Policy types for @turbot/aws-config
- AWS > Config > API Enabled
- AWS > Config > Approved Regions [Default]
- AWS > Config > Configuration Recorder > Active
- AWS > Config > Configuration Recorder > Active > Age
- AWS > Config > Configuration Recorder > Active > Last Modified
- AWS > Config > Configuration Recorder > Approved
- AWS > Config > Configuration Recorder > Approved > Custom
- AWS > Config > Configuration Recorder > Approved > Regions
- AWS > Config > Configuration Recorder > Approved > Usage
- AWS > Config > Configuration Recorder > CMDB
- AWS > Config > Configuration Recorder > Configured
- AWS > Config > Configuration Recorder > Configured > Claim Precedence
- AWS > Config > Configuration Recorder > Configured > Source
- AWS > Config > Configuration Recorder > Regions
- AWS > Config > Configuration Recording
- AWS > Config > Configuration Recording > Configuration Recorder
- AWS > Config > Configuration Recording > Configuration Recorder > Name
- AWS > Config > Configuration Recording > Configuration Recorder > Role
- AWS > Config > Configuration Recording > Configuration Recorder > Scope
- AWS > Config > Configuration Recording > Configuration Recorder > Scope > Global Regions
- AWS > Config > Configuration Recording > Configuration Recorder > Scope > Resource Types
- AWS > Config > Configuration Recording > Delivery Channel
- AWS > Config > Configuration Recording > Delivery Channel > Delivery Frequency
- AWS > Config > Configuration Recording > Delivery Channel > Name
- AWS > Config > Configuration Recording > Delivery Channel > S3 Bucket
- AWS > Config > Configuration Recording > Delivery Channel > S3 Key Prefix
- AWS > Config > Configuration Recording > Delivery Channel > SNS Topic
- AWS > Config > Configuration Recording > Enabled
- AWS > Config > Configuration Recording > Source
- AWS > Config > Delivery Channel > Active
- AWS > Config > Delivery Channel > Active > Age
- AWS > Config > Delivery Channel > Active > Last Modified
- AWS > Config > Delivery Channel > Approved
- AWS > Config > Delivery Channel > Approved > Custom
- AWS > Config > Delivery Channel > Approved > Regions
- AWS > Config > Delivery Channel > Approved > Usage
- AWS > Config > Delivery Channel > CMDB
- AWS > Config > Delivery Channel > Configured
- AWS > Config > Delivery Channel > Configured > Claim Precedence
- AWS > Config > Delivery Channel > Configured > Source
- AWS > Config > Delivery Channel > Regions
- AWS > Config > Enabled
- AWS > Config > Permissions
- AWS > Config > Permissions > Levels
- AWS > Config > Permissions > Levels > Modifiers
- AWS > Config > Permissions > Lockdown
- AWS > Config > Permissions > Lockdown > API Boundary
- AWS > Config > Regions
- AWS > Config > Rule > Active
- AWS > Config > Rule > Active > Age
- AWS > Config > Rule > Active > Last Modified
- AWS > Config > Rule > Approved
- AWS > Config > Rule > Approved > Custom
- AWS > Config > Rule > Approved > Regions
- AWS > Config > Rule > Approved > Usage
- AWS > Config > Rule > CMDB
- AWS > Config > Rule > Regions
- AWS > Config > Rule > Tags
- AWS > Config > Rule > Tags > Template
- AWS > Config > Rule > Usage
- AWS > Config > Rule > Usage > Limit
- AWS > Config > Tags Template [Default]
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-config
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-config
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-config
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-config
AWS > Config > API Enabled
Configure whether the AWS Config API is enabled.
Note: Disabling the service disables the API for ALL users and roles, and Guardrails will have no access to the API.
tmod:@turbot/aws-config#/policy/types/configApiEnabled
[ "Enabled", "Disabled", "Enabled if AWS > Config > Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if AWS > Config > Enabled" ], "default": "Enabled"}
AWS > Config > Approved Regions [Default]
A list of AWS regions in which AWS Config resources are approved for use.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
This policy is the default value for all AWS Config resources' Approved > Regions policies.
tmod:@turbot/aws-config#/policy/types/configApprovedRegionsDefault
"{\n regions: policyValue(uri:\"tmod:@turbot/aws#/policy/types/approvedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > Config > Configuration Recorder > Active
Determine the action to take when an AWS Config configuration recorder, based on the AWS > Config > Configuration Recorder > Active > *
policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > Config > Configuration Recorder > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-config#/policy/types/configurationRecorderActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > Config > Configuration Recorder > Active > Age
The age after which the AWS Config configuration recorder
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > Config > Configuration Recorder > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-config#/policy/types/configurationRecorderActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > Config > Configuration Recorder > Active > Last Modified
The number of days since the AWS Config configuration recorder
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > Config > Configuration Recorder > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-config#/policy/types/configurationRecorderActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > Config > Configuration Recorder > Approved
Determine the action to take when an AWS Config configuration recorder is not approved based on AWS > Config > Configuration Recorder > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-config#/policy/types/configurationRecorderApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > Config > Configuration Recorder > Approved > Custom
Determine whether the AWS Config configuration recorder is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS Config configuration recorder is not approved, it will be subject to the action specified in the AWS > Config > Configuration Recorder > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-config#/policy/types/configurationRecorderApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > Config > Configuration Recorder > Approved > Regions
A list of AWS regions in which AWS Config configuration recorders are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS Config configuration recorder is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > Config > Configuration Recorder > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-config#/policy/types/configurationRecorderApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-config#/policy/types/configApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > Config > Configuration Recorder > Approved > Usage
Determine whether the AWS Config configuration recorder is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS Config configuration recorder is not approved, it will be subject to the action specified in the AWS > Config > Configuration Recorder > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-config#/policy/types/configurationRecorderApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > Config > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > Config > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > Config > Enabled"}
AWS > Config > Configuration Recorder > CMDB
Configure whether to record and synchronize details for the AWS Config configuration recorder into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > Config > Configuration Recorder > Regions
policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-config#/policy/types/configurationRecorderCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > Config > Configuration Recorder > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-config#/policy/types/configurationRecorderConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > Config > Configuration Recorder > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-config#/policy/types/configurationRecorderConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > Config > Configuration Recorder > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-config#/policy/types/configurationRecorderConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Config > Configuration Recorder > Regions
A list of AWS regions in which AWS Config configuration recorders are supported for use.
Any configuration recorders in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-config#/policy/types/configurationRecorderRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-config#/policy/types/configRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > Config > Configuration Recording
Configure Configuration Recording in AWS Config.
The AWS Config Configuration Recording features allows you to continually monitor
and record changes resources. The Configuration Recorder provides a complete change
history for monitored resources. The Configuration Recording stack can be used to make sure recording is enabled and
configuration history is being delivered to S3, and optionally SNS.
tmod:@turbot/aws-config#/policy/types/configurationRecording
[ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured" ], "default": "Skip"}
AWS > Config > Configuration Recording > Configuration Recorder
tmod:@turbot/aws-config#/policy/types/configurationRecorder
AWS > Config > Configuration Recording > Configuration Recorder > Name
Name of the Configuration Recorder
tmod:@turbot/aws-config#/policy/types/configurationRecorderName
{ "type": "string", "default": "default", "example": "default"}
AWS > Config > Configuration Recording > Configuration Recorder > Role
The ARN of the IAM role that AWS Config will assume. The default will
use the role created in AWS > Guardrails > Service Roles > AWS Config
.
If you choose to use a different role, note that it:
- must allow the config service to assume the role in its trust policy
- requires PutObject, GetBucketAcl on the bucket
- requires publish on the SNS topic
- Needs describe/get/list access to any resources types being recorded
tmod:@turbot/aws-config#/policy/types/configurationRecorderRole
[ "{\n account {\n turbot {\n id\n }\n }\n region {\n turbot {\n custom {\n aws {\n accountId\n }\n }\n }\n }\n}\n", "{\n roleName: policy(uri:\"aws#/policy/types/serviceRolesConfigurationRecordingName\", resourceId: \"{{ $.account.turbot.id }}\")\n rolePath: policy(uri:\"aws#/policy/types/serviceRolesNamePath\", resourceId: \"{{ $.account.turbot.id }}\")\n region {\n turbot {\n custom {\n aws {\n accountId\n partition\n }\n }\n }\n }\n}\n"]
"arn:{{ $.region.turbot.custom.aws.partition }}:iam::{{ $.region.turbot.custom.aws.accountId }}:role{{ $.rolePath }}{{ $.roleName }}"
{ "type": "string", "example": "arn:aws:iam::123456789012:role/config-ConfigRole-A1B2C3D4E5F6"}
AWS > Config > Configuration Recording > Configuration Recorder > Scope
The scope of resources that should be recorded.
If you select "Only resources specified in Scope > Resource Types
", you must
specify the resource types you wish to record in the Scope > Resource Types
sub-policy, and the Global Regions
policy will be ignored. If you select "All supported resources" then theScope > Resource Types
sub-policy will be ignored.
tmod:@turbot/aws-config#/policy/types/configurationRecorderScope
[ "All Supported resources", "Only resources specified in `Scope > Resource Types`"]
{ "type": "string", "enum": [ "All Supported resources", "Only resources specified in `Scope > Resource Types`" ], "default": "All Supported resources"}
AWS > Config > Configuration Recording > Configuration Recorder > Scope > Global Regions
A list of regions where global resources (such as IAM) will be recorded.
Note that if the parent Scope
policy is set to "Only resources specified in Scope > Resource Types
" then this policy will be ignored.
tmod:@turbot/aws-config#/policy/types/configurationRecorderScopeGlobalRegions
AWS > Config > Configuration Recording > Configuration Recorder > Scope > Resource Types
A list that specifies the types of AWS resources for which AWS Config records
configuration changes. Note that if the parent Scope
policy is set to "All supported resources"
then this policy will be ignored.Resources types can be found can be found in the AWS Config Recording Documentation.
Example -->
- AWS::EC2::EIP
- AWS::EC2::Instance
- AWS::EC2::NetworkAcl
- AWS::EC2::SecurityGroup
- AWS::CloudTrail::Trail
- AWS::EC2::Volume
- AWS::EC2::VPC
- AWS::IAM::User
- AWS::IAM::Policy
tmod:@turbot/aws-config#/policy/types/configurationRecorderScopeResourceTypes
AWS > Config > Configuration Recording > Delivery Channel
tmod:@turbot/aws-config#/policy/types/deliveryChannel
AWS > Config > Configuration Recording > Delivery Channel > Delivery Frequency
The frequency with which AWS Config delivers configuration snapshots.
tmod:@turbot/aws-config#/policy/types/deliveryChannelDeliveryFrequency
[ "Hourly", "Every 3 Hours", "Every 6 Hours", "Every 12 Hours", "Every 24 Hours"]
{ "type": "string", "enum": [ "Hourly", "Every 3 Hours", "Every 6 Hours", "Every 12 Hours", "Every 24 Hours" ], "default": "Hourly"}
AWS > Config > Configuration Recording > Delivery Channel > Name
Name of the AWS Config Delivery Channel
tmod:@turbot/aws-config#/policy/types/deliveryChannelName
{ "type": "string", "default": "default", "example": "default"}
AWS > Config > Configuration Recording > Delivery Channel > S3 Bucket
The name of the Amazon S3 bucket to which AWS Config delivers configuration snapshots and configuration history files.
AWS Config must write to S3, thus this policy is required. The S3 bucket must already exist (the stack will not create it) and the CloudTrail
service must be allowed write access. The bucket can reside in any region of any account.
tmod:@turbot/aws-config#/policy/types/deliveryChannelS3Bucket
[ "{\n region {\n turbot {\n id\n }\n }\n}\n", "{\n bucketName: policy(uri: \"aws#/policy/types/loggingBucketDefault\", resourceId: \"{{ $.region.turbot.id }}\")\n}\n"]
"{{ $.bucketName }}"
{ "type": "string"}
AWS > Config > Configuration Recording > Delivery Channel > S3 Key Prefix
An S3 key prefix (path) within the S3 bucket to which AWS Config delivers
configuration snapshots and configuration history files.
tmod:@turbot/aws-config#/policy/types/deliveryChannelS3BucketPrefix
{ "type": "string", "maxLength": 200, "default": "", "example": "turbot_"}
AWS > Config > Configuration Recording > Delivery Channel > SNS Topic
The Amazon Resource Name (ARN) of the Amazon SNS topic to which AWS Config
sends notifications about configuration changes.
If no topic is specified (the SNS Topic
policy is blank), then SNS forwarding will be disabled.
Note that the SNS topic will not be created in this stack - it must already exist.
The SNS topic policy must allow Config to publish to the topic.
tmod:@turbot/aws-config#/policy/types/deliveryChannelSnsTopic
{ "type": "string", "default": ""}
AWS > Config > Configuration Recording > Enabled
The recording status of the configuration recorder.
tmod:@turbot/aws-config#/policy/types/configurationRecordingEnabled
[ "Enabled: Recording on", "Disabled: Recording off"]
{ "type": "string", "enum": [ "Enabled: Recording on", "Disabled: Recording off" ], "example": [ "Enabled: Recording on" ], "default": "Enabled: Recording on"}
AWS > Config > Configuration Recording > Source
The Terraform source used to configure the Configuration Recorder.
This policy is read-only, as the stack source is generated by Guardrails.
tmod:@turbot/aws-config#/policy/types/configurationRecorderSource
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Config > Delivery Channel > Active
Determine the action to take when an AWS Config delivery channel, based on the AWS > Config > Delivery Channel > Active > *
policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > Config > Delivery Channel > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-config#/policy/types/deliveryChannelActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > Config > Delivery Channel > Active > Age
The age after which the AWS Config delivery channel
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > Config > Delivery Channel > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-config#/policy/types/deliveryChannelActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > Config > Delivery Channel > Active > Last Modified
The number of days since the AWS Config delivery channel
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > Config > Delivery Channel > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-config#/policy/types/deliveryChannelActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > Config > Delivery Channel > Approved
Determine the action to take when an AWS Config delivery channel is not approved based on AWS > Config > Delivery Channel > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-config#/policy/types/deliveryChannelApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > Config > Delivery Channel > Approved > Custom
Determine whether the AWS Config delivery channel is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS Config delivery channel is not approved, it will be subject to the action specified in the AWS > Config > Delivery Channel > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-config#/policy/types/deliveryChannelApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > Config > Delivery Channel > Approved > Regions
A list of AWS regions in which AWS Config delivery channels are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS Config delivery channel is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > Config > Delivery Channel > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-config#/policy/types/deliveryChannelApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-config#/policy/types/configApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > Config > Delivery Channel > Approved > Usage
Determine whether the AWS Config delivery channel is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS Config delivery channel is not approved, it will be subject to the action specified in the AWS > Config > Delivery Channel > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-config#/policy/types/deliveryChannelApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > Config > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > Config > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > Config > Enabled"}
AWS > Config > Delivery Channel > CMDB
Configure whether to record and synchronize details for the AWS Config delivery channel into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > Config > Delivery Channel > Regions
policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-config#/policy/types/deliveryChannelCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > Config > Delivery Channel > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-config#/policy/types/deliveryChannelConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > Config > Delivery Channel > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-config#/policy/types/deliveryChannelConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > Config > Delivery Channel > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-config#/policy/types/deliveryChannelConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Config > Delivery Channel > Regions
A list of AWS regions in which AWS Config delivery channels are supported for use.
Any delivery channels in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-config#/policy/types/deliveryChannelRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-config#/policy/types/configRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > Config > Enabled
Configure whether the AWS Config service is enabled.
This will only affect Guardrails managed User Roles and will allow the Guardrails managed user to access AWS Config service.
- Enabled
policy allows Guardrails managed users to perform all the actions for the service
- Enabled: Metadata Only
policy allows Guardrails managed users to perform only the metadata level actions for the service (like describe*
, list*
)
Note:
- Disabled
policy disables the service but does NOT disable the API for Guardrails or SuperUsers
- All the resource data stored in the Guardrails CMDB is considered to be metadata
- For more information related to permissions and grant levels, please check the documentation
tmod:@turbot/aws-config#/policy/types/configEnabled
[ "Enabled", "Enabled: Metadata Only", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Enabled: Metadata Only", "Disabled" ], "example": [ "Enabled" ], "default": "Disabled"}
AWS > Config > Permissions
Configure whether permissions policies are in effect for AWS Config.
This setting does not affect account level permissions (AWS/Admin, AWS/Owner, etc)
Note: The behavior of this policy depends on the value of AWS > Permissions.
tmod:@turbot/aws-config#/policy/types/configPermissions
[ "Enabled", "Disabled", "Enabled if AWS > Config > Enabled & AWS > Config > API Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if AWS > Config > Enabled & AWS > Config > API Enabled" ], "example": [ "Enabled" ], "default": "Enabled if AWS > Config > Enabled & AWS > Config > API Enabled"}
AWS > Config > Permissions > Levels
Define the permissions levels that can be used to grant access to an AWS account.
Permissions levels defined will appear in the UI to assign access to Guardrails users.
This policy provides a default for Permissions > Levels in each service,
however you can explicitly override the setting for each service if desired
tmod:@turbot/aws-config#/policy/types/configPermissionsLevels
[ "{\n item: account {\n turbot{\n id\n }\n }\n}\n", "{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyType:'tmod:@turbot/aws-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"]
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "enum": [ "Metadata", "ReadOnly", "Operator", "Admin", "Owner" ] }}
AWS > Config > Permissions > Levels > Modifiers
A map of AWS API to Guardrails Permission Level used to customize Guardrails' standard permissions.
You can add, remove or redefine the mapping of AWS API operations to Guardrails permissions levels here.
Note: Modifiers are cumulative - if you add a permission to the Metadata level, it is also added to ReadOnly, Operator and Admin.
Modifier policies set here apply ONLY to the AWS level<br />example:<br /> - "glacier:createvault": admin<br /> - "glacier:ListVaults": metadata<br /> - "s3:DeleteBucket": none<br />
tmod:@turbot/aws-config#/policy/types/configPermissionsLevelsModifiers
AWS > Config > Permissions > Lockdown
tmod:@turbot/aws-config#/policy/types/configPermissionsLockdown
AWS > Config > Permissions > Lockdown > API Boundary
Configure whether the AWS config API is enabled for all users and roles in guardrails-managed boundary policies.
Note: Disabling the service disables the API for ALL users and roles, and Guardrails will have no access to the API.
tmod:@turbot/aws-config#/policy/types/configPermissionsLockdownApiBoundary
[ "Enabled if AWS > Config > API Enabled"]
{ "type": "string", "enum": [ "Enabled if AWS > Config > API Enabled" ], "example": [ "Enabled if AWS > Config > API Enabled" ], "default": "Enabled if AWS > Config > API Enabled"}
AWS > Config > Regions
A list of AWS regions in which AWS Config resources are supported for use.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
This policy is the default value for all AWS Config resources' Regions policies.
tmod:@turbot/aws-config#/policy/types/configRegionsDefault
{ "allOf": [ { "$ref": "aws#/definitions/regionNameMatcherList" }, { "default": [ "af-south-1", "ap-east-1", "ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "cn-north-1", "cn-northwest-1", "eu-central-1", "eu-north-1", "eu-south-1", "eu-west-1", "eu-west-2", "eu-west-3", "me-south-1", "sa-east-1", "us-east-1", "us-east-2", "us-gov-east-1", "us-gov-west-1", "us-west-1", "us-west-2" ] } ]}
AWS > Config > Rule > Active
Determine the action to take when an AWS Config rule, based on the AWS > Config > Rule > Active > *
policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > Config > Rule > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-config#/policy/types/ruleActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > Config > Rule > Active > Age
The age after which the AWS Config rule
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > Config > Rule > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-config#/policy/types/ruleActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > Config > Rule > Active > Last Modified
The number of days since the AWS Config rule
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > Config > Rule > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-config#/policy/types/ruleActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > Config > Rule > Approved
Determine the action to take when an AWS Config rule is not approved based on AWS > Config > Rule > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-config#/policy/types/ruleApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > Config > Rule > Approved > Custom
Determine whether the AWS Config rule is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS Config rule is not approved, it will be subject to the action specified in the AWS > Config > Rule > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-config#/policy/types/ruleApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > Config > Rule > Approved > Regions
A list of AWS regions in which AWS Config rules are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS Config rule is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > Config > Rule > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-config#/policy/types/ruleApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-config#/policy/types/configApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > Config > Rule > Approved > Usage
Determine whether the AWS Config rule is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS Config rule is not approved, it will be subject to the action specified in the AWS > Config > Rule > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-config#/policy/types/ruleApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > Config > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > Config > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > Config > Enabled"}
AWS > Config > Rule > CMDB
Configure whether to record and synchronize details for the AWS Config rule into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > Config > Rule > Regions
policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-config#/policy/types/ruleCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > Config > Rule > Regions
A list of AWS regions in which AWS Config rules are supported for use.
Any rules in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-config#/policy/types/ruleRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-config#/policy/types/configRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > Config > Rule > Tags
Determine the action to take when an AWS Config rule tags are not updated based on the AWS > Config > Rule > Tags > *
policies.
The control ensure AWS Config rule tags include tags defined in AWS > Config > Rule > Tags > Template
.
Tags not defined in Rule Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-config#/policy/types/ruleTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > Config > Rule > Tags > Template
The template is used to generate the keys and values for AWS Config rule.
Tags not defined in Rule Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-config#/policy/types/ruleTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-config#/policy/types/configTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > Config > Rule > Usage
Configure the number of AWS Config rules that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > Config > Rule > Usage
policy.
tmod:@turbot/aws-config#/policy/types/ruleUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > Config > Rule > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-config#/policy/types/ruleUsageLimit
{ "type": "integer", "minimum": 0, "default": 150}
AWS > Config > Tags Template [Default]
A template used to generate the keys and values for AWS Config resources.
By default, all Config resource Tags > Template policies will use this value.
tmod:@turbot/aws-config#/policy/types/configTagsTemplate
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws#/policy/types/defaultTagsTemplate\") {\n value\n }\n}\n"
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-config
The CloudWatch Events event pattern used by the AWS Config module to specify
which events to forward to the Guardrails Event Handlers.
tmod:@turbot/aws-config#/policy/types/configCustomEventPatterns
{ "type": "array", "items": { "type": "object" }}
AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-config
A read-only policy generated by Guardrails that lists the APIs that
should be added to the guardrails-managed (hard) boundary policy,
thereby enabling them to be assigned to users and roles.
This value will change depending on the value of the value of theAWS > Config > Permissions > Lockdown > API Boundary
policy
tmod:@turbot/aws-config#/policy/types/awsCompiledApiBoundary
{ "type": "array"}
AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-config
A calculated policy that Guardrails uses to create a compiled list of ALL permissions for AWS Config
that is used as input to the stack that manages the Guardrails IAM permissions objects.
tmod:@turbot/aws-config#/policy/types/awsLevelsCompiled
AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-config
A calculated policy that Guardrails uses to create a compiled list of ALL permissions for AWS Config
that is used as input to the control that manages the IAM stack.
tmod:@turbot/aws-config#/policy/types/awsCompiledServicePermissions