Policy types for @turbot/aws-config
- AWS > Config > API Enabled
- AWS > Config > Approved Regions [Default]
- AWS > Config > Configuration Recorder > Active
- AWS > Config > Configuration Recorder > Active > Age
- AWS > Config > Configuration Recorder > Active > Last Modified
- AWS > Config > Configuration Recorder > Approved
- AWS > Config > Configuration Recorder > Approved > Custom
- AWS > Config > Configuration Recorder > Approved > Regions
- AWS > Config > Configuration Recorder > Approved > Usage
- AWS > Config > Configuration Recorder > CMDB
- AWS > Config > Configuration Recorder > Configured
- AWS > Config > Configuration Recorder > Configured > Claim Precedence
- AWS > Config > Configuration Recorder > Configured > Source
- AWS > Config > Configuration Recorder > Regions
- AWS > Config > Configuration Recording
- AWS > Config > Configuration Recording > Configuration Recorder
- AWS > Config > Configuration Recording > Configuration Recorder > Name
- AWS > Config > Configuration Recording > Configuration Recorder > Role
- AWS > Config > Configuration Recording > Configuration Recorder > Scope
- AWS > Config > Configuration Recording > Configuration Recorder > Scope > Global Regions
- AWS > Config > Configuration Recording > Configuration Recorder > Scope > Resource Types
- AWS > Config > Configuration Recording > Delivery Channel
- AWS > Config > Configuration Recording > Delivery Channel > Delivery Frequency
- AWS > Config > Configuration Recording > Delivery Channel > Name
- AWS > Config > Configuration Recording > Delivery Channel > S3 Bucket
- AWS > Config > Configuration Recording > Delivery Channel > S3 Key Prefix
- AWS > Config > Configuration Recording > Delivery Channel > SNS Topic
- AWS > Config > Configuration Recording > Enabled
- AWS > Config > Configuration Recording > Source
- AWS > Config > Delivery Channel > Active
- AWS > Config > Delivery Channel > Active > Age
- AWS > Config > Delivery Channel > Active > Last Modified
- AWS > Config > Delivery Channel > Approved
- AWS > Config > Delivery Channel > Approved > Custom
- AWS > Config > Delivery Channel > Approved > Regions
- AWS > Config > Delivery Channel > Approved > Usage
- AWS > Config > Delivery Channel > CMDB
- AWS > Config > Delivery Channel > Configured
- AWS > Config > Delivery Channel > Configured > Claim Precedence
- AWS > Config > Delivery Channel > Configured > Source
- AWS > Config > Delivery Channel > Regions
- AWS > Config > Enabled
- AWS > Config > Permissions
- AWS > Config > Permissions > Levels
- AWS > Config > Permissions > Levels > Modifiers
- AWS > Config > Permissions > Lockdown
- AWS > Config > Permissions > Lockdown > API Boundary
- AWS > Config > Regions
- AWS > Config > Rule > Active
- AWS > Config > Rule > Active > Age
- AWS > Config > Rule > Active > Last Modified
- AWS > Config > Rule > Approved
- AWS > Config > Rule > Approved > Custom
- AWS > Config > Rule > Approved > Regions
- AWS > Config > Rule > Approved > Usage
- AWS > Config > Rule > CMDB
- AWS > Config > Rule > Regions
- AWS > Config > Rule > Tags
- AWS > Config > Rule > Tags > Template
- AWS > Config > Rule > Usage
- AWS > Config > Rule > Usage > Limit
- AWS > Config > Tags Template [Default]
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-config
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-config
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-config
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-config
AWS > Config > API Enabled
Configure whether the AWS Config API is enabled.\n\nNote: Disabling the service disables the API for ALL users and roles, and Guardrails will have no access to the API.\n
[ "Enabled", "Disabled", "Enabled if AWS > Config > Enabled"]{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if AWS > Config > Enabled" ], "default": "Enabled"}AWS > Config > Approved Regions [Default]
A list of AWS regions in which AWS Config resources are approved for use.\n\nThe expected format is an array of regions names. You may use the '*' and\n'?' wildcard characters.\n\nThis policy is the default value for all AWS Config resources' Approved > Regions policies.\n
"{\n regions: policyValue(uri:\"tmod:@turbot/aws#/policy/types/approvedRegionsDefault\") {\n value\n }\n}\n""{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"AWS > Config > Configuration Recorder > Active
Determine the action to take when an AWS Config configuration recorder, based on the AWS > Config > Configuration Recorder > Active > * policies.\n\nThe control determines whether the resource is in active use, and if not,\nhas the ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > Config > Configuration Recorder > Active > *), raises an alarm, and takes the defined enforcement\naction. Each Active sub-policy can calculate a status of active, inactive\nor skipped. Generally, if the resource appears to be Active for any reason\nit will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered\nUnapproved.\n\nSee Active for more information.\n
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > Config > Configuration Recorder > Active > Age
The age after which the AWS Config configuration recorder\nis no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > Config > Configuration Recorder > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > Config > Configuration Recorder > Active > Last Modified
The number of days since the AWS Config configuration recorder\nwas last modified before it is considered inactive.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > Config > Configuration Recorder > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > Config > Configuration Recorder > Approved
Determine the action to take when an AWS Config configuration recorder is not approved based on AWS > Config > Configuration Recorder > Approved > * policies.\n\nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.\n\nFor any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.\n\nSee Approved for more information.\n
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > Config > Configuration Recorder > Approved > Custom
Determine whether the AWS Config configuration recorder is allowed to exist.\nThis policy will be evaluated by the Approved control. If an AWS Config configuration recorder is not approved, it will be subject to the action specified in the AWS > Config > Configuration Recorder > Approved policy.\nSee Approved for more information.\n\nNote: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.\n
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > Config > Configuration Recorder > Approved > Regions
A list of AWS regions in which AWS Config configuration recorders are approved for use.\n\nThe expected format is an array of regions names. You may use the '*' and '?' wildcard characters.\n\nThis policy will be evaluated by the Approved control. If an AWS Config configuration recorder is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > Config > Configuration Recorder > Approved policy.\n\nSee Approved for more information.\n
"{\n regions: policy(uri: \"tmod:@turbot/aws-config#/policy/types/configApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > Config > Configuration Recorder > Approved > Usage
Determine whether the AWS Config configuration recorder is allowed to exist.\n\nThis policy will be evaluated by the Approved control. If an AWS Config configuration recorder is not approved, it will be subject to the action specified in the AWS > Config > Configuration Recorder > Approved policy.\n\nSee Approved for more information.\n
[ "Not approved", "Approved", "Approved if AWS > Config > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > Config > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > Config > Enabled"}AWS > Config > Configuration Recorder > CMDB
Configure whether to record and synchronize details for the AWS Config configuration recorder into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n\nCMDB controls also use the Regions policy associated with the resource. If region is not in AWS > Config > Configuration Recorder > Regions policy, the CMDB control will delete the resource from the CMDB.\n\n(Note: Setting CMDB to "Skip" will also pause these changes.)\n
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > Config > Configuration Recorder > Configured
Determine how to configure this resource.\n\nNote: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored\nand inherit from the stack that owns it\n
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > Config > Configuration Recorder > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.\nA stack cannot claim a resource if it is already claimed by another\nstack at a higher level of precedence.\n
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > Config > Configuration Recorder > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > Config > Configuration Recorder > Regions
A list of AWS regions in which AWS Config configuration recorders are supported for use.\n\nAny configuration recorders in a region not listed here will not be recorded in CMDB.\n\nThe expected format is an array of regions names. You may use the '*' and\n'?' wildcard characters.\n
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-config#/policy/types/configRegionsDefault\") {\n value\n }\n}\n""{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"AWS > Config > Configuration Recording
Configure Configuration Recording in AWS Config.\nThe AWS Config Configuration Recording features allows you to continually monitor\nand record changes resources. The Configuration Recorder provides a complete change\nhistory for monitored resources. The Configuration Recording stack can be used to make sure recording is enabled and\nconfiguration history is being delivered to S3, and optionally SNS.\n
[ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured"]{ "type": "string", "enum": [ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured" ], "default": "Skip"}AWS > Config > Configuration Recording > Configuration Recorder
AWS > Config > Configuration Recording > Configuration Recorder > Name
Name of the Configuration Recorder\n
{ "type": "string", "default": "default", "example": "default"}AWS > Config > Configuration Recording > Configuration Recorder > Role
The ARN of the IAM role that AWS Config will assume. The default will\nuse the role created in AWS > Guardrails > Service Roles > AWS Config.\nIf you choose to use a different role, note that it:\n- must allow the config service to assume the role in its trust policy\n- requires PutObject, GetBucketAcl on the bucket\n- requires publish on the SNS topic\n- Needs describe/get/list access to any resources types being recorded\n
[ "{\n account {\n turbot {\n id\n }\n }\n region {\n turbot {\n custom {\n aws {\n accountId\n }\n }\n }\n }\n}\n", "{\n roleName: policy(uri:\"aws#/policy/types/serviceRolesConfigurationRecordingName\", resourceId: \"{{ $.account.turbot.id }}\")\n rolePath: policy(uri:\"aws#/policy/types/serviceRolesNamePath\", resourceId: \"{{ $.account.turbot.id }}\")\n region {\n turbot {\n custom {\n aws {\n accountId\n partition\n }\n }\n }\n }\n}\n"]"arn:{{ $.region.turbot.custom.aws.partition }}:iam::{{ $.region.turbot.custom.aws.accountId }}:role{{ $.rolePath }}{{ $.roleName }}"{ "type": "string", "example": "arn:aws:iam::123456789012:role/config-ConfigRole-A1B2C3D4E5F6"}AWS > Config > Configuration Recording > Configuration Recorder > Scope
The scope of resources that should be recorded.\nIf you select "Only resources specified in Scope > Resource Types", you must\nspecify the resource types you wish to record in the Scope > Resource Types\nsub-policy, and the Global Regions policy will be ignored. If you select "All supported resources" then the\nScope > Resource Types sub-policy will be ignored.\n
[ "All Supported resources", "Only resources specified in `Scope > Resource Types`"]{ "type": "string", "enum": [ "All Supported resources", "Only resources specified in `Scope > Resource Types`" ], "default": "All Supported resources"}AWS > Config > Configuration Recording > Configuration Recorder > Scope > Global Regions
A list of regions where global resources (such as IAM) will be recorded.\nNote that if the parent Scope policy is set to "Only resources specified in Scope > Resource Types" then this policy will be ignored.\n
AWS > Config > Configuration Recording > Configuration Recorder > Scope > Resource Types
A list that specifies the types of AWS resources for which AWS Config records\nconfiguration changes. Note that if the parent Scope policy is set to "All supported resources"\nthen this policy will be ignored.Resources types can be found can be found in the AWS Config Recording Documentation.\nExample -->\n - AWS::EC2::EIP\n - AWS::EC2::Instance\n - AWS::EC2::NetworkAcl\n - AWS::EC2::SecurityGroup\n - AWS::CloudTrail::Trail\n - AWS::EC2::Volume\n - AWS::EC2::VPC\n - AWS::IAM::User\n - AWS::IAM::Policy\n
AWS > Config > Configuration Recording > Delivery Channel
AWS > Config > Configuration Recording > Delivery Channel > Delivery Frequency
The frequency with which AWS Config delivers configuration snapshots.
[ "Hourly", "Every 3 Hours", "Every 6 Hours", "Every 12 Hours", "Every 24 Hours"]{ "type": "string", "enum": [ "Hourly", "Every 3 Hours", "Every 6 Hours", "Every 12 Hours", "Every 24 Hours" ], "default": "Hourly"}AWS > Config > Configuration Recording > Delivery Channel > Name
Name of the AWS Config Delivery Channel\n
{ "type": "string", "default": "default", "example": "default"}AWS > Config > Configuration Recording > Delivery Channel > S3 Bucket
The name of the Amazon S3 bucket to which AWS Config delivers configuration snapshots and configuration history files.\nAWS Config must write to S3, thus this policy is required. The S3 bucket must already exist (the stack will not create it) and the CloudTrail\nservice must be allowed write access. The bucket can reside in any region of any account.\n
[ "{\n region {\n turbot {\n id\n }\n }\n}\n", "{\n bucketName: policy(uri: \"aws#/policy/types/loggingBucketDefault\", resourceId: \"{{ $.region.turbot.id }}\")\n}\n"]"{{ $.bucketName }}"{ "type": "string"}AWS > Config > Configuration Recording > Delivery Channel > S3 Key Prefix
An S3 key prefix (path) within the S3 bucket to which AWS Config delivers\nconfiguration snapshots and configuration history files.\n
{ "type": "string", "maxLength": 200, "default": "", "example": "turbot_"}AWS > Config > Configuration Recording > Delivery Channel > SNS Topic
The Amazon Resource Name (ARN) of the Amazon SNS topic to which AWS Config\nsends notifications about configuration changes.\nIf no topic is specified (the SNS Topic policy is blank), then SNS forwarding will be disabled.\nNote that the SNS topic will not be created in this stack - it must already exist.\nThe SNS topic policy must allow Config to publish to the topic.\n
{ "type": "string", "default": ""}AWS > Config > Configuration Recording > Enabled
The recording status of the configuration recorder.
[ "Enabled: Recording on", "Disabled: Recording off"]{ "type": "string", "enum": [ "Enabled: Recording on", "Disabled: Recording off" ], "example": [ "Enabled: Recording on" ], "default": "Enabled: Recording on"}AWS > Config > Configuration Recording > Source
The Terraform source used to configure the Configuration Recorder.\nThis policy is read-only, as the stack source is generated by Guardrails.\n
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > Config > Delivery Channel > Active
Determine the action to take when an AWS Config delivery channel, based on the AWS > Config > Delivery Channel > Active > * policies.\n\nThe control determines whether the resource is in active use, and if not,\nhas the ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > Config > Delivery Channel > Active > *), raises an alarm, and takes the defined enforcement\naction. Each Active sub-policy can calculate a status of active, inactive\nor skipped. Generally, if the resource appears to be Active for any reason\nit will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered\nUnapproved.\n\nSee Active for more information.\n
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > Config > Delivery Channel > Active > Age
The age after which the AWS Config delivery channel\nis no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > Config > Delivery Channel > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > Config > Delivery Channel > Active > Last Modified
The number of days since the AWS Config delivery channel\nwas last modified before it is considered inactive.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > Config > Delivery Channel > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > Config > Delivery Channel > Approved
Determine the action to take when an AWS Config delivery channel is not approved based on AWS > Config > Delivery Channel > Approved > * policies.\n\nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.\n\nFor any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.\n\nSee Approved for more information.\n
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > Config > Delivery Channel > Approved > Custom
Determine whether the AWS Config delivery channel is allowed to exist.\nThis policy will be evaluated by the Approved control. If an AWS Config delivery channel is not approved, it will be subject to the action specified in the AWS > Config > Delivery Channel > Approved policy.\nSee Approved for more information.\n\nNote: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.\n
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > Config > Delivery Channel > Approved > Regions
A list of AWS regions in which AWS Config delivery channels are approved for use.\n\nThe expected format is an array of regions names. You may use the '*' and '?' wildcard characters.\n\nThis policy will be evaluated by the Approved control. If an AWS Config delivery channel is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > Config > Delivery Channel > Approved policy.\n\nSee Approved for more information.\n
"{\n regions: policy(uri: \"tmod:@turbot/aws-config#/policy/types/configApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > Config > Delivery Channel > Approved > Usage
Determine whether the AWS Config delivery channel is allowed to exist.\n\nThis policy will be evaluated by the Approved control. If an AWS Config delivery channel is not approved, it will be subject to the action specified in the AWS > Config > Delivery Channel > Approved policy.\n\nSee Approved for more information.\n
[ "Not approved", "Approved", "Approved if AWS > Config > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > Config > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > Config > Enabled"}AWS > Config > Delivery Channel > CMDB
Configure whether to record and synchronize details for the AWS Config delivery channel into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n\nCMDB controls also use the Regions policy associated with the resource. If region is not in AWS > Config > Delivery Channel > Regions policy, the CMDB control will delete the resource from the CMDB.\n\n(Note: Setting CMDB to "Skip" will also pause these changes.)\n
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > Config > Delivery Channel > Configured
Determine how to configure this resource.\n\nNote: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored\nand inherit from the stack that owns it\n
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > Config > Delivery Channel > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.\nA stack cannot claim a resource if it is already claimed by another\nstack at a higher level of precedence.\n
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > Config > Delivery Channel > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > Config > Delivery Channel > Regions
A list of AWS regions in which AWS Config delivery channels are supported for use.\n\nAny delivery channels in a region not listed here will not be recorded in CMDB.\n\nThe expected format is an array of regions names. You may use the '*' and\n'?' wildcard characters.\n
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-config#/policy/types/configRegionsDefault\") {\n value\n }\n}\n""{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"AWS > Config > Enabled
Configure whether the AWS Config service is enabled.\nThis will only affect Guardrails managed User Roles and will allow the Guardrails managed user to access AWS Config service.\n - Enabled policy allows Guardrails managed users to perform all the actions for the service\n - Enabled: Metadata Only policy allows Guardrails managed users to perform only the metadata level actions for the service (like describe*, list*)\n\nNote:\n - Disabled policy disables the service but does NOT disable the API for Guardrails or SuperUsers\n - All the resource data stored in the Guardrails CMDB is considered to be metadata\n - For more information related to permissions and grant levels, please check the documentation\n
[ "Enabled", "Enabled: Metadata Only", "Disabled"]{ "type": "string", "enum": [ "Enabled", "Enabled: Metadata Only", "Disabled" ], "example": [ "Enabled" ], "default": "Disabled"}AWS > Config > Permissions
Configure whether permissions policies are in effect for AWS Config.\n\nThis setting does not affect account level permissions (AWS/Admin, AWS/Owner, etc)\n\nNote: The behavior of this policy depends on the value of AWS > Permissions.\n
[ "Enabled", "Disabled", "Enabled if AWS > Config > Enabled & AWS > Config > API Enabled"]{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if AWS > Config > Enabled & AWS > Config > API Enabled" ], "example": [ "Enabled" ], "default": "Enabled if AWS > Config > Enabled & AWS > Config > API Enabled"}AWS > Config > Permissions > Levels
Define the permissions levels that can be used to grant access to an AWS account.\nPermissions levels defined will appear in the UI to assign access to Guardrails users.\nThis policy provides a default for Permissions > Levels in each service,\nhowever you can explicitly override the setting for each service if desired\n
[ "{\n item: account {\n turbot{\n id\n }\n }\n}\n", "{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyType:'tmod:@turbot/aws-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"]"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"{ "type": "array", "items": { "type": "string", "enum": [ "Metadata", "ReadOnly", "Operator", "Admin", "Owner" ] }}AWS > Config > Permissions > Levels > Modifiers
A map of AWS API to Guardrails Permission Level used to customize Guardrails' standard permissions.\nYou can add, remove or redefine the mapping of AWS API operations to Guardrails permissions levels here.\n\nNote: Modifiers are cumulative - if you add a permission to the Metadata level, it is also added to ReadOnly, Operator and Admin.\nModifier policies set here apply ONLY to the AWS level\n\n\nexample:\n - "glacier:createvault": admin\n - "glacier:ListVaults": metadata\n - "s3:DeleteBucket": none\n\n
AWS > Config > Permissions > Lockdown
AWS > Config > Permissions > Lockdown > API Boundary
Configure whether the AWS config API is enabled for all users and roles in guardrails-managed boundary policies.\n\nNote: Disabling the service disables the API for ALL users and roles, and Guardrails will have no access to the API.\n
[ "Enabled if AWS > Config > API Enabled"]{ "type": "string", "enum": [ "Enabled if AWS > Config > API Enabled" ], "example": [ "Enabled if AWS > Config > API Enabled" ], "default": "Enabled if AWS > Config > API Enabled"}AWS > Config > Regions
A list of AWS regions in which AWS Config resources are supported for use.\n\nThe expected format is an array of regions names. You may use the '*' and\n'?' wildcard characters.\n\nThis policy is the default value for all AWS Config resources' Regions policies.\n
{ "allOf": [ { "$ref": "aws#/definitions/regionNameMatcherList" }, { "default": [ "af-south-1", "ap-east-1", "ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "cn-north-1", "cn-northwest-1", "eu-central-1", "eu-north-1", "eu-south-1", "eu-west-1", "eu-west-2", "eu-west-3", "me-south-1", "sa-east-1", "us-east-1", "us-east-2", "us-gov-east-1", "us-gov-west-1", "us-west-1", "us-west-2" ] } ]}AWS > Config > Rule > Active
Determine the action to take when an AWS Config rule, based on the AWS > Config > Rule > Active > * policies.\n\nThe control determines whether the resource is in active use, and if not,\nhas the ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > Config > Rule > Active > *), raises an alarm, and takes the defined enforcement\naction. Each Active sub-policy can calculate a status of active, inactive\nor skipped. Generally, if the resource appears to be Active for any reason\nit will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered\nUnapproved.\n\nSee Active for more information.\n
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > Config > Rule > Active > Age
The age after which the AWS Config rule\nis no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > Config > Rule > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > Config > Rule > Active > Last Modified
The number of days since the AWS Config rule\nwas last modified before it is considered inactive.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > Config > Rule > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > Config > Rule > Approved
Determine the action to take when an AWS Config rule is not approved based on AWS > Config > Rule > Approved > * policies.\n\nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.\n\nFor any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.\n\nSee Approved for more information.\n
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > Config > Rule > Approved > Custom
Determine whether the AWS Config rule is allowed to exist.\nThis policy will be evaluated by the Approved control. If an AWS Config rule is not approved, it will be subject to the action specified in the AWS > Config > Rule > Approved policy.\nSee Approved for more information.\n\nNote: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.\n
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > Config > Rule > Approved > Regions
A list of AWS regions in which AWS Config rules are approved for use.\n\nThe expected format is an array of regions names. You may use the '*' and '?' wildcard characters.\n\nThis policy will be evaluated by the Approved control. If an AWS Config rule is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > Config > Rule > Approved policy.\n\nSee Approved for more information.\n
"{\n regions: policy(uri: \"tmod:@turbot/aws-config#/policy/types/configApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > Config > Rule > Approved > Usage
Determine whether the AWS Config rule is allowed to exist.\n\nThis policy will be evaluated by the Approved control. If an AWS Config rule is not approved, it will be subject to the action specified in the AWS > Config > Rule > Approved policy.\n\nSee Approved for more information.\n
[ "Not approved", "Approved", "Approved if AWS > Config > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > Config > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > Config > Enabled"}AWS > Config > Rule > CMDB
Configure whether to record and synchronize details for the AWS Config rule into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n\nCMDB controls also use the Regions policy associated with the resource. If region is not in AWS > Config > Rule > Regions policy, the CMDB control will delete the resource from the CMDB.\n\n(Note: Setting CMDB to "Skip" will also pause these changes.)\n
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > Config > Rule > Regions
A list of AWS regions in which AWS Config rules are supported for use.\n\nAny rules in a region not listed here will not be recorded in CMDB.\n\nThe expected format is an array of regions names. You may use the '*' and\n'?' wildcard characters.\n
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-config#/policy/types/configRegionsDefault\") {\n value\n }\n}\n""{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"AWS > Config > Rule > Tags
Determine the action to take when an AWS Config rule tags are not updated based on the AWS > Config > Rule > Tags > * policies.\n\nThe control ensure AWS Config rule tags include tags defined in AWS > Config > Rule > Tags > Template.\n\nTags not defined in Rule Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.\n\nSee Tags for more information.\n
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}AWS > Config > Rule > Tags > Template
The template is used to generate the keys and values for AWS Config rule.\n\nTags not defined in Rule Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.\n\nSee Tags for more information.\n
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-config#/policy/types/configTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"AWS > Config > Rule > Usage
Configure the number of AWS Config rules that can be used for this region and the current consumption against the limit.\n\nYou can configure the behavior of the control with this AWS > Config > Rule > Usage policy.\n
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}AWS > Config > Rule > Usage > Limit
Maximum number of items that can be created for this region.
{ "type": "integer", "minimum": 0, "default": 150}AWS > Config > Tags Template [Default]
A template used to generate the keys and values for AWS Config resources.\n\nBy default, all Config resource Tags > Template policies will use this value.\n
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws#/policy/types/defaultTagsTemplate\") {\n value\n }\n}\n""{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-config
The CloudWatch Events event pattern used by the AWS Config module to specify\nwhich events to forward to the Guardrails Event Handlers.\n
{ "type": "array", "items": { "type": "object" }}AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-config
A read-only policy generated by Guardrails that lists the APIs that\nshould be added to the guardrails-managed (hard) boundary policy,\nthereby enabling them to be assigned to users and roles.\nThis value will change depending on the value of the value of the\nAWS > Config > Permissions > Lockdown > API Boundary policy\n
{ "type": "array"}AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-config
A calculated policy that Guardrails uses to create a compiled list of ALL permissions for AWS Config\nthat is used as input to the stack that manages the Guardrails IAM permissions objects.\n
AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-config
A calculated policy that Guardrails uses to create a compiled list of ALL permissions for AWS Config\nthat is used as input to the control that manages the IAM stack.\n