Account > Budget > State

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > API V2 > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2ActiveBudget
Valid Value
[
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > API Gateway > API V2 > Active > Last Modified

The number of days since the AWS API Gateway api v2 was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > API V2 > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2ActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > API Gateway > API V2 > Approved

Determine the action to take when an AWS API Gateway api v2 is not approved based on AWS > API Gateway > API V2 > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2Approved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > API Gateway > API V2 > Approved > Budget

The policy allows you to set api v2s to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State

This policy will be evaluated by the Approved control. If an AWS API Gateway api v2 is not matched by the approved list, it will be subject to the action specified in the AWS > API Gateway > API V2 > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2ApprovedBudget
Valid Value
[
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
],
"example": [
"Unapproved if Budget > State is Shutdown"
],
"default": "Skip"
}

AWS > API Gateway > API V2 > Approved > Custom

Determine whether the AWS API Gateway api v2 is allowed to exist. This policy will be evaluated by the Approved control. If an AWS API Gateway api v2 is not approved, it will be subject to the action specified in the AWS > API Gateway > API V2 > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2ApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > API Gateway > API V2 > Approved > Regions

A list of AWS regions in which AWS API Gateway api v2s are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS API Gateway api v2 is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > API Gateway > API V2 > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2ApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > API V2 > Approved > Usage

Determine whether the AWS API Gateway api v2 is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS API Gateway api v2 is not approved, it will be subject to the action specified in the AWS > API Gateway > API V2 > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2ApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > API Gateway > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > API Gateway > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > API Gateway > Enabled"
}

AWS > API Gateway > API V2 > CMDB

Configure whether to record and synchronize details for the AWS API Gateway api v2 into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > API Gateway > API V2 > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2Cmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > API Gateway > API V2 > Regions

A list of AWS regions in which AWS API Gateway api v2s are supported for use.

Any api v2s in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2Regions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > API V2 > Tags

Determine the action to take when an AWS API Gateway api v2 tags are not updated based on the AWS > API Gateway > API V2 > Tags > * policies.

The control ensure AWS API Gateway api v2 tags include tags defined in AWS > API Gateway > API V2 > Tags > Template.

Tags not defined in API V2 Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2Tags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > API Gateway > API V2 > Tags > Template

The template is used to generate the keys and values for AWS API Gateway api v2.

Tags not defined in API V2 Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2TagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > API Gateway > API V2 > Usage

Configure the number of AWS API Gateway api v2s that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > API Gateway > API V2 > Usage policy.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2Usage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > API Gateway > API V2 > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiV2UsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 600
}

AWS > API Gateway > Approved Regions [Default]

A list of AWS regions in which AWS API Gateway resources are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy is the default value for all AWS API Gateway resources' Approved > Regions policies.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiGatewayApprovedRegionsDefault
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws#/policy/types/approvedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > Authorizer > Active

Determine the action to take when an AWS API Gateway authorizer, based on the AWS > API Gateway > Authorizer > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > Authorizer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > API Gateway > Authorizer > Active > Age

The age after which the AWS API Gateway authorizer is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > Authorizer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > API Gateway > Authorizer > Active > Last Modified

The number of days since the AWS API Gateway authorizer was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > Authorizer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > API Gateway > Authorizer > Approved

Determine the action to take when an AWS API Gateway authorizer is not approved based on AWS > API Gateway > Authorizer > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > API Gateway > Authorizer > Approved > Custom

Determine whether the AWS API Gateway authorizer is allowed to exist. This policy will be evaluated by the Approved control. If an AWS API Gateway authorizer is not approved, it will be subject to the action specified in the AWS > API Gateway > Authorizer > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > API Gateway > Authorizer > Approved > Regions

A list of AWS regions in which AWS API Gateway authorizers are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS API Gateway authorizer is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > API Gateway > Authorizer > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > Authorizer > Approved > Usage

Determine whether the AWS API Gateway authorizer is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS API Gateway authorizer is not approved, it will be subject to the action specified in the AWS > API Gateway > Authorizer > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > API Gateway > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > API Gateway > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > API Gateway > Enabled"
}

AWS > API Gateway > Authorizer > CMDB

Configure whether to record and synchronize details for the AWS API Gateway authorizer into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > API Gateway > Authorizer > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > API Gateway > Authorizer > Regions

A list of AWS regions in which AWS API Gateway authorizers are supported for use.

Any authorizers in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > Authorizer > Usage

Configure the number of AWS API Gateway authorizers that can be used for this api and the current consumption against the limit.

You can configure the behavior of the control with this AWS > API Gateway > Authorizer > Usage policy.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > API Gateway > Authorizer > Usage > Limit

Maximum number of items that can be created for this api.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 10
}

AWS > API Gateway > Authorizer V2 > Active

Determine the action to take when an AWS API Gateway authorizer v2, based on the AWS > API Gateway > Authorizer V2 > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > Authorizer V2 > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerV2Active
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > API Gateway > Authorizer V2 > Active > Age

The age after which the AWS API Gateway authorizer v2 is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > Authorizer V2 > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerV2ActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > API Gateway > Authorizer V2 > Active > Last Modified

The number of days since the AWS API Gateway authorizer v2 was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > Authorizer V2 > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerV2ActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > API Gateway > Authorizer V2 > Approved

Determine the action to take when an AWS API Gateway authorizer v2 is not approved based on AWS > API Gateway > Authorizer V2 > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerV2Approved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > API Gateway > Authorizer V2 > Approved > Custom

Determine whether the AWS API Gateway authorizer v2 is allowed to exist. This policy will be evaluated by the Approved control. If an AWS API Gateway authorizer v2 is not approved, it will be subject to the action specified in the AWS > API Gateway > Authorizer V2 > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerV2ApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > API Gateway > Authorizer V2 > Approved > Regions

A list of AWS regions in which AWS API Gateway authorizer v2s are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS API Gateway authorizer v2 is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > API Gateway > Authorizer V2 > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerV2ApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > Authorizer V2 > Approved > Usage

Determine whether the AWS API Gateway authorizer v2 is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS API Gateway authorizer v2 is not approved, it will be subject to the action specified in the AWS > API Gateway > Authorizer V2 > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerV2ApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > API Gateway > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > API Gateway > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > API Gateway > Enabled"
}

AWS > API Gateway > Authorizer V2 > CMDB

Configure whether to record and synchronize details for the AWS API Gateway authorizer v2 into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > API Gateway > Authorizer V2 > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerV2Cmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > API Gateway > Authorizer V2 > Regions

A list of AWS regions in which AWS API Gateway authorizer v2s are supported for use.

Any authorizer v2s in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerV2Regions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > Authorizer V2 > Usage

Configure the number of AWS API Gateway authorizer v2s that can be used for this apiV2 and the current consumption against the limit.

You can configure the behavior of the control with this AWS > API Gateway > Authorizer V2 > Usage policy.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerV2Usage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > API Gateway > Authorizer V2 > Usage > Limit

Maximum number of items that can be created for this apiV2.

URI
tmod:@turbot/aws-apigateway#/policy/types/authorizerV2UsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 6000
}

AWS > API Gateway > Domain Name V2 > Active

Determine the action to take when an AWS API Gateway domain name v2, based on the AWS > API Gateway > Domain Name V2 > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > Domain Name V2 > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/domainNameV2Active
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > API Gateway > Domain Name V2 > Active > Age

The age after which the AWS API Gateway domain name v2 is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > Domain Name V2 > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/domainNameV2ActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > API Gateway > Domain Name V2 > Active > Last Modified

The number of days since the AWS API Gateway domain name v2 was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > Domain Name V2 > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/domainNameV2ActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > API Gateway > Domain Name V2 > Approved

Determine the action to take when an AWS API Gateway domain name v2 is not approved based on AWS > API Gateway > Domain Name V2 > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/domainNameV2Approved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > API Gateway > Domain Name V2 > Approved > Custom

Determine whether the AWS API Gateway domain name v2 is allowed to exist. This policy will be evaluated by the Approved control. If an AWS API Gateway domain name v2 is not approved, it will be subject to the action specified in the AWS > API Gateway > Domain Name V2 > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-apigateway#/policy/types/domainNameV2ApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > API Gateway > Domain Name V2 > Approved > Regions

A list of AWS regions in which AWS API Gateway domain name v2s are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS API Gateway domain name v2 is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > API Gateway > Domain Name V2 > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/domainNameV2ApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > Domain Name V2 > Approved > Usage

Determine whether the AWS API Gateway domain name v2 is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS API Gateway domain name v2 is not approved, it will be subject to the action specified in the AWS > API Gateway > Domain Name V2 > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/domainNameV2ApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > API Gateway > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > API Gateway > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > API Gateway > Enabled"
}

AWS > API Gateway > Domain Name V2 > CMDB

Configure whether to record and synchronize details for the AWS API Gateway domain name v2 into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > API Gateway > Domain Name V2 > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-apigateway#/policy/types/domainNameV2Cmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > API Gateway > Domain Name V2 > Regions

A list of AWS regions in which AWS API Gateway domain name v2s are supported for use.

Any domain name v2s in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-apigateway#/policy/types/domainNameV2Regions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > Domain Name V2 > Tags

Determine the action to take when an AWS API Gateway domain name v2 tags are not updated based on the AWS > API Gateway > Domain Name V2 > Tags > * policies.

The control ensure AWS API Gateway domain name v2 tags include tags defined in AWS > API Gateway > Domain Name V2 > Tags > Template.

Tags not defined in Domain Name V2 Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/domainNameV2Tags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > API Gateway > Domain Name V2 > Tags > Template

The template is used to generate the keys and values for AWS API Gateway domain name v2.

Tags not defined in Domain Name V2 Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/domainNameV2TagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > API Gateway > Domain Name V2 > Usage

Configure the number of AWS API Gateway domain name v2s that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > API Gateway > Domain Name V2 > Usage policy.

URI
tmod:@turbot/aws-apigateway#/policy/types/domainNameV2Usage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > API Gateway > Domain Name V2 > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-apigateway#/policy/types/domainNameV2UsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 120
}

AWS > API Gateway > Enabled

Configure whether the AWS API Gateway service is enabled. This will only affect Turbot managed User Roles and will allow the Turbot managed user to access AWS API Gateway service.

  • Enabled policy allows Turbot managed users to perform all the actions for the service
  • Enabled: Metadata Only policy allows Turbot managed users to perform only the metadata level actions for the service (like describe*, list*)

Note:

  • Disabled policy disables the service but does NOT disable the API for Turbot or SuperUsers
  • All the resource data stored in the Turbot CMDB is considered to be metadata
  • For more information related to permissions and grant levels, please check the documentation
URI
tmod:@turbot/aws-apigateway#/policy/types/apiGatewayEnabled
Valid Value
[
"Enabled",
"Enabled: Metadata Only",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Enabled: Metadata Only",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Disabled"
}

AWS > API Gateway > Integration V2 > Active

Determine the action to take when an AWS API Gateway integration v2, based on the AWS > API Gateway > Integration V2 > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > Integration V2 > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/integrationV2Active
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > API Gateway > Integration V2 > Active > Age

The age after which the AWS API Gateway integration v2 is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > Integration V2 > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/integrationV2ActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > API Gateway > Integration V2 > Active > Last Modified

The number of days since the AWS API Gateway integration v2 was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > API Gateway > Integration V2 > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/integrationV2ActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > API Gateway > Integration V2 > Approved

Determine the action to take when an AWS API Gateway integration v2 is not approved based on AWS > API Gateway > Integration V2 > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/integrationV2Approved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > API Gateway > Integration V2 > Approved > Custom

Determine whether the AWS API Gateway integration v2 is allowed to exist. This policy will be evaluated by the Approved control. If an AWS API Gateway integration v2 is not approved, it will be subject to the action specified in the AWS > API Gateway > Integration V2 > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-apigateway#/policy/types/integrationV2ApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > API Gateway > Integration V2 > Approved > Regions

A list of AWS regions in which AWS API Gateway integration v2s are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS API Gateway integration v2 is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > API Gateway > Integration V2 > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/integrationV2ApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > Integration V2 > Approved > Usage

Determine whether the AWS API Gateway integration v2 is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS API Gateway integration v2 is not approved, it will be subject to the action specified in the AWS > API Gateway > Integration V2 > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-apigateway#/policy/types/integrationV2ApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > API Gateway > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > API Gateway > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > API Gateway > Enabled"
}

AWS > API Gateway > Integration V2 > CMDB

Configure whether to record and synchronize details for the AWS API Gateway into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > API Gateway > > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-apigateway#/policy/types/integrationV2Cmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > API Gateway > Integration V2 > Regions

A list of AWS regions in which AWS API Gateway s are supported for use.

Any s in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-apigateway#/policy/types/integrationV2Regions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-apigateway#/policy/types/apiGatewayRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

AWS > API Gateway > Integration V2 > Usage

Configure the number of AWS API Gateway integration v2s that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > API Gateway > Integration V2 > Usage policy.

URI
tmod:@turbot/aws-apigateway#/policy/types/integrationV2Usage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > API Gateway > Integration V2 > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-apigateway#/policy/types/integrationV2UsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 300
}

AWS > API Gateway > Permissions

Configure whether permissions policies are in effect for AWS API Gateway.

This setting does not affect account level permissions (AWS/Admin, AWS/Owner, etc)

Note: The behavior of this policy depends on the value of AWS > Permissions.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiGatewayPermissions
Valid Value
[
"Enabled",
"Disabled",
"Enabled if AWS > API Gateway > Enabled & AWS > API Gateway > API Enabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled",
"Enabled if AWS > API Gateway > Enabled & AWS > API Gateway > API Enabled"
],
"example": [
"Enabled"
],
"default": "Enabled if AWS > API Gateway > Enabled & AWS > API Gateway > API Enabled"
}

AWS > API Gateway > Permissions > Levels

Define the permissions levels that can be used to grant access to an AWS account. Permissions levels defined will appear in the UI to assign access to Turbot users. This policy provides a default for Permissions > Levels in each service, however you can explicitly override the setting for each service if desired

URI
tmod:@turbot/aws-apigateway#/policy/types/apiGatewayPermissionsLevels
Default Template Input
[
"{\n item: account {\n turbot{\n id\n }\n }\n}\n",
"{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/aws-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"
]
Default Template
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
Schema
{
"type": "array",
"items": {
"type": "string",
"enum": [
"Metadata",
"ReadOnly",
"Operator",
"Admin",
"Owner"
]
}
}

AWS > API Gateway > Permissions > Levels > Modifiers

A map of AWS API to Turbot Permission Level used to customize Turbot's standard permissions. You can add, remove or redefine the mapping of AWS API operations to Turbot permissions levels here.

Note: Modifiers are cumulative - if you add a permission to the Metadata level, it is also added to ReadOnly, Operator and Admin. Modifier policies set here apply ONLY to the AWS level

example:
- &quot;glacier:createvault&quot;: admin
- &quot;glacier:ListVaults&quot;: metadata
- &quot;s3:DeleteBucket&quot;: none
URI
tmod:@turbot/aws-apigateway#/policy/types/apiGatewayPermissionsLevelsModifiers

AWS > API Gateway > Permissions > Lockdown

URI
tmod:@turbot/aws-apigateway#/policy/types/apiGatewayPermissionsLockdown
Targets

AWS > API Gateway > Permissions > Lockdown > API Boundary

Configure whether the AWS apiGateway API is enabled for all users and roles in turbot-managed boundary policies.

Note: Disabling the service disables the API for ALL users and roles, and Turbot will have no access to the API.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiGatewayPermissionsLockdownApiBoundary
Valid Value
[
"Enabled if AWS > API Gateway > API Enabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled if AWS > API Gateway > API Enabled"
],
"example": [
"Enabled if AWS > API Gateway > API Enabled"
],
"default": "Enabled if AWS > API Gateway > API Enabled"
}

AWS > API Gateway > Regions

A list of AWS regions in which AWS API Gateway resources are supported for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy is the default value for all AWS API Gateway resources' Regions policies.

URI
tmod:@turbot/aws-apigateway#/policy/types/apiGatewayRegionsDefault
Schema
{
"allOf": [
{
"$ref": "aws#/definitions/regionNameMatcherList"
},
{
"default": [
"af-south-1",
"ap-east-1",