@turbot/aws-ec2

The aws-ec2 mod contains resource, control and policy definitions for the AWS EC2 service.

Version
5.40.0
Released On
Apr 02, 2024

Release Notes

5.40.0 (2024-04-02)

What's new?

  • You can now enable IMDS default settings per region. To get started, set the AWS > EC2 > Account Attributes > Instance Metadata Service Defaults > * policies.

Bug fixes

  • The AWS > EC2 > Instance > Approved control would sometimes fail to stop instances that were discovered in Guardrails via real-time events if the AWS > EC2 > Instance > Approved policy was set to Enforce: Stop unapproved if new. This is now fixed.

Control Types

  • AWS > EC2 > Account Attributes > Instance Metadata Service Defaults

Policy Types

  • AWS > EC2 > Account Attributes > Instance Metadata Service Defaults
  • AWS > EC2 > Account Attributes > Instance Metadata Service Defaults > HTTP Token Hop Limit

Action Types

  • AWS > EC2 > Account Attributes > Update Instance Metadata Service Defaults

5.39.2 (2024-03-08)

Bug fixes

  • The deprecated ec2-reports:* permissions are now removed from the mod.
  • The AWS > EC2 > Snapshot > Active and AWS > EC2 > Snapshot > Approved controls will no longer attempt to delete a snapshot if it has one or more AMIs attached to it.
  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.
  • In the previous version, although we fixed a bug to prevent upserting volumes and snapshots with incorrect AKAs, there was still a provision for instances to be upserted with incorrect AKAs. We have now addressed this issue as well, ensuring instances are upserted more correctly and consistently than before.

5.39.1 (2024-02-16)

Bug fixes

  • In a previous version (v5.31.4), we implemented a feature to Discover Instances while processing their update events, if those resources were missing from Guardrails CMDB. In busy environments, this would sometimes cause unnecessary Lambda executions. We've now improved this behavior to upsert the missing resources in a lighter and faster way.

  • In the previous version, while we improved on the way we discovered missing Snapshots and Volumes while processing their update events, we inadvertently introduced a bug where some resources were upserted with incorrect AKAs. Such resources with malformed AKAs should now be cleaned up automatically from the environment, and Guardrails will now Discover resources more correctly and consistently than before.

5.39.0 (2024-02-13)

What's new?

  • You can now also disable Block Public Access for AMIs. To get started, set the AWS > EC2 > Account Attributes > Block Public Access for AMIs policy.

  • AWS/EC2/Admin, AWS/EC2/Metadata and AWS/EC2/Operator now include permissions for Verified Access Endpoints, Verified Access Groups and Verified Access Trust Providers.

Bug fixes

  • In a previous version (v5.31.4), we implemented a feature to Discover Snapshots and Volumes while processing their update events, if those resources were missing from Guardrails CMDB. In busy environments, this would sometimes cause unnecessary Lambda executions. We've now improved this behavior to upsert the missing resources in a lighter and faster way.

Control Types

  • AWS > EC2 > Account Attributes > Block Public Access for Snapshots

Policy Types

  • AWS > EC2 > Account Attributes > Block Public Access for Snapshots

Action Types

  • AWS > EC2 > Account Attributes > Update Block Public Access for Snapshots

5.38.1 (2024-02-05)

Bug fixes

  • The AWS > EC2 > Key Pair > Discovery control would sometimes go into an error state if a Key Pair alias included escape characters. This is now fixed.

Control Types

Renamed

  • AWS > EC2 > Volume > Configuration to AWS > EC2 > Volume > Performance Configuration

Policy Types

Renamed

  • AWS > EC2 > Volume > Configuration to AWS > EC2 > Volume > Performance Configuration
  • AWS > EC2 > Volume > Configuration > IOPS Capacity to AWS > EC2 > Volume > Performance Configuration > IOPS Capacity
  • AWS > EC2 > Volume > Configuration > Throughput to AWS > EC2 > Volume > Performance Configuration > Throughput
  • AWS > EC2 > Volume > Configuration > Type to AWS > EC2 > Volume > Performance Configuration > Type

Action Types

Renamed

  • AWS > EC2 > Volume > Update Configuration to AWS > EC2 > Volume > Update Performance Configuration

5.38.0 (2024-01-25)

Control Types

  • AWS > EC2 > Volume > Configuration

Policy Types

  • AWS > EC2 > Volume > Configuration
  • AWS > EC2 > Volume > Configuration > IOPS Capacity
  • AWS > EC2 > Volume > Configuration > Throughput
  • AWS > EC2 > Volume > Configuration > Type

Action Types

  • AWS > EC2 > Volume > Update Configuration

5.37.0 (2024-01-11)

What's new?

  • Added support for aws_network_interface_sg_attachment Terraform resource for AWS > EC2 > Network Interface.

Bug fixes

  • The AWS > EC2 > Instance > CMDB control would sometimes trigger multiple times if EnclaveOptions was not set as part of the AWS > EC2 > Instance > CMDB > Attributes policy. This would result in unnecessary Lambda runs for the control. The EnclaveOptions attribute is now available in the CMDB data by default and the EnclaveOptions policy value in AWS > EC2 > Instance > CMDB > Attributes policy has now been deprecated, and will be removed in the next major version.

5.36.2 (2023-11-02)

Bug fixes

  • The AWS > EC2 > Account Attributes > CMDB control would go into an error state due to a bad internal build. This is fixed and the control will now work correctly as expected.

5.36.1 (2023-10-17)

Bug fixes

  • The AWS > EC2 > Volume > Discovery control would go into an error state because of an unintended GraphQL query bug. This is fixed and the control will now work correctly as expected.

5.36.0 (2023-10-09)

What's new?

  • AWS/EC2/Admin now includes permissions for Block Public Access for AMIs.

  • We've updated the runtime of the Lambda functions to Node 18. You won't notice any difference, and things will continue to work smoothly and consistently as before.

  • Resource metadata will now also include createdBy details in Turbot CMDB.

Control Types

  • AWS > EC2 > Account Attributes > Block Public Access for AMIs

Policy Types

  • AWS > EC2 > Account Attributes > Block Public Access for AMIs

Action Types

  • AWS > EC2 > Account Attributes > Update Block Public Access for AMIs

5.35.0 (2023-09-15)

Bug fixes

  • After starting/stopping an instance successfully, the AWS > EC2 > Instance > Schedule control would try to perform the same start/stop action again if the state of the instance was changed outside of the control within 1 hour of the successful start/stop run. This is fixed and the control will no longer trigger a start/stop action again within 1 hour of the previous successful run.

Policy Types

  • AWS > EC2 > Instance > Schedule Tag > Name

5.34.0 (2023-08-01)

What's new?

  • We'd sometimes fail to update/clean up stopped/terminated instances via real-time events if the instances were handled via OS-level commands. We've now added support for real-time event handling of EC2 Instance State-change Notification to process EC2:StopInstances and EC2:TerminateInstances events more reliably than before. Please note that this feature will only be enabled if the aws mod is on version 5.26.0 or higher.
  • README.md file is now available for users to check details about the resource types and service permissions that the mod covers.

5.33.0 (2023-06-29)

What's new?

  • The AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed and AWS > EC2 > Load Balancer Listener > SSL Policy > Default policies now include TLS 1.3 policies in the list of AWS SSL policies that the AWS EC2 load balancer listener can use.

Bug fixes

  • The AWS > EC2 > Key Pair > Discovery control would sometimes go into an error state if a Key Pair alias included a backslash. This is now fixed.

5.32.0 (2023-06-01)

What's new?

  • Resource metadata will now also include createdBy details in Guardrails CMDB.
  • We've added new Guardrails AKAs for AWS > EC2 resource types that match their individual unique identifiers. E.g. InstanceId will now also be a Guardrails AKA for AWS > EC2 > Instance, VolumeId for AWS > EC2 > Volume, etc. Querying such resources in Guardrails will now be easier than before.

5.31.8 (2023-05-12)

Bug fixes

  • In a busy environment, the AWS > EC2 > Instance > Approved control would sometimes evaluate Root Volume Encryption incorrectly and set it to Not approved even before gauging all parameters for root volume encryption. This is fixed and Root Volume Encryption will now be correctly evaluated before setting the final state of the control.

5.31.7 (2023-03-08)

Bug fixes

  • We've updated the EventBridge Rule for ElasticLoadBalancing to filter out elasticloadbalancing:DeregisterTargets and elasticloadbalancing:RegisterTargets real-time events to reduce unnecessary noise caused by the processing of such events in Guardrails.

5.31.6 (2022-12-13)

Bug fixes

  • The StateReason attribute in an instance's CMDB data would sometimes fail to update correctly if the instance was started/stopped. This is now fixed.

5.31.5 (2022-11-15)

Bug fixes

  • Guardrails would sometimes fail to process the ec2:CreateVolume real-time event and not upsert the volume correctly in Guardrails. This is fixed and volumes will now be discovered and upserted in Guardrails more reliably and consistently than before.

5.31.4 (2022-11-08)

Bug fixes

  • Previously, for any instance, volume, snapshot or key pair missing from Guardrails, we would overlook and not process any of the real-time update events for such resources. From now on, for any such update event, we will try to discover all missing resources and upsert them into Guardrails CMDB to allow users to manage their resources more reliably and consistently than before.

5.31.3 (2022-09-30)

Bug fixes

  • The AWS > EC2 > Instance > Schedule control would sometimes fail to start/stop an instance as defined in AWS > EC2 > Instance > Schedule policy. This is fixed and the control will now start/stop instances more reliably and consistently than before.

5.31.2 (2022-07-18)

Bug fixes

  • We'd sometimes fail to capture start/stop real-time events for instances when multiple instances were started or stopped at the same time. This is fixed and the CMDB data for such instances will now be more consistent and reflect accurate status details.

5.31.1 (2022-07-13)

Bug fixes

  • The lambda functions for certain controls/actions would re-run unnecessarily whenever the mod version was updated. This has now been fixed.

5.31.0 (2022-07-12)

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Guardrails alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
  • README.md file is now available for users to check details about the resource types and service permissions that the mod covers.

Action Types

  • AWS > EC2 > AMI > Delete from AWS
  • AWS > EC2 > AMI > Set Tags
  • AWS > EC2 > AMI > Skip alarm for Active control
  • AWS > EC2 > AMI > Skip alarm for Active control [90 days]
  • AWS > EC2 > AMI > Skip alarm for Approved control
  • AWS > EC2 > AMI > Skip alarm for Approved control [90 days]
  • AWS > EC2 > AMI > Skip alarm for Tags control
  • AWS > EC2 > AMI > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Application Load Balancer > Delete from AWS
  • AWS > EC2 > Application Load Balancer > Set Tags
  • AWS > EC2 > Application Load Balancer > Skip alarm for Active control
  • AWS > EC2 > Application Load Balancer > Skip alarm for Active control [90 days]
  • AWS > EC2 > Application Load Balancer > Skip alarm for Approved control
  • AWS > EC2 > Application Load Balancer > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Application Load Balancer > Skip alarm for Tags control
  • AWS > EC2 > Application Load Balancer > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Auto Scaling Group > Delete from AWS
  • AWS > EC2 > Auto Scaling Group > Set Tags
  • AWS > EC2 > Auto Scaling Group > Skip alarm for Active control
  • AWS > EC2 > Auto Scaling Group > Skip alarm for Active control [90 days]
  • AWS > EC2 > Auto Scaling Group > Skip alarm for Approved control
  • AWS > EC2 > Auto Scaling Group > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Auto Scaling Group > Skip alarm for Tags control
  • AWS > EC2 > Auto Scaling Group > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Classic Load Balancer > Delete from AWS
  • AWS > EC2 > Classic Load Balancer > Set Tags
  • AWS > EC2 > Classic Load Balancer > Skip alarm for Active control
  • AWS > EC2 > Classic Load Balancer > Skip alarm for Active control [90 days]
  • AWS > EC2 > Classic Load Balancer > Skip alarm for Approved control
  • AWS > EC2 > Classic Load Balancer > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Classic Load Balancer > Skip alarm for Tags control
  • AWS > EC2 > Classic Load Balancer > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Classic Load Balancer Listener > Delete from AWS
  • AWS > EC2 > Classic Load Balancer Listener > Skip alarm for Active control
  • AWS > EC2 > Classic Load Balancer Listener > Skip alarm for Active control [90 days]
  • AWS > EC2 > Classic Load Balancer Listener > Skip alarm for Approved control
  • AWS > EC2 > Classic Load Balancer Listener > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Gateway Load Balancer > Delete from AWS
  • AWS > EC2 > Gateway Load Balancer > Set Tags
  • AWS > EC2 > Gateway Load Balancer > Skip alarm for Active control
  • AWS > EC2 > Gateway Load Balancer > Skip alarm for Active control [90 days]
  • AWS > EC2 > Gateway Load Balancer > Skip alarm for Approved control
  • AWS > EC2 > Gateway Load Balancer > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Gateway Load Balancer > Skip alarm for Tags control
  • AWS > EC2 > Gateway Load Balancer > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Instance > Delete from AWS
  • AWS > EC2 > Instance > Disable Termination Protection
  • AWS > EC2 > Instance > Enable Termination Protection
  • AWS > EC2 > Instance > Set Tags
  • AWS > EC2 > Instance > Skip alarm for Active control
  • AWS > EC2 > Instance > Skip alarm for Active control [90 days]
  • AWS > EC2 > Instance > Skip alarm for Approved control
  • AWS > EC2 > Instance > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Instance > Skip alarm for Tags control
  • AWS > EC2 > Instance > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Instance > Start Instance
  • AWS > EC2 > Instance > Stop Instance
  • AWS > EC2 > Key Pair > Delete from AWS
  • AWS > EC2 > Key Pair > Set Tags
  • AWS > EC2 > Key Pair > Skip alarm for Active control
  • AWS > EC2 > Key Pair > Skip alarm for Active control [90 days]
  • AWS > EC2 > Key Pair > Skip alarm for Approved control
  • AWS > EC2 > Key Pair > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Key Pair > Skip alarm for Tags control
  • AWS > EC2 > Key Pair > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Launch Configuration > Delete from AWS
  • AWS > EC2 > Launch Configuration > Skip alarm for Active control
  • AWS > EC2 > Launch Configuration > Skip alarm for Active control [90 days]
  • AWS > EC2 > Launch Configuration > Skip alarm for Approved control
  • AWS > EC2 > Launch Configuration > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Launch Template > Delete from AWS
  • AWS > EC2 > Launch Template > Set Tags
  • AWS > EC2 > Launch Template > Skip alarm for Active control
  • AWS > EC2 > Launch Template > Skip alarm for Active control [90 days]
  • AWS > EC2 > Launch Template > Skip alarm for Approved control
  • AWS > EC2 > Launch Template > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Launch Template > Skip alarm for Tags control
  • AWS > EC2 > Launch Template > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Launch Template Version > Delete from AWS
  • AWS > EC2 > Launch Template Version > Skip alarm for Active control
  • AWS > EC2 > Launch Template Version > Skip alarm for Active control [90 days]
  • AWS > EC2 > Launch Template Version > Skip alarm for Approved control
  • AWS > EC2 > Launch Template Version > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Listener Rule > Delete from AWS
  • AWS > EC2 > Listener Rule > Skip alarm for Active control
  • AWS > EC2 > Listener Rule > Skip alarm for Active control [90 days]
  • AWS > EC2 > Listener Rule > Skip alarm for Approved control
  • AWS > EC2 > Listener Rule > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Load Balancer Listener > Delete from AWS
  • AWS > EC2 > Load Balancer Listener > Skip alarm for Active control
  • AWS > EC2 > Load Balancer Listener > Skip alarm for Active control [90 days]
  • AWS > EC2 > Load Balancer Listener > Skip alarm for Approved control
  • AWS > EC2 > Load Balancer Listener > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Network Interface > Delete from AWS
  • AWS > EC2 > Network Interface > Set Tags
  • AWS > EC2 > Network Interface > Skip alarm for Active control
  • AWS > EC2 > Network Interface > Skip alarm for Active control [90 days]
  • AWS > EC2 > Network Interface > Skip alarm for Approved control
  • AWS > EC2 > Network Interface > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Network Interface > Skip alarm for Tags control
  • AWS > EC2 > Network Interface > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Network Load Balancer > Delete from AWS
  • AWS > EC2 > Network Load Balancer > Set Tags
  • AWS > EC2 > Network Load Balancer > Skip alarm for Active control
  • AWS > EC2 > Network Load Balancer > Skip alarm for Active control [90 days]
  • AWS > EC2 > Network Load Balancer > Skip alarm for Approved control
  • AWS > EC2 > Network Load Balancer > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Network Load Balancer > Skip alarm for Tags control
  • AWS > EC2 > Network Load Balancer > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Snapshot > Delete from AWS
  • AWS > EC2 > Snapshot > Set Tags
  • AWS > EC2 > Snapshot > Skip alarm for Active control
  • AWS > EC2 > Snapshot > Skip alarm for Active control [90 days]
  • AWS > EC2 > Snapshot > Skip alarm for Approved control
  • AWS > EC2 > Snapshot > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Snapshot > Skip alarm for Tags control
  • AWS > EC2 > Snapshot > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Target Group > Delete from AWS
  • AWS > EC2 > Target Group > Set Tags
  • AWS > EC2 > Target Group > Skip alarm for Active control
  • AWS > EC2 > Target Group > Skip alarm for Active control [90 days]
  • AWS > EC2 > Target Group > Skip alarm for Approved control
  • AWS > EC2 > Target Group > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Target Group > Skip alarm for Tags control
  • AWS > EC2 > Target Group > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Volume > Detach, snapshot and delete from AWS
  • AWS > EC2 > Volume > Set Tags
  • AWS > EC2 > Volume > Skip alarm for Active control
  • AWS > EC2 > Volume > Skip alarm for Active control [90 days]
  • AWS > EC2 > Volume > Skip alarm for Approved control
  • AWS > EC2 > Volume > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Volume > Skip alarm for Tags control
  • AWS > EC2 > Volume > Skip alarm for Tags control [90 days]

5.30.2 (2022-05-11)

Bug fixes

  • The AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed and AWS > EC2 > Load Balancer Listener > SSL Policy > Default policies now include ELBSecurityPolicy-FS-1-2-Res-2020-10 in the list of AWS SSL policies that the AWS EC2 load balancer listener can use.

5.30.1 (2022-04-12)

Bug fixes

  • The AWS > EC2 > Snapshot > CMDB control will now re-run after a 5-minute interval if a snapshot is in a transitional state, e.g. pending or recovering. This will allow the snapshot's CMDB data to be more reliable than before.

5.30.0 (2022-03-04)

Policy Types

  • AWS > EC2 > Instance > Default Platform

5.29.1 (2022-03-02)

Bug fixes

  • The AWS > EC2 > Instance > Approved control would go into an error state if the AWS > EC2 > Instance > Approved > Image > * policies were set and the AMI was deleted/not available in AWS. This is now fixed.
  • The AWS > EC2 > Instance > Approved control would sometimes go into an error state if the AWS > EC2 > Instance > Approved > Image > Publishers policy included account IDs. This is now fixed.

5.29.0 (2022-02-04)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.

Bug fixes

  • We've improved the process of deleting resources from Guardrails if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Guardrails' IAM role while deleting resources from Guardrails. This will allow the CMDB controls to process resource deletions from Guardrails more reliably than before.

Policy Types

  • AWS > EC2 > AMI > Approved > Custom
  • AWS > EC2 > Application Load Balancer > Approved > Custom
  • AWS > EC2 > Auto Scaling Group > Approved > Custom
  • AWS > EC2 > Classic Load Balancer > Approved > Custom
  • AWS > EC2 > Classic Load Balancer Listener > Approved > Custom
  • AWS > EC2 > Gateway Load Balancer > Approved > Custom
  • AWS > EC2 > Instance > Approved > Custom
  • AWS > EC2 > Key Pair > Approved > Custom
  • AWS > EC2 > Launch Configuration > Approved > Custom
  • AWS > EC2 > Launch Template > Approved > Custom
  • AWS > EC2 > Launch Template Version > Approved > Custom
  • AWS > EC2 > Listener Rule > Approved > Custom
  • AWS > EC2 > Load Balancer Listener > Approved > Custom
  • AWS > EC2 > Network Interface > Approved > Custom
  • AWS > EC2 > Network Load Balancer > Approved > Custom
  • AWS > EC2 > Snapshot > Approved > Custom
  • AWS > EC2 > Target Group > Approved > Custom
  • AWS > EC2 > Volume > Approved > Custom

5.28.4 (2022-02-01)

Bug fixes

  • The AWS > Guardrails > Permissions > Compiled > Lockdown Statements > @turbot/aws-ec2 policy would fail to compile the lockdown statements correctly if the AWS > EC2 > Instance > Approved > Image > Publishers policy included account IDs. This is now fixed.

5.28.3 (2022-01-28)

Bug fixes

  • The AWS > EC2 > Instance > Schedule control would incorrectly go into a skipped state if the AWS > EC2 > Instance > Schedule policy was set to Skip but the AWS > EC2 > Instance > Schedule Tag policy was set to Enforce: Schedule per turbot_custom_schedule tag. This is fixed and the control will now work as expected.

5.28.2 (2022-01-27)

Bug fixes

  • Guardrails would sometimes show unnecessary error notifications for volumes in the activity tab while processing EC2:RunInstances event. This is now fixed.

5.28.1 (2022-01-17)

Bug fixes

  • The AWS > EC2 > Instance > CMDB control would delete an instance incorrectly if the AMI used for creating the instance was deleted or made private. This is now fixed.

5.28.0 (2022-01-10)

What's new?

  • The AWS > EC2 > Instance > Approved control would sometimes go into an Invalid state incorrectly because the root volume attached to the instance was not discovered consistently in Guardrails for newly created instances. We've now added support for real-time event handling of EBS Volume Notifications to process EC2:CreateVolume, EC2:ModifyVolume and EC2:DeleteVolume events more reliably than before. This would also enable the AWS > EC2 > Instance > Approved control to evaluate the outcome correctly and consistently. Please note that this feature will only be enabled if the aws mod is on version 5.21.0 or higher.

5.27.0 (2021-12-21)

What's new?

  • AWS/EC2/Admin, AWS/EC2/Metadata and AWS/EC2/Operator now include permissions for Capacity Reservation Fleet, Instance Event Window, Managed Prefix List, Snapshots In Recycle Bin, Warm Pool and Public IPv4 Pool.

Policy Types

  • AWS > EC2 > Permissions > Lockdown > Instance
  • AWS > EC2 > Permissions > Lockdown > Instance > Image
  • AWS > EC2 > Permissions > Lockdown > Instance > Image > AMI IDs
  • AWS > EC2 > Permissions > Lockdown > Instance > Image > Publishers

5.26.0 (2021-09-17)

What's new?

  • Auto Scaling Group's CMDB data will now include details of its scheduled actions.

Bug fixes

  • The security group details under NetworkInterfaces in the instances' CMDB data will now be properly and consistently sorted.

5.25.0 (2021-07-22)

What's new?

  • AWS/EC2 permission levels now include Auto Scaling plans, Auto Scaling instance refresh and Public IPv4 Pool permissions.

5.24.0 (2021-07-08)

What's new?

  • We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.23.0 (2021-06-23)

What's new?

  • AWS/EC2/Admin now includes capacity reservation, fleet permissions, and elastic inference permissions.

    AWS > Guardrails > Permissions > Compiled > API Boundary > @turbot/aws-ec2 policy now includes elastic-inference:* and tiros:*.

5.22.0 (2021-06-21)

Resource Types

  • AWS > EC2 > Account Attributes

Control Types

  • AWS > EC2 > Account Attributes > CMDB
  • AWS > EC2 > Account Attributes > Discovery
  • AWS > EC2 > Account Attributes > EBS Encryption by Default

Policy Types

  • AWS > EC2 > Account Attributes > CMDB
  • AWS > EC2 > Account Attributes > EBS Encryption by Default
  • AWS > EC2 > Account Attributes > EBS Encryption by Default > Customer Managed Key
  • AWS > EC2 > Account Attributes > Regions

Action Types

  • AWS > EC2 > Account Attributes > Router
  • AWS > EC2 > Account Attributes > Update EBS Encryption by Default

5.21.6 (2021-05-18)

Bug fixes

  • We've improved our retry mechanism for throttling errors on API calls to be more efficient. You won’t notice any difference, but things should run better than before.

5.21.5 (2021-05-13)

Bug fixes

  • We've updated the AWS > EC2 > Permissions > Lockdown > Instance Types and AWS > EC2 > Permissions > Lockdown > Volume Types policies' default values to be [*]. This will allow these policies to run much lighter and faster than before.

    We recommend that users include instance types from all AWS > EC2 > Instance > Approved > Instance Types policy settings and volume types from all AWS > EC2 > Volume > Approved > Volume Types policy settings in their respective lockdown policies to ensure that these lockdown policies do not restrict any approved instance or volume types.

5.21.4 (2021-05-06)

Bug fixes

  • We made some improvements earlier to upsert snapshots automatically if they were created from instances, but that wouldn't work since we did not add the ec2:CreateSnapshots event in the EventBridge rule for EC2. This is now fixed and snapshots created from instances will now be upserted automatically via real-time event handling in Guardrails.

    We recommend that users run the AWS > EC2 > Snapshot > Discovery control to upsert all snapshots that Guardrails might have missed upserting earlier. This will help Guardrails manage all such snapshots correctly.

5.21.3 (2021-05-05)

Bug fixes

  • The AWS > EC2 > Instance > CMDB control would sometimes go into an error state for terminated instances and would fail to delete such instances from Guardrails. This is now fixed.
  • Guardrails will now raise EC2:BidEvictedEvent events correctly to handle spot instance interruptions.
  • Snapshots created from instances were not upserted automatically into Guardrails. This is now fixed.

5.21.2 (2021-04-23)

Bug fixes

  • We've improved the way we refresh the CMDB data for instances, snapshots and volumes for tagging events like EC2:CreateTags and EC2:DeleteTags. We understand that API calls are expensive and we'll now make fewer of them for such events, and the respective CMDB controls will run lighter than before.

5.21.1 (2021-04-13)

Bug fixes

  • We’ve made a few improvements in the GraphQL queries for various controls, policies, and actions. You won’t notice any difference, but things should run lighter and quicker than before.

5.21.0 (2021-04-02)

What's new?

  • We've improved our event handling configuration and now filter which AWS events Guardrails listens for based on resources' CMDB policies. If a resource's CMDB policy is not set to Enforce: Enabled, the EventBridge rules will be configured to not send any events for that resource. This will greatly reduce the number of unnecessary events that Guardrails listens for and handles today. Please note that this feature will only be enabled for workspaces on TE v5.36.0 or higher, and only if any installed VPC mods are also on the following versions or higher, since these VPC mods also use EC2 events for their respective resources: aws-vpc-core v5.10.0, aws-vpc-internet v5.7.0, aws-vpc-connect v5.5.0 and aws-vpc-security v5.5.0. We recommend upgrading the aws-ec2 mod to v5.21.0 first and then upgrading the installed VPC mods to the versions mentioned above for a smooth transition to using the event filtering capability.

Policy Types

  • AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-ec2

Removed

  • AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-ec2

5.20.0 (2021-03-19)

Bug fixes

  • The AWS > EC2 > Snapshot > Approved control would sometimes go into an error state if the KMS key used to encrypt the snapshot was not available in Guardrails CMDB. This is fixed and the control will now work as expected.

Resource Types

  • AWS > EC2 > Gateway Load Balancer

Control Types

  • AWS > EC2 > Gateway Load Balancer > Active
  • AWS > EC2 > Gateway Load Balancer > Approved
  • AWS > EC2 > Gateway Load Balancer > CMDB
  • AWS > EC2 > Gateway Load Balancer > Discovery
  • AWS > EC2 > Gateway Load Balancer > Tags
  • AWS > EC2 > Gateway Load Balancer > Usage

Policy Types

  • AWS > EC2 > Gateway Load Balancer > Active
  • AWS > EC2 > Gateway Load Balancer > Active > Age
  • AWS > EC2 > Gateway Load Balancer > Active > Budget
  • AWS > EC2 > Gateway Load Balancer > Active > Last Modified
  • AWS > EC2 > Gateway Load Balancer > Approved
  • AWS > EC2 > Gateway Load Balancer > Approved > Budget
  • AWS > EC2 > Gateway Load Balancer > Approved > Regions
  • AWS > EC2 > Gateway Load Balancer > Approved > Usage
  • AWS > EC2 > Gateway Load Balancer > CMDB
  • AWS > EC2 > Gateway Load Balancer > Regions
  • AWS > EC2 > Gateway Load Balancer > Tags
  • AWS > EC2 > Gateway Load Balancer > Tags > Template
  • AWS > EC2 > Gateway Load Balancer > Usage
  • AWS > EC2 > Gateway Load Balancer > Usage > Limit

Action Types

  • AWS > EC2 > Gateway Load Balancer > Delete
  • AWS > EC2 > Gateway Load Balancer > Router
  • AWS > EC2 > Gateway Load Balancer > Update Tags

5.19.0 (2021-03-01)

What's new?

  • We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls was in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

  • While gathering resource data in the AWS > EC2 > Instance > CMDB and AWS > EC2 > Volume > CMDB controls, sometimes we'd hit API throttling errors due to the CMDB controls calling multiple APIs each run in an effort to gather all related resource data. To provide an easy way to configure which APIs are called in each CMDB control, we've added the AWS > EC2 > Instance > CMDB > Attributes and AWS > EC2 > Volume > CMDB > Attributes policies.

    In each of these policies, you can select which attributes Guardrails will track in CMDB for the respective resource type. Any unselected attributes will not be tracked, which results in fewer API calls. Please note that if an attribute is changed from tracked to untracked, it will be removed from the resource's CMDB data so that stale information is not kept.

Policy Types

  • AWS > EC2 > Instance > CMDB > Attributes
  • AWS > EC2 > Volume > CMDB > Attributes

5.18.7 (2021-02-09)

Bug fixes

  • The AWS > EC2 > Network Interface > Active control will no longer go into error if the network interface is detached and the attachment check is enabled.
  • The AWS > EC2 > Volume > Active control will no longer go into error if the volume is detached and the attachment check is enabled.
  • The AWS > EC2 > Instance > CMDB control will no longer attempt to describe the instance's enclave options for instances in the us-gov-east-1 and us-gov-west-1 regions due to lack of GovCloud support.

5.18.6 (2021-02-05)

Bug fixes

  • We've updated the AWS > EC2 > Instance > Discovery control to sort the NetworkInterfaces and Tags properties in the same way the AWS > EC2 > Instance > CMDB control sorts them to ensure instances' CMDB data remains consistent.
  • The AWS > EC2 > Instance > Router action would sometimes throw an error when an instance with no attached volumes was deleted. This is now fixed.
  • After an instance is terminated, AWS either deletes or detaches any attached volumes based on the volumes' DeleteOnTermination setting. For these volumes, sometimes we'd fail to delete or update them respectively in CMDB after handling the instance termination event. Both of these cases are now fixed and volumes are deleted and updated as expected.

5.18.5 (2021-01-29)

Bug fixes

  • The root volume encryption check in AWS > EC2 > Instance > Approved control would incorrectly show Invalid if there was no root volume attached to the instance. This is fixed and it will now show up as Approved.

  • The AWS > EC2 > Target Group > CMDB control would sometimes go into an error state showing a Validation Error if a load balancer was deleted since we'd move the attached target group under an incorrect parent. This is now fixed.

  • The AWS > EC2 > Instance > Approved control will now wait a few minutes before going into the invalid state if the instance's root volume is not in CMDB yet (root volume information is required for the AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest check). This will help avoid unnecessary TBD->Invalid->OK state change sequences for new instances, as the instance may be created in CMDB before its root volume is, due to event handling order.

5.18.4 (2021-01-18)

Bug fixes

  • The AWS > EC2 > Snapshot > Discovery control now moves into alarm if there are more than 100k snapshots in a region (we still limit the control to upserting only 100k in a single run).

5.18.3 (2021-01-14)

Bug fixes

  • The AWS > EC2 > Snapshot > Discovery control's lambda function's timeout has been increased from 5 minutes to 15 minutes to better handle upserting a large number of snapshots. This control will also now limit resource data to required fields and only upsert up to 100,000 snapshots in a single run in order to avoid payload size errors. If you have a use case that exceeds this limit, please contact support.

5.18.2 (2020-12-29)

Bug fixes

  • The AWS > EC2 > Snapshot > Discovery control's lambda function's memory has been increased from 512 MB to 2048 MB to better handle upserting a large number of snapshots.
  • We've improved the AWS > EC2 > Volume > Discovery control to run faster and lighter when discovering volumes for newly created instances. You won't notice any difference, but the control is better than it was before.

5.18.1 (2020-12-24)

Bug fixes

  • Sometimes when multiple instances were terminated in an ec2:TerminateInstances event, not all of the instances' attached volumes would be cleaned up properly in CMDB. This has been fixed.

    We also fixed a bug that would sometimes cause only the first instance in an ec2:RunInstances event to be created in CMDB.

5.18.0 (2020-12-21)

What's new?

  • The AWS > EC2 > Instance > Approved control can now check if an instance is approved or not based on the AMI which was used to launch it. To enable this approved check, please set the AWS > EC2 > Instance > Approved > Image policy.

Bug fixes

  • The AWS > EC2 > Instance > Detailed Monitoring control would incorrectly go to an Invalid state if the AWS > EC2 > Instance > Detailed Monitoring policy was set to Skip. This has now been fixed and the AWS > EC2 > Instance > Detailed Monitoring control will now correctly be in skipped state if its policy value is set to Skip.

Policy Types

  • AWS > EC2 > Instance > Approved > Image
  • AWS > EC2 > Instance > Approved > Image > AMI IDs
  • AWS > EC2 > Instance > Approved > Image > Publishers

5.17.5 (2020-12-14)

Bug fixes

  • The AWS > EC2 > Instance > CMDB control would sometimes go into an error state if no network interfaces were attached to the instance. This is now fixed.

5.17.4 (2020-12-07)

Bug fixes

  • We've optimized the GraphQL queries for various controls when they're in the tbd and skipped states. You won't notice any difference but they should run a lot lighter now.

  • We've updated various resources' Discovery and CMDB controls to ensure array properties are consistently sorted in the CMDB.

  • We've removed the AWS > EC2 > Instance > Active > Attached policy, which was added incorrectly. There is no impact on the AWS > EC2 > Instance > Active control, which will continue to work as before.

Policy Types

Removed

  • AWS > EC2 > Instance > Active > Attached

5.17.3 (2020-11-16)

Bug fixes

  • We've fixed an issue that resulted in the AWS > EC2 > Instance > Discovery control never upserting any instances, even if there were some present in the region.

5.17.2 (2020-11-16)

Bug fixes

  • Whenever classic load balancers were created, we failed to upsert them automatically in our CMDB. This issue has now been fixed.

5.17.1 (2020-11-06)

Bug fixes

  • Our real-time event handling for tag updates of EC2 resources will now be smoother, and the tags will be sorted consistently across the EC2 Discovery and CMDB controls.

5.17.0 (2020-11-03)

Bug fixes

  • We have made some improvements to our real-time event handling for EC2 resource tag updates. You won't notice a difference, but updates should run faster and smoother.

Resource Types

  • AWS > EC2 > Classic Load Balancer Listener

Control Types

  • AWS > EC2 > Classic Load Balancer Listener > Active
  • AWS > EC2 > Classic Load Balancer Listener > Approved
  • AWS > EC2 > Classic Load Balancer Listener > CMDB
  • AWS > EC2 > Classic Load Balancer Listener > Discovery
  • AWS > EC2 > Classic Load Balancer Listener > SSL Policy
  • AWS > EC2 > Classic Load Balancer Listener > Usage

Policy Types

  • AWS > EC2 > Classic Load Balancer Listener > Active
  • AWS > EC2 > Classic Load Balancer Listener > Active > Age
  • AWS > EC2 > Classic Load Balancer Listener > Active > Last Modified
  • AWS > EC2 > Classic Load Balancer Listener > Approved
  • AWS > EC2 > Classic Load Balancer Listener > Approved > Instance Protocols
  • AWS > EC2 > Classic Load Balancer Listener > Approved > Ports
  • AWS > EC2 > Classic Load Balancer Listener > Approved > Protocols
  • AWS > EC2 > Classic Load Balancer Listener > Approved > Regions
  • AWS > EC2 > Classic Load Balancer Listener > Approved > Usage
  • AWS > EC2 > Classic Load Balancer Listener > CMDB
  • AWS > EC2 > Classic Load Balancer Listener > Regions
  • AWS > EC2 > Classic Load Balancer Listener > SSL Policy
  • AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed
  • AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Default
  • AWS > EC2 > Classic Load Balancer Listener > Usage
  • AWS > EC2 > Classic Load Balancer Listener > Usage > Limit
  • AWS > EC2 > Load Balancer Listener > Approved > Ports
  • AWS > EC2 > Load Balancer Listener > Approved > Protocols

Action Types

  • AWS > EC2 > Classic Load Balancer Listener > Delete
  • AWS > EC2 > Classic Load Balancer Listener > Router
  • AWS > EC2 > Classic Load Balancer Listener > Update SSL Policy

5.16.2 (2020-10-28)

Bug fixes

  • The AWS > EC2 > Instance > Discovery control will no longer upsert instances that are in the shutting-down or terminated states, as these instances are not useful to track in CMDB.
  • Whenever network load balancers were created we did not upsert them automatically into our CMDB. This issue has now been fixed.
  • The AWS > EC2 > Instance > CMDB control will now re-trigger after 1 minute instead of 5 if the instance is in the pending, shutting-down or stopping state. This will enable all the dependent controls and policies to be updated much faster.

5.16.1 (2020-10-19)

Bug fixes

  • After an instance was deleted, we'd fail to delete its root volume from CMDB sometimes and create noisy error notifications. This has been fixed and root volumes are cleaned up properly now.
  • The AWS > EC2 > Instance > CMDB control was continuously running every 5 minutes if the instance was in a running state. This is now fixed and the AWS > EC2 > Instance > CMDB control will only run when required.

5.16.0 (2020-10-13)

Bug fixes

  • We've fixed an invalid GraphQL input for the AWS > EC2 > Target Group > Discovery control which caused it to remain in an error state.
  • We failed to upsert AMIs into CMDB when they were created by copying existing AMIs from different regions. This issue has now been fixed.

Control Types

  • AWS > EC2 > Load Balancer Listener > SSL Policy

Policy Types

  • AWS > EC2 > Load Balancer Listener > SSL Policy
  • AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed
  • AWS > EC2 > Load Balancer Listener > SSL Policy > Default

Action Types

  • AWS > EC2 > Load Balancer Listener > Update SSL Policy

5.15.0 (2020-10-06)

What's new?

  • The AWS > EC2 > Volume > Active control can now check if a volume is attached to any resource or not. To enable this active check, please set the AWS > EC2 > Volume > Active > Attached policy.

Policy Types

  • AWS > EC2 > Volume > Active > Attached

5.14.1 (2020-09-29)

Bug fixes

  • We've made some improvements to our real-time event handling that reduces the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.

5.14.0 (2020-09-03)

What's new?

  • Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.
  • We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.

Bug fixes

  • The AWS > ECS > Auto-Scaling Group > Router action was incorrectly attempting to handle ec2:CreateTags events, which would result in multiple error notifications from the action. This has been fixed.

5.13.0 (2020-08-18)

Control Types

  • AWS > EC2 > Instance > Detailed Monitoring
  • AWS > EC2 > Instance > Termination Protection

Policy Types

  • AWS > EC2 > Instance > Detailed Monitoring
  • AWS > EC2 > Instance > Termination Protection

Action Types

  • AWS > EC2 > Instance > Update Detailed Monitoring
  • AWS > EC2 > Instance > Update Termination Protection

5.12.2 (2020-08-18)

Bug fixes

  • After an EC2 instance was terminated, if its attached network interfaces were also deleted at the same time, these deleted network interfaces were not correctly removed from CMDB. This issue has now been fixed.

5.12.1 (2020-08-14)

Bug fixes

  • Minor improvements were made to the AWS > EC2 > Instance > Schedule control to make sure that you can start or stop your instances effectively without any errors.

  • Root volumes can no longer be deleted by the AWS > EC2 > Volume > Approved or AWS > EC2 > Volume > Active control when they are attached to instances in the stopped state. This makes sure that such instances do not go into an error state on restart because their attached root volume is unavailable.

  • In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.

Policy Types

Renamed

  • AWS > EC2 > Instance > Schedule > Tag to AWS > EC2 > Instance > Schedule Tag

5.12.0 (2020-07-29)

What's new?

  • AWS/EC2/Admin now includes reserved instances, product instances and FPGA image management permissions.

  • Cross-account trust is important for complex enterprise and application scenarios, but is also a critical area for security controls. We now support controlling cross-account access for AMIs and snapshots to provide automatic protection against unexpected cross-account access.

    A common set of trusted AWS account IDs can be defined in the AWS > Account > Trusted Accounts [Default] policy. Trusted accounts can also be defined at any level, even down to the specific AMI or snapshot resource.

    To get started with these new controls, please see the AWS > EC2 > AMI > Trusted Access and AWS > EC2 > Snapshot > Trusted Access policies.
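    The trusted-accounts check described above, as an added example that is not the Guardrails mod's own code: grants are in the shape returned by the EC2 DescribeImageAttribute (LaunchPermissions) and DescribeSnapshotAttribute (CreateVolumePermissions) APIs, and the account IDs and trusted list are constructed sample values.

```python
"""Compare AMI launch permissions and snapshot create-volume permissions
against a trusted-accounts list. Added example, not Guardrails mod code.
Grant entries look like {"UserId": "<account id>"} or {"Group": "all"}
(public sharing); organization-ARN grants use other keys.
"""
from typing import Dict, Iterable, List, Set

Grant = Dict[str, str]

# Constructed sample data (not real accounts): the resource owner, the
# trusted set that a policy such as AWS > Account > Trusted Accounts [Default]
# would hold, and the grants found on one AMI and one snapshot.
OWNER_ACCOUNT = "111111111111"
TRUSTED_ACCOUNTS: Set[str] = {"222222222222", "333333333333"}

SAMPLE_AMI_LAUNCH_PERMISSIONS: List[Grant] = [
    {"UserId": "222222222222"},   # in the trusted list
    {"UserId": "444444444444"},   # not in the trusted list
    {"Group": "all"},             # AMI is public
]
SAMPLE_SNAPSHOT_CREATE_VOLUME_PERMISSIONS: List[Grant] = [
    {"UserId": "333333333333"},   # in the trusted list
    {"UserId": "111111111111"},   # the owner account itself
]


def untrusted_grants(grants: Iterable[Grant], trusted: Set[str], owner: str) -> List[Grant]:
    """Return every grant that is not covered by the trusted-accounts list.

    Public sharing ({"Group": "all"}) is never trusted. A grant to the owner
    account adds nothing (the owner already has access) and is ignored.
    Any grant shape this function does not understand (e.g. organization
    ARNs) is reported rather than silently accepted.
    """
    flagged: List[Grant] = []
    for grant in grants:
        if grant.get("Group") == "all":
            flagged.append(grant)
        elif "UserId" in grant:
            account = grant["UserId"]
            if account != owner and account not in trusted:
                flagged.append(grant)
        else:
            flagged.append(grant)
    return flagged


def is_trusted(grants: Iterable[Grant], trusted: Set[str], owner: str) -> bool:
    """True when no grant falls outside the trusted list (control would be OK)."""
    return not untrusted_grants(grants, trusted, owner)


def build_remove_request(grants: Iterable[Grant], trusted: Set[str], owner: str) -> Dict[str, List[Grant]]:
    """Build the {"Remove": [...]} structure that ModifyImageAttribute
    (LaunchPermission) and ModifySnapshotAttribute (CreateVolumePermission)
    accept, listing only the untrusted grants. Nothing is sent to AWS here;
    the request body is returned so it can be reviewed before enforcement."""
    return {"Remove": untrusted_grants(grants, trusted, owner)}


if __name__ == "__main__":
    for label, grants in (("AMI", SAMPLE_AMI_LAUNCH_PERMISSIONS),
                          ("Snapshot", SAMPLE_SNAPSHOT_CREATE_VOLUME_PERMISSIONS)):
        bad = untrusted_grants(grants, TRUSTED_ACCOUNTS, OWNER_ACCOUNT)
        state = "OK" if not bad else "ALARM"
        print(f"{label}: {state}; untrusted grants: {bad}")
```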

Control Types

  • AWS > EC2 > AMI > Trusted Access
  • AWS > EC2 > Snapshot > Trusted Access

Policy Types

  • AWS > EC2 > AMI > Trusted Access
  • AWS > EC2 > AMI > Trusted Access > Accounts
  • AWS > EC2 > Snapshot > Trusted Access
  • AWS > EC2 > Snapshot > Trusted Access > Accounts
  • AWS > EC2 > Trusted Accounts [Default]

Action Types

  • AWS > EC2 > AMI > Set Trusted Access
  • AWS > EC2 > Snapshot > Set Trusted Access

5.11.0 (2020-07-16)

What's new?

  • Target group attachment resources can now be created by the AWS > Account > Stack or AWS > Region > Stack controls. For more information on creating these resource types through Terraform, please see the Terraform resource page.

5.10.2 (2020-07-01)

Bug fixes

  • Sometimes when updating CMDB for resources with tags that have empty string values, e.g., [{Key: "Empty", Value: ""}, {Key: "Guardrails is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.
  • When determining the creation time of an instance, we were incorrectly using its LaunchTime property, which would update whenever an instance was stopped and then started again. Instead we now use the attachment time of its primary network interface, as the primary network interface cannot be detached, so the creation time will be more accurate and remain consistent throughout an instance's lifecycle.
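  Both fixes above (keeping tags with empty values, and deriving the creation time from the primary network interface's attachment time instead of LaunchTime), together with the consistent tag and interface sorting mentioned in 5.18.6 and 5.17.1, as an added example that is not the Guardrails mod's own code. The record follows the DescribeInstances shape; the instance, interface IDs, timestamps and tags are constructed sample data.

```python
"""Derive stable CMDB fields from an EC2 DescribeInstances record.
Added example, not Guardrails mod code. Field names (LaunchTime,
NetworkInterfaces[].Attachment.DeviceIndex / AttachTime, Tags[].Key / Value)
are those of the DescribeInstances API; the values are constructed.
"""
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Constructed sample: the instance was stopped and started once, so its
# LaunchTime (2020-06-30) is later than the attach time of its primary
# interface (DeviceIndex 0), which has been attached since creation
# (2020-06-15). A secondary interface and an empty-value tag are included.
SAMPLE_INSTANCE: Dict[str, Any] = {
    "InstanceId": "i-0123456789abcdef0",
    "LaunchTime": datetime(2020, 6, 30, 9, 0, tzinfo=timezone.utc),
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0bbb",
         "Attachment": {"DeviceIndex": 1,
                        "AttachTime": datetime(2020, 6, 20, 12, 0, tzinfo=timezone.utc)}},
        {"NetworkInterfaceId": "eni-0aaa",
         "Attachment": {"DeviceIndex": 0,
                        "AttachTime": datetime(2020, 6, 15, 8, 30, tzinfo=timezone.utc)}},
    ],
    "Tags": [
        {"Key": "Guardrails is great", "Value": "true"},
        {"Key": "Empty", "Value": ""},
        {"Key": "Name", "Value": "web-1"},
    ],
}


def primary_interface_attach_time(instance: Dict[str, Any]) -> Optional[datetime]:
    """AttachTime of the interface at DeviceIndex 0, or None if not visible."""
    for eni in instance.get("NetworkInterfaces", []):
        attachment = eni.get("Attachment") or {}
        if attachment.get("DeviceIndex") == 0 and "AttachTime" in attachment:
            return attachment["AttachTime"]
    return None


def creation_time(instance: Dict[str, Any]) -> Any:
    """Primary interface attach time (the primary interface cannot be
    detached, so this survives stop/start cycles); fall back to LaunchTime
    only when the primary interface is not yet present in the record."""
    return primary_interface_attach_time(instance) or instance["LaunchTime"]


def normalize_tags(tags: Optional[List[Dict[str, str]]]) -> Dict[str, str]:
    """Return tags as a dict in sorted key order, keeping empty-string
    values. A filter such as `if tag["Value"]` would silently drop the
    "Empty" tag, which is the bug described in 5.10.2."""
    out: Dict[str, str] = {}
    for tag in tags or []:
        if "Key" not in tag:
            continue                        # malformed entry, skip
        out[tag["Key"]] = tag.get("Value", "")
    return dict(sorted(out.items()))


def sorted_interface_ids(instance: Dict[str, Any]) -> List[str]:
    """Interface IDs in a fixed order so Discovery and CMDB agree."""
    return sorted(eni["NetworkInterfaceId"] for eni in instance.get("NetworkInterfaces", []))


def cmdb_record(instance: Dict[str, Any]) -> Dict[str, Any]:
    """The subset of fields whose values must not vary between runs."""
    return {
        "InstanceId": instance["InstanceId"],
        "CreationTime": creation_time(instance),
        "Tags": normalize_tags(instance.get("Tags")),
        "NetworkInterfaceIds": sorted_interface_ids(instance),
    }


if __name__ == "__main__":
    print(cmdb_record(SAMPLE_INSTANCE))
```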

5.10.1 (2020-06-26)

Bug fixes

  • Real-time events for key pairs were not being handled properly, resulting in outdated key pair CMDB information. This issue has been fixed.
  • In aws-ec2 (5.9.0), we added an ARN using the key pair ID as another AKA to the key pair resource type. This change would sometimes cause the AWS > EC2 > Key Pair > Discovery control to error out when attempting to update existing key pairs with the new AKA. This issue has been fixed.

5.10.0 (2020-06-26)

What's new?

  • The AWS > EC2 > Instance > Approved control can now stop unapproved instances (previously only deleting them was available). This feature can be used to either stop all unapproved instances or just those that have been newly created by setting the AWS > EC2 > Instance > Approved policy to Enforce: Stop unapproved or Enforce: Stop unapproved if new respectively.

5.9.0 (2020-06-19)

What's new?

  • We've added another AKA to key pairs, which is an ARN with the key pair ID as the unique identifier, e.g., arn:aws:ec2:us-east-1:123456789012:key-pair/key-012345abc. Previously, we only supported an ARN that used the key pair name, but now we store both formats.

Control Types

  • AWS > EC2 > Key Pair > Tags

Policy Types

  • AWS > EC2 > Key Pair > Tags
  • AWS > EC2 > Key Pair > Tags > Template

Action Types

  • AWS > EC2 > Key Pair > Update Tags

5.8.0 (2020-06-19)

What's new?

  • Access logging can now be configured for all load balancer types through their respective Access Logging controls. Access logs capture detailed information about requests sent to the load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.

  • All the certificates added to the certificate list of a load balancer listener will now be available in the Certificates property.

  • Information pertaining to the health of a target group is now available in the TargetHealthDescriptions property.

  • CMDB of a target group will be updated automatically whenever targets like instance IDs, IP addresses, or Lambda functions are registered or deregistered.

Bug fixes

  • Although the data validation errors, which appear in various CMDB and Discovery controls, are not blockers, they look ugly in the UI and should be cleaned up. These errors have now been fixed.

Control Types

  • AWS > EC2 > Application Load Balancer > Access Logging
  • AWS > EC2 > Classic Load Balancer > Access Logging
  • AWS > EC2 > Network Load Balancer > Access Logging

Policy Types

  • AWS > EC2 > Application Load Balancer > Access Logging
  • AWS > EC2 > Application Load Balancer > Access Logging > Bucket
  • AWS > EC2 > Application Load Balancer > Access Logging > Key Prefix
  • AWS > EC2 > Classic Load Balancer > Access Logging
  • AWS > EC2 > Classic Load Balancer > Access Logging > Bucket
  • AWS > EC2 > Classic Load Balancer > Access Logging > Key Prefix
  • AWS > EC2 > Network Load Balancer > Access Logging
  • AWS > EC2 > Network Load Balancer > Access Logging > Bucket
  • AWS > EC2 > Network Load Balancer > Access Logging > Key Prefix

Action Types

  • AWS > EC2 > Application Load Balancer > Update Access Logging
  • AWS > EC2 > Classic Load Balancer > Update Access Logging
  • AWS > EC2 > Network Load Balancer > Update Access Logging

5.7.0 (2020-06-16)

Control Types

  • AWS > EC2 > Application Load Balancer > Configured
  • AWS > EC2 > Classic Load Balancer > Configured
  • AWS > EC2 > Network Load Balancer > Configured
  • AWS > EC2 > Target Group > Configured

Policy Types

  • AWS > EC2 > Application Load Balancer > Configured
  • AWS > EC2 > Application Load Balancer > Configured > Claim Precedence
  • AWS > EC2 > Application Load Balancer > Configured > Source
  • AWS > EC2 > Classic Load Balancer > Configured
  • AWS > EC2 > Classic Load Balancer > Configured > Claim Precedence
  • AWS > EC2 > Classic Load Balancer > Configured > Source
  • AWS > EC2 > Network Load Balancer > Configured
  • AWS > EC2 > Network Load Balancer > Configured > Claim Precedence
  • AWS > EC2 > Network Load Balancer > Configured > Source
  • AWS > EC2 > Target Group > Configured
  • AWS > EC2 > Target Group > Configured > Claim Precedence
  • AWS > EC2 > Target Group > Configured > Source

5.6.0 (2020-06-16)

Control Types

  • AWS > EC2 > Instance > Metadata Service

Policy Types

  • AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest
  • AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest > Customer Managed Key
  • AWS > EC2 > Instance > Metadata Service
  • AWS > EC2 > Instance > Metadata Service > HTTP Token Hop Limit

Action Types

  • AWS > EC2 > Instance > Update Metadata Service

5.5.2 (2020-06-09)

Bug fixes

  • After terminating an instance, if its root volume was also deleted due to the instance's DeleteOnTermination property being set to true, Guardrails would not correctly delete the root volume from CMDB. This issue has been fixed.
  • After launching a new instance, its root volume would not automatically be created in the CMDB. This has been fixed.

5.5.1 (2020-05-26)

Bug fixes

  • After stopping or starting an instance, the CMDB was not updated automatically to reflect the new state. This has been fixed.
  • When load balancers were created in the AWS console, Guardrails upserted invalid load balancers with malformed AKAs into the CMDB. This issue has been fixed and the load balancers are now upserted with correct AKAs.
  • Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.

5.5.0 (2020-05-07)

Resource Types

  • AWS > EC2 > Listener Rule
  • AWS > EC2 > Load Balancer Listener

Control Types

  • AWS > EC2 > AMI > Configured
  • AWS > EC2 > Instance > Configured
  • AWS > EC2 > Listener Rule > Active
  • AWS > EC2 > Listener Rule > Approved
  • AWS > EC2 > Listener Rule > CMDB
  • AWS > EC2 > Listener Rule > Configured
  • AWS > EC2 > Listener Rule > Discovery
  • AWS > EC2 > Listener Rule > Usage
  • AWS > EC2 > Load Balancer Listener > Active
  • AWS > EC2 > Load Balancer Listener > Approved
  • AWS > EC2 > Load Balancer Listener > CMDB
  • AWS > EC2 > Load Balancer Listener > Configured
  • AWS > EC2 > Load Balancer Listener > Discovery
  • AWS > EC2 > Load Balancer Listener > Usage
  • AWS > EC2 > Network Interface > Configured
  • AWS > EC2 > Snapshot > Configured
  • AWS > EC2 > Volume > Configured

Policy Types

  • AWS > EC2 > AMI > Configured
  • AWS > EC2 > AMI > Configured > Claim Precedence
  • AWS > EC2 > AMI > Configured > Source
  • AWS > EC2 > Instance > Configured
  • AWS > EC2 > Instance > Configured > Claim Precedence
  • AWS > EC2 > Instance > Configured > Source
  • AWS > EC2 > Listener Rule > Active
  • AWS > EC2 > Listener Rule > Active > Age
  • AWS > EC2 > Listener Rule > Active > Budget
  • AWS > EC2 > Listener Rule > Active > Last Modified
  • AWS > EC2 > Listener Rule > Approved
  • AWS > EC2 > Listener Rule > Approved > Budget
  • AWS > EC2 > Listener Rule > Approved > Regions
  • AWS > EC2 > Listener Rule > Approved > Usage
  • AWS > EC2 > Listener Rule > CMDB
  • AWS > EC2 > Listener Rule > Configured
  • AWS > EC2 > Listener Rule > Configured > Claim Precedence
  • AWS > EC2 > Listener Rule > Configured > Source
  • AWS > EC2 > Listener Rule > Regions
  • AWS > EC2 > Listener Rule > Usage
  • AWS > EC2 > Listener Rule > Usage > Limit
  • AWS > EC2 > Load Balancer Listener > Active
  • AWS > EC2 > Load Balancer Listener > Active > Age
  • AWS > EC2 > Load Balancer Listener > Active > Last Modified
  • AWS > EC2 > Load Balancer Listener > Approved
  • AWS > EC2 > Load Balancer Listener > Approved > Regions
  • AWS > EC2 > Load Balancer Listener > Approved > Usage
  • AWS > EC2 > Load Balancer Listener > CMDB
  • AWS > EC2 > Load Balancer Listener > Configured
  • AWS > EC2 > Load Balancer Listener > Configured > Claim Precedence
  • AWS > EC2 > Load Balancer Listener > Configured > Source
  • AWS > EC2 > Load Balancer Listener > Regions
  • AWS > EC2 > Load Balancer Listener > Usage
  • AWS > EC2 > Load Balancer Listener > Usage > Limit
  • AWS > EC2 > Network Interface > Configured
  • AWS > EC2 > Network Interface > Configured > Claim Precedence
  • AWS > EC2 > Network Interface > Configured > Source
  • AWS > EC2 > Snapshot > Configured
  • AWS > EC2 > Snapshot > Configured > Claim Precedence
  • AWS > EC2 > Snapshot > Configured > Source
  • AWS > EC2 > Volume > Configured
  • AWS > EC2 > Volume > Configured > Claim Precedence
  • AWS > EC2 > Volume > Configured > Source

Action Types

  • AWS > EC2 > Listener Rule > Delete
  • AWS > EC2 > Listener Rule > Router
  • AWS > EC2 > Load Balancer Listener > Delete
  • AWS > EC2 > Load Balancer Listener > Router