@turbot/aws-ec2
The aws-ec2 mod contains resource, control and policy definitions for the AWS EC2 service.
Resource Types
Resource types covered by this mod:
- AWS > EC2
- AWS > EC2 > AMI
- AWS > EC2 > Application Load Balancer
- AWS > EC2 > Auto Scaling Group
- AWS > EC2 > Classic Load Balancer
- AWS > EC2 > Classic Load Balancer Listener
- AWS > EC2 > Account Attributes
- AWS > EC2 > Gateway Load Balancer
- AWS > EC2 > Instance
- AWS > EC2 > Key Pair
- AWS > EC2 > Launch Configuration
- AWS > EC2 > Launch Template
- AWS > EC2 > Launch Template Version
- AWS > EC2 > Listener Rule
- AWS > EC2 > Load Balancer Listener
- AWS > EC2 > Network Interface
- AWS > EC2 > Network Load Balancer
- AWS > EC2 > Snapshot
- AWS > EC2 > Target Group
- AWS > EC2 > Volume
Permissions
The permissions used by this mod for EC2, with the grant level associated with each permission:
Permission | Grant Level | Help |
---|---|---|
acm:ListCertificates | Metadata | Required for ELB launches. |
application-autoscaling:DeleteScalingPolicy | Admin | Admins can change the autoscaling process. |
application-autoscaling:DeleteScheduledAction | Admin | |
application-autoscaling:DeregisterScalableTarget | Operator | |
application-autoscaling:DescribeScalableTargets | Metadata | |
application-autoscaling:DescribeScalingActivities | Metadata | |
application-autoscaling:DescribeScalingPolicies | Metadata | |
application-autoscaling:DescribeScheduledActions | Metadata | |
application-autoscaling:PutScalingPolicy | Admin | Admins can change the autoscaling process. |
application-autoscaling:PutScheduledAction | Admin | |
application-autoscaling:RegisterScalableTarget | Operator | |
autoscaling-plans:CreateScalingPlan | Admin | |
autoscaling-plans:DeleteScalingPlan | Admin | |
autoscaling-plans:DescribeScalingPlanResources | Metadata | |
autoscaling-plans:DescribeScalingPlans | Metadata | |
autoscaling-plans:GetScalingPlanResourceForecastData | Metadata | |
autoscaling-plans:UpdateScalingPlan | Operator | |
autoscaling:AttachInstances | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:AttachLoadBalancerTargetGroups | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:AttachLoadBalancers | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:BatchDeleteScheduledAction | Whitelist | Admins can change the autoscaling process. |
autoscaling:BatchPutScheduledUpdateGroupAction | Whitelist | Admins can change the autoscaling process. |
autoscaling:CancelInstanceRefresh | Whitelist | |
autoscaling:CompleteLifecycleAction | Operator | Allows custom steps in the autoscaling lifecycle process |
autoscaling:CreateAutoScalingGroup | Whitelist | |
autoscaling:CreateLaunchConfiguration | Whitelist | |
autoscaling:CreateOrUpdateScalingTrigger | Whitelist | |
autoscaling:CreateOrUpdateTags | Operator | |
autoscaling:CreateScalingPlan | Whitelist | Admins can create autoscaling plans. |
autoscaling:DeleteAutoScalingGroup | Whitelist | |
autoscaling:DeleteLaunchConfiguration | Whitelist | |
autoscaling:DeleteLifecycleHook | Whitelist | Admins can change the autoscaling process. |
autoscaling:DeleteNotificationConfiguration | Operator | Operators can control monitoring & notification of the autoscaling group. |
autoscaling:DeletePolicy | Whitelist | Admins can change the autoscaling process. |
autoscaling:DeleteScalingPlan | Whitelist | Admins can delete autoscaling plans. |
autoscaling:DeleteScheduledAction | Whitelist | Admins can change the autoscaling process. |
autoscaling:DeleteTags | Operator | |
autoscaling:DeleteTrigger | Whitelist | |
autoscaling:DeleteWarmPool | Admin | |
autoscaling:DescribeAccountLimits | Metadata | |
autoscaling:DescribeAdjustmentTypes | Metadata | |
autoscaling:DescribeAutoScalingGroups | Metadata | |
autoscaling:DescribeAutoScalingInstances | Metadata | |
autoscaling:DescribeAutoScalingNotificationTypes | Metadata | |
autoscaling:DescribeInstanceRefreshes | Metadata | |
autoscaling:DescribeLaunchConfigurations | Metadata | |
autoscaling:DescribeLifecycleHookTypes | Metadata | |
autoscaling:DescribeLifecycleHooks | Metadata | |
autoscaling:DescribeLoadBalancerTargetGroups | Metadata | |
autoscaling:DescribeLoadBalancers | Metadata | |
autoscaling:DescribeMetricCollectionTypes | Metadata | |
autoscaling:DescribeNotificationConfigurations | Metadata | |
autoscaling:DescribePolicies | Metadata | |
autoscaling:DescribeScalingActivities | Metadata | |
autoscaling:DescribeScalingPlanResources | Metadata | Describes the scalable resources in the specified scaling plan. |
autoscaling:DescribeScalingPlans | Metadata | Describes the specified scaling plans or all of your scaling plans. |
autoscaling:DescribeScalingProcessTypes | Metadata | |
autoscaling:DescribeScheduledActions | Metadata | |
autoscaling:DescribeTags | Metadata | |
autoscaling:DescribeTerminationPolicyTypes | Metadata | |
autoscaling:DescribeTriggers | Metadata | |
autoscaling:DescribeWarmPool | Metadata | |
autoscaling:DetachInstances | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:DetachLoadBalancerTargetGroups | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:DetachLoadBalancers | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:DisableMetricsCollection | Operator | Operators can control monitoring & notification of the autoscaling group. |
autoscaling:EnableMetricsCollection | Operator | Operators can control monitoring & notification of the autoscaling group. |
autoscaling:EnterStandby | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:ExecutePolicy | Operator | Operators can execute a policy that was defined by an Admin. |
autoscaling:ExitStandby | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:PutLifecycleHook | Whitelist | Admins can change the autoscaling process. |
autoscaling:PutNotificationConfiguration | Operator | Operators can control monitoring & notification of the autoscaling group. |
autoscaling:PutScalingPolicy | Whitelist | Admins can change the autoscaling process. |
autoscaling:PutScheduledUpdateGroupAction | Whitelist | Admins can change the autoscaling process. |
autoscaling:PutWarmPool | Admin | |
autoscaling:RecordLifecycleActionHeartbeat | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:ResumeProcesses | Operator | |
autoscaling:SetDesiredCapacity | Whitelist | |
autoscaling:SetInstanceHealth | Operator | |
autoscaling:SetInstanceProtection | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:StartInstanceRefresh | Whitelist | |
autoscaling:SuspendProcesses | Operator | |
autoscaling:TerminateInstanceInAutoScalingGroup | Operator | |
autoscaling:UpdateAutoScalingGroup | Whitelist | |
aws-marketplace:BatchMeterUsage | Admin | Administrators may report software usage. |
aws-marketplace:GetEntitlements | Metadata | Viewing entitlement of a customer to a given product. http://docs.aws.amazon.com/marketplaceentitlement/latest/APIReference/Welcome.html. |
aws-marketplace:MeterUsage | Admin | Administrators may report software usage. |
aws-marketplace:ResolveCustomer | Admin | Used by SaaS application and returns customer identifier and product code based on registration token. |
aws-marketplace:Subscribe | Whitelist | Administrators may subscribe to marketplace software |
aws-marketplace:Unsubscribe | Whitelist | Administrators may subscribe to marketplace software |
aws-marketplace:ViewSubscriptions | Metadata | Viewing marketplace subscriptions is required for server management if the marketplace is used. |
cloudwatch:DescribeAlarmHistory | Metadata | For console access per EC2 ReadOnly policy |
cloudwatch:DescribeAlarms | Metadata | For console access per EC2 ReadOnly policy |
cloudwatch:DescribeAlarmsForMetric | Metadata | For console access per EC2 ReadOnly policy |
cloudwatch:GetMetricData | Metadata | Allows the GetMetricData API to retrieve multiple metrics in one call and to perform mathematical expressions on that data. |
cloudwatch:GetMetricStatistics | Metadata | For console access per EC2 ReadOnly policy |
cloudwatch:ListMetrics | Metadata | For console access per EC2 ReadOnly policy |
ec2-reports:ViewInstanceUsageReport | Metadata | Obscure permission http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usage-reports.html#iam-access-ec2-reports |
ec2-reports:ViewReservedInstanceUtilizationReport | Metadata | Obscure permission http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usage-reports.html#iam-access-ec2-reports |
ec2:AcceptReservedInstancesExchangeQuote | Admin | Accounts can manage their own reserved instances (but cannot resell them). |
ec2:AllocateAddress | Admin | Admins can allocate new elastic IP addresses; this is considered safe as the proper routing still needs to be configured for public access. |
ec2:AllocateHosts | Admin | |
ec2:AssignIpv6Addresses | Admin | Private IP addresses are within the address space allocated to the account, so they can be safely managed by the account. |
ec2:AssignPrivateIpAddresses | Admin | Private IP addresses are within the address space allocated to the account, so they can be safely managed by the account. |
ec2:AssociateAddress | Admin | Admins can associate elastic IP addresses; this is considered safe as the proper routing still needs to be configured for public access. |
ec2:AssociateEnclaveCertificateIamRole | Admin | |
ec2:AssociateIamInstanceProfile | Admin | Admins manage IAM instance profile associations for existing instances. |
ec2:AssociateInstanceEventWindow | Admin | |
ec2:AssociateTrunkInterface | Admin | |
ec2:AttachNetworkInterface | Admin | Network interfaces can be safely used by the account inside the VPC context. |
ec2:AttachVolume | Admin | |
ec2:BidEvictedEvent | Admin | Admins can update or terminate spot instances. |
ec2:BundleInstance | Whitelist | Optional VM export |
ec2:CancelBundleTask | Whitelist | Optional VM export |
ec2:CancelCapacityReservation | Admin | |
ec2:CancelCapacityReservationFleets | Admin | |
ec2:CancelConversionTask | Whitelist | Optional VM export |
ec2:CancelExportTask | Whitelist | Optional VM export |
ec2:CancelImportTask | Whitelist | Optional VM import |
ec2:CancelReservedInstancesListing | Admin | Reserved instance reselling is at the cluster level. |
ec2:CancelSpotFleetRequests | Admin | |
ec2:CancelSpotInstanceRequests | Admin | Accounts can safely use spot instances within their VPC. |
ec2:ConfirmProductInstance | Admin | Only relevant to AMI marketplace sellers. |
ec2:CopyFpgaImage | Admin | Copies the specified Amazon FPGA Image (AFI) to the current region. |
ec2:CopyImage | Whitelist | Optional image management. Copies image between regions not across accounts |
ec2:CopySnapshot | Operator | Low risk operation to copy data within the same account. |
ec2:CreateCapacityReservation | Admin | |
ec2:CreateCapacityReservationFleet | Admin | |
ec2:CreateFleet | Admin | |
ec2:CreateFpgaImage | Whitelist | Optional FPGA image management. https://aws.amazon.com/ec2/instance-types/f1/ |
ec2:CreateImage | Whitelist | Optional image management. Creates a new AMI from an instance in the account. |
ec2:CreateInstanceExportTask | Whitelist | Optional VM export. |
ec2:CreateInstanceEventWindow | Admin | |
ec2:CreateKeyPair | Admin | Administrators use key pairs when starting new instances. This should be moved to an option in the future when Turbot supports non-key pair based login. |
ec2:CreateLaunchTemplate | Admin | |
ec2:CreateLaunchTemplateVersion | Admin | |
ec2:CreateManagedPrefixList | Admin | |
ec2:CreateNetworkInterfacePermission | Admin | |
ec2:CreateNetworkInterface | Admin | Network interfaces can be safely used by the account inside the VPC context. |
ec2:CreatePlacementGroup | Admin | Servers can be safely placed within cluster managed networks. |
ec2:CreateReplaceRootVolumeTask | Admin | |
ec2:CreateReservedInstancesListing | Admin | Reserved instance reselling is at the cluster level. |
ec2:CreateRestoreImageTask | Admin | |
ec2:CreateSnapshot | Operator | Low risk operation to backup data within the same account. |
ec2:CreateSnapshots | Operator | Low risk operation to backup data within the same account. |
ec2:CreateSpotDatafeedSubscription | Admin | Accounts can safely use spot instances within their VPC. |
ec2:CreateStoreImageTask | Admin | |
ec2:CreateTags | Operator | Tags are low risk to manage in Turbot, since accounts, not tags, are the isolation boundary. |
ec2:CreateVolume | Admin | Storage management is safe within the account. |
ec2:DeleteFleets | Admin | |
ec2:DeleteFpgaImage | Admin | Deletes the specified Amazon FPGA Image. |
ec2:DeleteInstanceEventWindow | Admin | |
ec2:DeleteKeyPair | Admin | |
ec2:DeleteLaunchTemplate | Admin | |
ec2:DeleteLaunchTemplateVersions | Admin | |
ec2:DeleteManagedPrefixList | Admin | |
ec2:DeleteNetworkInterface | Admin | Network interfaces can be safely used by the account inside the VPC context. |
ec2:DeleteNetworkInterfacePermission | Admin | |
ec2:DeletePlacementGroup | Admin | |
ec2:DeleteSnapshot | Admin | Deletion of snapshots is limited to Admin though creation is open to Operator. |
ec2:DeleteSpotDatafeedSubscription | Admin | |
ec2:DeleteTags | Operator | Tags are low risk to manage in Turbot, since accounts, not tags, are the isolation boundary. Most deletions are denied to Operators, but deleting tags is a low risk management activity. |
ec2:DeleteQueuedReservedInstances | Admin | |
ec2:DeleteVolume | Admin | |
ec2:DeregisterImage | Whitelist | Optional image management. Deregisters an image, preventing further launches. |
ec2:DeregisterInstanceEventNotificationAttributes | Admin | |
ec2:DescribeAccountAttributes | Metadata | |
ec2:DescribeAddresses | Metadata | |
ec2:DescribeAddressesAttribute | Metadata | |
ec2:DescribeAvailabilityZones | Metadata | |
ec2:DescribeBundleTasks | Metadata | |
ec2:DescribeCapacityReservations | Metadata | |
ec2:DescribeCapacityReservationFleets | Metadata | |
ec2:DescribeCarrierGateways | Metadata | |
ec2:DescribeClassicLinkInstances | Metadata | |
ec2:DescribeConversionTasks | Metadata | |
ec2:DescribeElasticGpus | Metadata | |
ec2:DescribeExportImageTasks | Metadata | |
ec2:DescribeExportTasks | Metadata | |
ec2:DescribeFastSnapshotRestores | Metadata | |
ec2:DescribeFleetHistory | Metadata | |
ec2:DescribeFleetInstances | Metadata | |
ec2:DescribeFleets | Metadata | |
ec2:DescribeFpgaImageAttribute | Metadata | Describes the specified attribute of the specified Amazon FPGA Image. |
ec2:DescribeFpgaImages | Metadata | |
ec2:DescribeHostReservationOfferings | Metadata | |
ec2:DescribeHostReservations | Metadata | |
ec2:DescribeHosts | Metadata | |
ec2:DescribeIamInstanceProfileAssociations | Metadata | |
ec2:DescribeIdFormat | Metadata | |
ec2:DescribeIdentityIdFormat | Metadata | |
ec2:DescribeImageAttribute | Metadata | |
ec2:DescribeImages | Metadata | |
ec2:DescribeImportImageTasks | Metadata | |
ec2:DescribeImportSnapshotTasks | Metadata | |
ec2:DescribeInstanceAttribute | Metadata | |
ec2:DescribeInstanceCreditSpecifications | Metadata | |
ec2:DescribeInstanceEventNotificationAttributes | Metadata | |
ec2:DescribeInstanceEventWindows | Metadata | |
ec2:DescribeInstanceStatus | Metadata | |
ec2:DescribeInstances | Metadata | |
ec2:DescribeInstanceTypeOfferings | Metadata | |
ec2:DescribeInstanceTypes | Metadata | |
ec2:DescribeKeyPairs | Metadata | |
ec2:DescribeLaunchTemplateVersions | Metadata | |
ec2:DescribeLaunchTemplates | Metadata | |
ec2:DescribeLicenses | Metadata | Note: Not currently in use by AWS - http://aws.amazon.com/blogs/aws/bring_your_own_ea_windows_server_license_to_ec2/ |
ec2:DescribeMovingAddresses | Metadata | |
ec2:DescribeNetworkInterfaceAttribute | Metadata | |
ec2:DescribeNetworkInterfacePermissions | Metadata | Describes the permissions of network interfaces. |
ec2:DescribeNetworkInterfaces | Metadata | |
ec2:DescribePlacementGroups | Metadata | |
ec2:DescribePublicIpv4Pools | Metadata | |
ec2:DescribeIpv6Pools | Metadata | |
ec2:DescribeReplaceRootVolumeTasks | Metadata | |
ec2:DescribeRegions | Metadata | |
ec2:DescribeReservedInstances | Metadata | |
ec2:DescribeReservedInstancesListings | Metadata | |
ec2:DescribeReservedInstancesModifications | Metadata | |
ec2:DescribeReservedInstancesOfferings | Metadata | |
ec2:DescribeScheduledInstanceAvailability | Metadata | |
ec2:DescribeScheduledInstances | Metadata | |
ec2:DescribeSecurityGroupReferences | Metadata | |
ec2:DescribeSecurityGroups | Metadata | |
ec2:DescribeSnapshotAttribute | Metadata | |
ec2:DescribeSnapshotTierStatus | Metadata | |
ec2:DescribeSnapshots | Metadata | |
ec2:DescribeSpotDatafeedSubscription | Metadata | |
ec2:DescribeSpotFleetInstances | Metadata | |
ec2:DescribeSpotFleetRequestHistory | Metadata | |
ec2:DescribeSpotFleetRequests | Metadata | |
ec2:DescribeSpotInstanceRequests | Metadata | |
ec2:DescribeSpotPriceHistory | Metadata | |
ec2:DescribeStaleSecurityGroups | Metadata | |
ec2:DescribeStoreImageTasks | Metadata | |
ec2:DescribeTags | Metadata | |
ec2:DescribeVolumeAttribute | Metadata | |
ec2:DescribeVolumeStatus | Metadata | |
ec2:DescribeVolumes | Metadata | |
ec2:DescribeVolumesModifications | Metadata | |
ec2:DetachClassicLinkVpc | Admin | |
ec2:DetachNetworkInterface | Admin | Network interfaces can be safely used by the account inside the VPC context. |
ec2:DetachVolume | Admin | |
ec2:DisableEbsEncryptionByDefault | Admin | Admins can disable EBS Encryption by Default. |
ec2:DisableFastSnapshotRestores | Admin | |
ec2:DisableImageDeprecation | Admin | |
ec2:DisableSerialConsoleAccess | Admin | |
ec2:DisassociateAddress | Admin | Admins can disassociate elastic IP addresses. |
ec2:DisassociateEnclaveCertificateIamRole | Admin | |
ec2:DisassociateIamInstanceProfile | Admin | Admins manage IAM instance profile associations for existing instances. |
ec2:DisassociateInstanceEventWindow | Admin | |
ec2:DisassociateTrunkInterface | Admin | |
ec2:EnableFastSnapshotRestores | Admin | |
ec2:EnableImageDeprecation | Admin | |
ec2:EnableSerialConsoleAccess | Admin | |
ec2:EnableEbsEncryptionByDefault | Admin | Admins can enable EBS Encryption by Default. |
ec2:EnableVolumeIO | Admin | |
ec2:ExportImage | Operator | |
ec2:GetAssociatedEnclaveCertificateIamRoles | Metadata | |
ec2:GetCapacityReservationUsage | Metadata | |
ec2:GetConsoleOutput | Metadata | Allows viewing of console output from machines; helpful for monitoring and investigating systems during bootup. Considered Metadata rather than ReadOnly, since systems should not be logging sensitive information and console output is a key part of troubleshooting before needing access to the actual machine (which would be at least ReadOnly). |
ec2:GetConsoleScreenshot | Metadata | Allows viewing an on-demand screenshot of an instance's console, which is helpful for monitoring and investigating systems that have become unreachable via RDP and SSH. Considered Metadata rather than ReadOnly, since it is a key part of troubleshooting when the instance is unreachable. |
ec2:GetDefaultCreditSpecification | Metadata | |
ec2:GetEbsDefaultKmsKeyId | Metadata | |
ec2:GetEbsEncryptionByDefault | Metadata | |
ec2:GetGroupsForCapacityReservation | Metadata | |
ec2:GetHostReservationPurchasePreview | Metadata | Allows preview of host reservation purchase but does not result in offering being purchased. |
ec2:GetInstanceTypesFromInstanceRequirements | Metadata | |
ec2:GetLaunchTemplateData | Metadata | Launch template data contains metadata about the EC2 instance. |
ec2:GetPasswordData | Admin | Required for launch of Windows machines and used with key pairs. |
ec2:GetReservedInstancesExchangeQuote | Metadata | |
ec2:GetSerialConsoleAccessStatus | Metadata | |
ec2:GetSpotPlacementScores | Metadata | |
ec2:ImportImage | Whitelist | Optional VM import |
ec2:ImportInstance | Whitelist | Optional VM import |
ec2:ImportKeyPair | Admin | Administrators use key pairs when starting new instances. This should be moved to an option in the future when Turbot supports non-key pair based login. |
ec2:ImportSnapshot | Whitelist | Optional VM import |
ec2:ImportVolume | Whitelist | Optional VM import |
ec2:ListSnapshotsInRecycleBin | Metadata | |
ec2:ModifyAvailabilityZoneGroup | Admin | |
ec2:ModifyCapacityReservation | Admin | |
ec2:ModifyCapacityReservationFleet | Admin | |
ec2:ModifyDefaultCreditSpecification | Admin | |
ec2:ModifyEbsDefaultKmsKeyId | Admin | Admins can update default KMS key for EBS Encryption by Default. |
ec2:ModifyFleet | Admin | |
ec2:ModifyFpgaImageAttribute | Admin | Modifies the specified attributes(description |
ec2:ModifyHosts | Admin | |
ec2:ModifyIdFormat | Admin | |
ec2:ModifyIdentityIdFormat | Admin | |
ec2:ModifyInstanceEventWindow | Admin | |
ec2:ModifyImageAttribute | Whitelist | Optional image attribute management |
ec2:ModifyInstanceAttribute | Admin | Accounts can manage their own instances. |
ec2:ModifyInstanceCapacityReservationAttributes | Admin | |
ec2:ModifyInstanceCreditSpecification | Admin | |
ec2:ModifyInstanceEventStartTime | Admin | |
ec2:ModifyInstanceMetadataOptions | Admin | |
ec2:ModifyInstancePlacement | Admin | |
ec2:ModifyLaunchTemplate | Admin | |
ec2:ModifyNetworkInterfaceAttribute | Admin | Network interfaces can be safely used by the account inside the VPC context. |
ec2:ModifyReservedInstances | Admin | Accounts can manage their own reserved instances (but cannot resell them). |
ec2:ModifySnapshotTier | Admin | |
ec2:ModifySnapshotAttribute | Admin | Allows for cross-account access. |
ec2:ModifySpotFleetRequest | Admin | |
ec2:ModifyVolume | Admin | Within account storage performance changes. |
ec2:ModifyVolumeAttribute | Admin | Within account storage performance changes. |
ec2:MonitorInstances | Admin | Monitoring frequency is managed by accounts. |
ec2:MoveAddressToVpc | Admin | |
ec2:PurchaseHostReservation | Admin | Accounts can manage their own dedicated hosts. |
ec2:PurchaseReservedInstancesOffering | Admin | Accounts can manage their own reserved instances (but cannot resell them). |
ec2:PurchaseScheduledInstances | Owner | Long term subscriptions are managed by owners. |
ec2:RebootInstances | Operator | Operators can start, stop and reboot existing instances. |
ec2:RegisterImage | Whitelist | Optional image management. Registers an AMI for launching; typically done automatically as part of CreateImage |
ec2:RegisterInstanceEventNotificationAttributes | Admin | |
ec2:ReleaseAddress | Admin | Admins can release elastic IP addresses. |
ec2:ReleaseHosts | Admin | |
ec2:ReplaceIamInstanceProfileAssociation | Admin | Admins manage IAM instance profile associations for existing instances. |
ec2:ReportInstanceStatus | Operator | Operators can report bad instances to AWS support. |
ec2:RequestSpotFleet | Admin | |
ec2:RequestSpotInstances | Admin | Accounts can safely use spot instances within their VPC. |
ec2:ResetEbsDefaultKmsKeyId | Admin | Admins can reset default KMS key for EBS Encryption by Default to the AWS managed CMK for EBS. |
ec2:ResetFpgaImageAttribute | Admin | Resets the load permission attribute. |
ec2:ResetImageAttribute | Whitelist | Optional image attribute management |
ec2:ResetInstanceAttribute | Admin | Instances are managed by accounts. |
ec2:ResetNetworkInterfaceAttribute | Admin | Network interfaces can be safely used by the account inside the VPC context. |
ec2:ResetSnapshotAttribute | Admin | |
ec2:RestoreAddressToClassic | Admin | EC2 classic should not be used |
ec2:RestoreSnapshotTier | Admin | |
ec2:RestoreSnapshotFromRecycleBin | Admin | |
ec2:RunInstances | Admin | Only Admin can create new instances. |
ec2:RunScheduledInstances | Admin | |
ec2:SendDiagnosticInterrupt | Admin | |
ec2:SendSpotInstanceInterruptions | Admin | |
ec2:StartInstances | Operator | Operators can start, stop and reboot existing instances. |
ec2:StopInstances | Operator | Operators can start, stop and reboot existing instances. |
ec2:TerminateInstances | Admin | Only Admin can terminate instances. |
ec2:UnassignIpv6Addresses | Admin | Private IP addresses are within the address space allocated to the account, so they can be safely managed by the account. |
ec2:UnassignPrivateIpAddresses | Admin | Private IP addresses are within the address space allocated to the account, so they can be safely managed by the account. |
ec2:UnmonitorInstances | Admin | Monitoring frequency is managed by accounts. |
elastic-inference:Connect | Admin | |
elasticloadbalancing:AddListenerCertificates | Admin | Admin can add specified certificate to the specified secure listener. |
elasticloadbalancing:AddTags | Operator | Operators can manage tags metadata about ELB. |
elasticloadbalancing:ApplySecurityGroupsToLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:AttachLoadBalancerToSubnets | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:ConfigureHealthCheck | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateAppCookieStickinessPolicy | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateLBCookieStickinessPolicy | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateListener | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateLoadBalancerListeners | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateLoadBalancerPolicy | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateRule | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateTargetGroup | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:DeleteListener | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:DeleteLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:DeleteLoadBalancerListeners | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:DeleteLoadBalancerPolicy | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:DeleteRule | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:DeleteTargetGroup | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:DeregisterInstancesFromLoadBalancer | Operator | Operators can manage individual instances on the ELB as part of being able to stop, start and reboot servers. |
elasticloadbalancing:DeregisterTargets | Operator | Operators can manage individual instances on the ALB as part of being able to stop, start and reboot servers. |
elasticloadbalancing:DescribeAccountLimits | Metadata | |
elasticloadbalancing:DescribeInstanceHealth | Metadata | |
elasticloadbalancing:DescribeListenerCertificates | Metadata | |
elasticloadbalancing:DescribeListeners | Metadata | |
elasticloadbalancing:DescribeLoadBalancerAttributes | Metadata | |
elasticloadbalancing:DescribeLoadBalancerPolicies | Metadata | |
elasticloadbalancing:DescribeLoadBalancerPolicyTypes | Metadata | |
elasticloadbalancing:DescribeLoadBalancers | Metadata | |
elasticloadbalancing:DescribeRules | Metadata | |
elasticloadbalancing:DescribeSSLPolicies | Metadata | |
elasticloadbalancing:DescribeTags | Metadata | |
elasticloadbalancing:DescribeTargetGroupAttributes | Metadata | |
elasticloadbalancing:DescribeTargetGroups | Metadata | |
elasticloadbalancing:DescribeTargetHealth | Metadata | |
elasticloadbalancing:DetachLoadBalancerFromSubnets | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:ModifyListener | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:ModifyLoadBalancerAttributes | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:ModifyRule | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:ModifyTargetGroup | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:ModifyTargetGroupAttributes | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:RegisterInstancesWithLoadBalancer | Operator | Operators can manage individual instances on the ELB as part of being able to stop, start and reboot servers. |
elasticloadbalancing:RegisterTargets | Operator | Operators can manage individual instances on the ELB as part of being able to stop, start and reboot servers. |
elasticloadbalancing:RemoveListenerCertificates | Admin | Admin can remove the specified certificate from the specified secure listener. |
elasticloadbalancing:RemoveTags | Operator | Operators can manage tags metadata about ELB. |
elasticloadbalancing:SetIpAddressType | Admin | |
elasticloadbalancing:SetLoadBalancerListenerSSLCertificate | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:SetLoadBalancerPoliciesOfListener | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:SetRulePriorities | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:SetSecurityGroups | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:SetSubnets | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:SetWebAcl | Admin | |
health:DescribeEventAggregates | Metadata | |
iam:PassRole | Admin | |
kms:ListAliases | Metadata | |
marketplacecommerceanalytics:GenerateDataSet | Admin | Administrators may access product and customer data on the AWS Marketplace. |
marketplacecommerceanalytics:StartSupportDataExport | Admin | Administrators may access product and customer data on the AWS Marketplace. |
Recommended Version
@turbot/turbot ^5.22.0
@turbot/turbot-iam ^5.1.0
@turbot/aws-iam ^5.1.0
@turbot/aws-kms ^5.0.0
Control Types
- AWS > EC2 > AMI > Active
- AWS > EC2 > AMI > Approved
- AWS > EC2 > AMI > CMDB
- AWS > EC2 > AMI > Configured
- AWS > EC2 > AMI > Discovery
- AWS > EC2 > AMI > Tags
- AWS > EC2 > AMI > Trusted Access
- AWS > EC2 > AMI > Usage
- AWS > EC2 > Account Attributes > CMDB
- AWS > EC2 > Account Attributes > Discovery
- AWS > EC2 > Account Attributes > EBS Encryption by Default
- AWS > EC2 > Application Load Balancer > Access Logging
- AWS > EC2 > Application Load Balancer > Active
- AWS > EC2 > Application Load Balancer > Approved
- AWS > EC2 > Application Load Balancer > CMDB
- AWS > EC2 > Application Load Balancer > Configured
- AWS > EC2 > Application Load Balancer > Discovery
- AWS > EC2 > Application Load Balancer > Tags
- AWS > EC2 > Application Load Balancer > Usage
- AWS > EC2 > Auto Scaling Group > Active
- AWS > EC2 > Auto Scaling Group > Approved
- AWS > EC2 > Auto Scaling Group > CMDB
- AWS > EC2 > Auto Scaling Group > Discovery
- AWS > EC2 > Auto Scaling Group > Tags
- AWS > EC2 > Auto Scaling Group > Usage
- AWS > EC2 > Classic Load Balancer > Access Logging
- AWS > EC2 > Classic Load Balancer > Active
- AWS > EC2 > Classic Load Balancer > Approved
- AWS > EC2 > Classic Load Balancer > CMDB
- AWS > EC2 > Classic Load Balancer > Configured
- AWS > EC2 > Classic Load Balancer > Discovery
- AWS > EC2 > Classic Load Balancer > Tags
- AWS > EC2 > Classic Load Balancer > Usage
- AWS > EC2 > Classic Load Balancer Listener > Active
- AWS > EC2 > Classic Load Balancer Listener > Approved
- AWS > EC2 > Classic Load Balancer Listener > CMDB
- AWS > EC2 > Classic Load Balancer Listener > Discovery
- AWS > EC2 > Classic Load Balancer Listener > SSL Policy
- AWS > EC2 > Classic Load Balancer Listener > Usage
- AWS > EC2 > Gateway Load Balancer > Active
- AWS > EC2 > Gateway Load Balancer > Approved
- AWS > EC2 > Gateway Load Balancer > CMDB
- AWS > EC2 > Gateway Load Balancer > Discovery
- AWS > EC2 > Gateway Load Balancer > Tags
- AWS > EC2 > Gateway Load Balancer > Usage
- AWS > EC2 > Instance > Active
- AWS > EC2 > Instance > Approved
- AWS > EC2 > Instance > CMDB
- AWS > EC2 > Instance > Configured
- AWS > EC2 > Instance > Detailed Monitoring
- AWS > EC2 > Instance > Discovery
- AWS > EC2 > Instance > Instance Profile
- AWS > EC2 > Instance > Metadata Service
- AWS > EC2 > Instance > Schedule
- AWS > EC2 > Instance > Tags
- AWS > EC2 > Instance > Termination Protection
- AWS > EC2 > Instance > Usage
- AWS > EC2 > Key Pair > Active
- AWS > EC2 > Key Pair > Approved
- AWS > EC2 > Key Pair > CMDB
- AWS > EC2 > Key Pair > Discovery
- AWS > EC2 > Key Pair > Tags
- AWS > EC2 > Key Pair > Usage
- AWS > EC2 > Launch Configuration > Active
- AWS > EC2 > Launch Configuration > Approved
- AWS > EC2 > Launch Configuration > CMDB
- AWS > EC2 > Launch Configuration > Discovery
- AWS > EC2 > Launch Configuration > Usage
- AWS > EC2 > Launch Template > Active
- AWS > EC2 > Launch Template > Approved
- AWS > EC2 > Launch Template > CMDB
- AWS > EC2 > Launch Template > Discovery
- AWS > EC2 > Launch Template > Tags
- AWS > EC2 > Launch Template > Usage
- AWS > EC2 > Launch Template Version > Active
- AWS > EC2 > Launch Template Version > Approved
- AWS > EC2 > Launch Template Version > CMDB
- AWS > EC2 > Launch Template Version > Discovery
- AWS > EC2 > Launch Template Version > Usage
- AWS > EC2 > Listener Rule > Active
- AWS > EC2 > Listener Rule > Approved
- AWS > EC2 > Listener Rule > CMDB
- AWS > EC2 > Listener Rule > Configured
- AWS > EC2 > Listener Rule > Discovery
- AWS > EC2 > Listener Rule > Usage
- AWS > EC2 > Load Balancer Listener > Active
- AWS > EC2 > Load Balancer Listener > Approved
- AWS > EC2 > Load Balancer Listener > CMDB
- AWS > EC2 > Load Balancer Listener > Configured
- AWS > EC2 > Load Balancer Listener > Discovery
- AWS > EC2 > Load Balancer Listener > SSL Policy
- AWS > EC2 > Load Balancer Listener > Usage
- AWS > EC2 > Network Interface > Active
- AWS > EC2 > Network Interface > Approved
- AWS > EC2 > Network Interface > CMDB
- AWS > EC2 > Network Interface > Configured
- AWS > EC2 > Network Interface > Discovery
- AWS > EC2 > Network Interface > Tags
- AWS > EC2 > Network Interface > Usage
- AWS > EC2 > Network Load Balancer > Access Logging
- AWS > EC2 > Network Load Balancer > Active
- AWS > EC2 > Network Load Balancer > Approved
- AWS > EC2 > Network Load Balancer > CMDB
- AWS > EC2 > Network Load Balancer > Configured
- AWS > EC2 > Network Load Balancer > Discovery
- AWS > EC2 > Network Load Balancer > Tags
- AWS > EC2 > Network Load Balancer > Usage
- AWS > EC2 > Snapshot > Active
- AWS > EC2 > Snapshot > Approved
- AWS > EC2 > Snapshot > CMDB
- AWS > EC2 > Snapshot > Configured
- AWS > EC2 > Snapshot > Discovery
- AWS > EC2 > Snapshot > Tags
- AWS > EC2 > Snapshot > Trusted Access
- AWS > EC2 > Snapshot > Usage
- AWS > EC2 > Target Group > Active
- AWS > EC2 > Target Group > Approved
- AWS > EC2 > Target Group > CMDB
- AWS > EC2 > Target Group > Configured
- AWS > EC2 > Target Group > Discovery
- AWS > EC2 > Target Group > Tags
- AWS > EC2 > Target Group > Usage
- AWS > EC2 > Volume > Active
- AWS > EC2 > Volume > Approved
- AWS > EC2 > Volume > CMDB
- AWS > EC2 > Volume > Configured
- AWS > EC2 > Volume > Discovery
- AWS > EC2 > Volume > Tags
- AWS > EC2 > Volume > Usage
Policy Types
- AWS > EC2 > AMI > Active
- AWS > EC2 > AMI > Active > Age
- AWS > EC2 > AMI > Active > Budget
- AWS > EC2 > AMI > Active > Last Modified
- AWS > EC2 > AMI > Approved
- AWS > EC2 > AMI > Approved > Budget
- AWS > EC2 > AMI > Approved > Custom
- AWS > EC2 > AMI > Approved > Regions
- AWS > EC2 > AMI > Approved > Usage
- AWS > EC2 > AMI > CMDB
- AWS > EC2 > AMI > Configured
- AWS > EC2 > AMI > Configured > Claim Precedence
- AWS > EC2 > AMI > Configured > Source
- AWS > EC2 > AMI > Regions
- AWS > EC2 > AMI > Tags
- AWS > EC2 > AMI > Tags > Template
- AWS > EC2 > AMI > Trusted Access
- AWS > EC2 > AMI > Trusted Access > Accounts
- AWS > EC2 > AMI > Usage
- AWS > EC2 > AMI > Usage > Limit
- AWS > EC2 > API Enabled
- AWS > EC2 > Account Attributes > CMDB
- AWS > EC2 > Account Attributes > EBS Encryption by Default
- AWS > EC2 > Account Attributes > EBS Encryption by Default > Customer Managed Key
- AWS > EC2 > Account Attributes > Regions
- AWS > EC2 > Application Load Balancer > Access Logging
- AWS > EC2 > Application Load Balancer > Access Logging > Bucket
- AWS > EC2 > Application Load Balancer > Access Logging > Key Prefix
- AWS > EC2 > Application Load Balancer > Active
- AWS > EC2 > Application Load Balancer > Active > Age
- AWS > EC2 > Application Load Balancer > Active > Budget
- AWS > EC2 > Application Load Balancer > Active > Last Modified
- AWS > EC2 > Application Load Balancer > Approved
- AWS > EC2 > Application Load Balancer > Approved > Budget
- AWS > EC2 > Application Load Balancer > Approved > Custom
- AWS > EC2 > Application Load Balancer > Approved > Regions
- AWS > EC2 > Application Load Balancer > Approved > Usage
- AWS > EC2 > Application Load Balancer > CMDB
- AWS > EC2 > Application Load Balancer > Configured
- AWS > EC2 > Application Load Balancer > Configured > Claim Precedence
- AWS > EC2 > Application Load Balancer > Configured > Source
- AWS > EC2 > Application Load Balancer > Regions
- AWS > EC2 > Application Load Balancer > Tags
- AWS > EC2 > Application Load Balancer > Tags > Template
- AWS > EC2 > Application Load Balancer > Usage
- AWS > EC2 > Application Load Balancer > Usage > Limit
- AWS > EC2 > Approved Regions [Default]
- AWS > EC2 > Auto Scaling Group > Active
- AWS > EC2 > Auto Scaling Group > Active > Age
- AWS > EC2 > Auto Scaling Group > Active > Last Modified
- AWS > EC2 > Auto Scaling Group > Approved
- AWS > EC2 > Auto Scaling Group > Approved > Custom
- AWS > EC2 > Auto Scaling Group > Approved > Regions
- AWS > EC2 > Auto Scaling Group > Approved > Usage
- AWS > EC2 > Auto Scaling Group > CMDB
- AWS > EC2 > Auto Scaling Group > Regions
- AWS > EC2 > Auto Scaling Group > Tags
- AWS > EC2 > Auto Scaling Group > Tags > Template
- AWS > EC2 > Auto Scaling Group > Usage
- AWS > EC2 > Auto Scaling Group > Usage > Limit
- AWS > EC2 > Classic Load Balancer > Access Logging
- AWS > EC2 > Classic Load Balancer > Access Logging > Bucket
- AWS > EC2 > Classic Load Balancer > Access Logging > Key Prefix
- AWS > EC2 > Classic Load Balancer > Active
- AWS > EC2 > Classic Load Balancer > Active > Age
- AWS > EC2 > Classic Load Balancer > Active > Budget
- AWS > EC2 > Classic Load Balancer > Active > Last Modified
- AWS > EC2 > Classic Load Balancer > Approved
- AWS > EC2 > Classic Load Balancer > Approved > Budget
- AWS > EC2 > Classic Load Balancer > Approved > Custom
- AWS > EC2 > Classic Load Balancer > Approved > Regions
- AWS > EC2 > Classic Load Balancer > Approved > Usage
- AWS > EC2 > Classic Load Balancer > CMDB
- AWS > EC2 > Classic Load Balancer > Configured
- AWS > EC2 > Classic Load Balancer > Configured > Claim Precedence
- AWS > EC2 > Classic Load Balancer > Configured > Source
- AWS > EC2 > Classic Load Balancer > Regions
- AWS > EC2 > Classic Load Balancer > Tags
- AWS > EC2 > Classic Load Balancer > Tags > Template
- AWS > EC2 > Classic Load Balancer > Usage
- AWS > EC2 > Classic Load Balancer > Usage > Limit
- AWS > EC2 > Classic Load Balancer Listener > Active
- AWS > EC2 > Classic Load Balancer Listener > Active > Age
- AWS > EC2 > Classic Load Balancer Listener > Active > Last Modified
- AWS > EC2 > Classic Load Balancer Listener > Approved
- AWS > EC2 > Classic Load Balancer Listener > Approved > Custom
- AWS > EC2 > Classic Load Balancer Listener > Approved > Instance Protocols
- AWS > EC2 > Classic Load Balancer Listener > Approved > Ports
- AWS > EC2 > Classic Load Balancer Listener > Approved > Protocols
- AWS > EC2 > Classic Load Balancer Listener > Approved > Regions
- AWS > EC2 > Classic Load Balancer Listener > Approved > Usage
- AWS > EC2 > Classic Load Balancer Listener > CMDB
- AWS > EC2 > Classic Load Balancer Listener > Regions
- AWS > EC2 > Classic Load Balancer Listener > SSL Policy
- AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed
- AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Default
- AWS > EC2 > Classic Load Balancer Listener > Usage
- AWS > EC2 > Classic Load Balancer Listener > Usage > Limit
- AWS > EC2 > Enabled
- AWS > EC2 > Gateway Load Balancer > Active
- AWS > EC2 > Gateway Load Balancer > Active > Age
- AWS > EC2 > Gateway Load Balancer > Active > Budget
- AWS > EC2 > Gateway Load Balancer > Active > Last Modified
- AWS > EC2 > Gateway Load Balancer > Approved
- AWS > EC2 > Gateway Load Balancer > Approved > Budget
- AWS > EC2 > Gateway Load Balancer > Approved > Custom
- AWS > EC2 > Gateway Load Balancer > Approved > Regions
- AWS > EC2 > Gateway Load Balancer > Approved > Usage
- AWS > EC2 > Gateway Load Balancer > CMDB
- AWS > EC2 > Gateway Load Balancer > Regions
- AWS > EC2 > Gateway Load Balancer > Tags
- AWS > EC2 > Gateway Load Balancer > Tags > Template
- AWS > EC2 > Gateway Load Balancer > Usage
- AWS > EC2 > Gateway Load Balancer > Usage > Limit
- AWS > EC2 > Instance > Active
- AWS > EC2 > Instance > Active > Age
- AWS > EC2 > Instance > Active > Budget
- AWS > EC2 > Instance > Active > Last Modified
- AWS > EC2 > Instance > Approved
- AWS > EC2 > Instance > Approved > Budget
- AWS > EC2 > Instance > Approved > Custom
- AWS > EC2 > Instance > Approved > Image
- AWS > EC2 > Instance > Approved > Image > AMI IDs
- AWS > EC2 > Instance > Approved > Image > Publishers
- AWS > EC2 > Instance > Approved > Instance Types
- AWS > EC2 > Instance > Approved > Public IP
- AWS > EC2 > Instance > Approved > Regions
- AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest
- AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest > Customer Managed Key
- AWS > EC2 > Instance > Approved > Usage
- AWS > EC2 > Instance > CMDB
- AWS > EC2 > Instance > CMDB > Attributes
- AWS > EC2 > Instance > Configured
- AWS > EC2 > Instance > Configured > Claim Precedence
- AWS > EC2 > Instance > Configured > Source
- AWS > EC2 > Instance > Default Platform
- AWS > EC2 > Instance > Detailed Monitoring
- AWS > EC2 > Instance > Instance Profile
- AWS > EC2 > Instance > Instance Profile > Name
- AWS > EC2 > Instance > Metadata Service
- AWS > EC2 > Instance > Metadata Service > HTTP Token Hop Limit
- AWS > EC2 > Instance > Regions
- AWS > EC2 > Instance > Schedule
- AWS > EC2 > Instance > Schedule Tag
- AWS > EC2 > Instance > Schedule Tag > Name
- AWS > EC2 > Instance > Tags
- AWS > EC2 > Instance > Tags > Inventory Collection
- AWS > EC2 > Instance > Tags > Template
- AWS > EC2 > Instance > Termination Protection
- AWS > EC2 > Instance > Usage
- AWS > EC2 > Instance > Usage > Limit
- AWS > EC2 > Key Pair > Active
- AWS > EC2 > Key Pair > Active > Age
- AWS > EC2 > Key Pair > Active > Budget
- AWS > EC2 > Key Pair > Active > Last Modified
- AWS > EC2 > Key Pair > Approved
- AWS > EC2 > Key Pair > Approved > Budget
- AWS > EC2 > Key Pair > Approved > Custom
- AWS > EC2 > Key Pair > Approved > Regions
- AWS > EC2 > Key Pair > Approved > Usage
- AWS > EC2 > Key Pair > CMDB
- AWS > EC2 > Key Pair > Regions
- AWS > EC2 > Key Pair > Tags
- AWS > EC2 > Key Pair > Tags > Template
- AWS > EC2 > Key Pair > Usage
- AWS > EC2 > Key Pair > Usage > Limit
- AWS > EC2 > Launch Configuration > Active
- AWS > EC2 > Launch Configuration > Active > Age
- AWS > EC2 > Launch Configuration > Active > Last Modified
- AWS > EC2 > Launch Configuration > Approved
- AWS > EC2 > Launch Configuration > Approved > Custom
- AWS > EC2 > Launch Configuration > Approved > Regions
- AWS > EC2 > Launch Configuration > Approved > Usage
- AWS > EC2 > Launch Configuration > CMDB
- AWS > EC2 > Launch Configuration > Regions
- AWS > EC2 > Launch Configuration > Usage
- AWS > EC2 > Launch Configuration > Usage > Limit
- AWS > EC2 > Launch Template > Active
- AWS > EC2 > Launch Template > Active > Age
- AWS > EC2 > Launch Template > Active > Last Modified
- AWS > EC2 > Launch Template > Approved
- AWS > EC2 > Launch Template > Approved > Custom
- AWS > EC2 > Launch Template > Approved > Regions
- AWS > EC2 > Launch Template > Approved > Usage
- AWS > EC2 > Launch Template > CMDB
- AWS > EC2 > Launch Template > Regions
- AWS > EC2 > Launch Template > Tags
- AWS > EC2 > Launch Template > Tags > Template
- AWS > EC2 > Launch Template > Usage
- AWS > EC2 > Launch Template > Usage > Limit
- AWS > EC2 > Launch Template Version > Active
- AWS > EC2 > Launch Template Version > Active > Age
- AWS > EC2 > Launch Template Version > Active > Last Modified
- AWS > EC2 > Launch Template Version > Approved
- AWS > EC2 > Launch Template Version > Approved > Custom
- AWS > EC2 > Launch Template Version > Approved > Regions
- AWS > EC2 > Launch Template Version > Approved > Usage
- AWS > EC2 > Launch Template Version > CMDB
- AWS > EC2 > Launch Template Version > Regions
- AWS > EC2 > Launch Template Version > Usage
- AWS > EC2 > Launch Template Version > Usage > Limit
- AWS > EC2 > Listener Rule > Active
- AWS > EC2 > Listener Rule > Active > Age
- AWS > EC2 > Listener Rule > Active > Budget
- AWS > EC2 > Listener Rule > Active > Last Modified
- AWS > EC2 > Listener Rule > Approved
- AWS > EC2 > Listener Rule > Approved > Budget
- AWS > EC2 > Listener Rule > Approved > Custom
- AWS > EC2 > Listener Rule > Approved > Regions
- AWS > EC2 > Listener Rule > Approved > Usage
- AWS > EC2 > Listener Rule > CMDB
- AWS > EC2 > Listener Rule > Configured
- AWS > EC2 > Listener Rule > Configured > Claim Precedence
- AWS > EC2 > Listener Rule > Configured > Source
- AWS > EC2 > Listener Rule > Regions
- AWS > EC2 > Listener Rule > Usage
- AWS > EC2 > Listener Rule > Usage > Limit
- AWS > EC2 > Load Balancer Listener > Active
- AWS > EC2 > Load Balancer Listener > Active > Age
- AWS > EC2 > Load Balancer Listener > Active > Last Modified
- AWS > EC2 > Load Balancer Listener > Approved
- AWS > EC2 > Load Balancer Listener > Approved > Custom
- AWS > EC2 > Load Balancer Listener > Approved > Ports
- AWS > EC2 > Load Balancer Listener > Approved > Protocols
- AWS > EC2 > Load Balancer Listener > Approved > Regions
- AWS > EC2 > Load Balancer Listener > Approved > Usage
- AWS > EC2 > Load Balancer Listener > CMDB
- AWS > EC2 > Load Balancer Listener > Configured
- AWS > EC2 > Load Balancer Listener > Configured > Claim Precedence
- AWS > EC2 > Load Balancer Listener > Configured > Source
- AWS > EC2 > Load Balancer Listener > Regions
- AWS > EC2 > Load Balancer Listener > SSL Policy
- AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed
- AWS > EC2 > Load Balancer Listener > SSL Policy > Default
- AWS > EC2 > Load Balancer Listener > Usage
- AWS > EC2 > Load Balancer Listener > Usage > Limit
- AWS > EC2 > Network Interface > Active
- AWS > EC2 > Network Interface > Active > Age
- AWS > EC2 > Network Interface > Active > Attached
- AWS > EC2 > Network Interface > Active > Last Modified
- AWS > EC2 > Network Interface > Approved
- AWS > EC2 > Network Interface > Approved > Custom
- AWS > EC2 > Network Interface > Approved > Regions
- AWS > EC2 > Network Interface > Approved > Usage
- AWS > EC2 > Network Interface > CMDB
- AWS > EC2 > Network Interface > Configured
- AWS > EC2 > Network Interface > Configured > Claim Precedence
- AWS > EC2 > Network Interface > Configured > Source
- AWS > EC2 > Network Interface > Regions
- AWS > EC2 > Network Interface > Tags
- AWS > EC2 > Network Interface > Tags > Template
- AWS > EC2 > Network Interface > Usage
- AWS > EC2 > Network Interface > Usage > Limit
- AWS > EC2 > Network Load Balancer > Access Logging
- AWS > EC2 > Network Load Balancer > Access Logging > Bucket
- AWS > EC2 > Network Load Balancer > Access Logging > Key Prefix
- AWS > EC2 > Network Load Balancer > Active
- AWS > EC2 > Network Load Balancer > Active > Age
- AWS > EC2 > Network Load Balancer > Active > Budget
- AWS > EC2 > Network Load Balancer > Active > Last Modified
- AWS > EC2 > Network Load Balancer > Approved
- AWS > EC2 > Network Load Balancer > Approved > Budget
- AWS > EC2 > Network Load Balancer > Approved > Custom
- AWS > EC2 > Network Load Balancer > Approved > Regions
- AWS > EC2 > Network Load Balancer > Approved > Usage
- AWS > EC2 > Network Load Balancer > CMDB
- AWS > EC2 > Network Load Balancer > Configured
- AWS > EC2 > Network Load Balancer > Configured > Claim Precedence
- AWS > EC2 > Network Load Balancer > Configured > Source
- AWS > EC2 > Network Load Balancer > Regions
- AWS > EC2 > Network Load Balancer > Tags
- AWS > EC2 > Network Load Balancer > Tags > Template
- AWS > EC2 > Network Load Balancer > Usage
- AWS > EC2 > Network Load Balancer > Usage > Limit
- AWS > EC2 > Permissions
- AWS > EC2 > Permissions > Levels
- AWS > EC2 > Permissions > Levels > Ami Publishing Administration
- AWS > EC2 > Permissions > Levels > Auto Scaling Administration
- AWS > EC2 > Permissions > Levels > Local Amis Administration
- AWS > EC2 > Permissions > Levels > Marketplace Subscription Administration
- AWS > EC2 > Permissions > Levels > Modifiers
- AWS > EC2 > Permissions > Lockdown
- AWS > EC2 > Permissions > Lockdown > API Boundary
- AWS > EC2 > Permissions > Lockdown > Instance
- AWS > EC2 > Permissions > Lockdown > Instance > Image
- AWS > EC2 > Permissions > Lockdown > Instance > Image > AMI IDs
- AWS > EC2 > Permissions > Lockdown > Instance > Image > Publishers
- AWS > EC2 > Permissions > Lockdown > Instance Types
- AWS > EC2 > Permissions > Lockdown > Volume Types
- AWS > EC2 > Regions
- AWS > EC2 > Snapshot > Active
- AWS > EC2 > Snapshot > Active > Age
- AWS > EC2 > Snapshot > Active > Budget
- AWS > EC2 > Snapshot > Active > Last Modified
- AWS > EC2 > Snapshot > Approved
- AWS > EC2 > Snapshot > Approved > Budget
- AWS > EC2 > Snapshot > Approved > Custom
- AWS > EC2 > Snapshot > Approved > Encryption at Rest
- AWS > EC2 > Snapshot > Approved > Encryption at Rest > Customer Managed Key
- AWS > EC2 > Snapshot > Approved > Regions
- AWS > EC2 > Snapshot > Approved > Usage
- AWS > EC2 > Snapshot > CMDB
- AWS > EC2 > Snapshot > Configured
- AWS > EC2 > Snapshot > Configured > Claim Precedence
- AWS > EC2 > Snapshot > Configured > Source
- AWS > EC2 > Snapshot > Regions
- AWS > EC2 > Snapshot > Tags
- AWS > EC2 > Snapshot > Tags > Template
- AWS > EC2 > Snapshot > Trusted Access
- AWS > EC2 > Snapshot > Trusted Access > Accounts
- AWS > EC2 > Snapshot > Usage
- AWS > EC2 > Snapshot > Usage > Limit
- AWS > EC2 > Tags Template [Default]
- AWS > EC2 > Target Group > Active
- AWS > EC2 > Target Group > Active > Age
- AWS > EC2 > Target Group > Active > Last Modified
- AWS > EC2 > Target Group > Approved
- AWS > EC2 > Target Group > Approved > Custom
- AWS > EC2 > Target Group > Approved > Regions
- AWS > EC2 > Target Group > Approved > Usage
- AWS > EC2 > Target Group > CMDB
- AWS > EC2 > Target Group > Configured
- AWS > EC2 > Target Group > Configured > Claim Precedence
- AWS > EC2 > Target Group > Configured > Source
- AWS > EC2 > Target Group > Regions
- AWS > EC2 > Target Group > Tags
- AWS > EC2 > Target Group > Tags > Template
- AWS > EC2 > Target Group > Usage
- AWS > EC2 > Target Group > Usage > Limit
- AWS > EC2 > Trusted Accounts [Default]
- AWS > EC2 > Volume > Active
- AWS > EC2 > Volume > Active > Age
- AWS > EC2 > Volume > Active > Attached
- AWS > EC2 > Volume > Active > Budget
- AWS > EC2 > Volume > Active > Last Modified
- AWS > EC2 > Volume > Approved
- AWS > EC2 > Volume > Approved > Budget
- AWS > EC2 > Volume > Approved > Custom
- AWS > EC2 > Volume > Approved > Encryption at Rest
- AWS > EC2 > Volume > Approved > Encryption at Rest > Customer Managed Key
- AWS > EC2 > Volume > Approved > Regions
- AWS > EC2 > Volume > Approved > Usage
- AWS > EC2 > Volume > Approved > Volume Types
- AWS > EC2 > Volume > CMDB
- AWS > EC2 > Volume > CMDB > Attributes
- AWS > EC2 > Volume > Configured
- AWS > EC2 > Volume > Configured > Claim Precedence
- AWS > EC2 > Volume > Configured > Source
- AWS > EC2 > Volume > Regions
- AWS > EC2 > Volume > Tags
- AWS > EC2 > Volume > Tags > Template
- AWS > EC2 > Volume > Usage
- AWS > EC2 > Volume > Usage > Limit
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-ec2
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-ec2
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-ec2
- AWS > Turbot > Permissions > Compiled > Lockdown Statements > @turbot/aws-ec2
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-ec2
Release Notes
5.35.0 (2023-09-15)
Bug fixes
- After starting/stopping an instance successfully, the AWS > EC2 > Instance > Schedule control would try to perform the same start/stop action again if the state of the instance was changed outside of the control within 1 hour of the successful start/stop run. This is fixed and the control will now not trigger a start/stop action again for at least 1 hour after the previous successful run.
Policy Types
Added
- AWS > EC2 > Instance > Schedule Tag > Name
5.34.0 (2023-08-01)
What's new?
- We'd sometimes fail to update/clean up stopped/terminated instances via real-time events if the instances were handled via OS-level commands. We've now added support for real-time event handling of EC2 Instance State-change Notification to process `EC2:StopInstances` and `EC2:TerminateInstances` events more reliably than before. Please note that this feature will only be enabled if the `aws` mod is on version 5.26.0 or higher.
- README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
5.33.0 (2023-06-29)
What's new?
- The AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed and AWS > EC2 > Load Balancer Listener > SSL Policy > Default policies now include TLS 1.3 policies in the list of AWS SSL policies that the AWS EC2 load balancer listener can use.
Bug fixes
- The AWS > EC2 > Key Pair > Discovery control would sometimes go into an error state if a Key Pair alias included a backslash. This is now fixed.
5.32.0 (2023-06-01)
What's new?
- Resource metadata will now also include `createdBy` details in Turbot CMDB.
- We've added new Turbot AKAs for AWS > EC2 resource types that match their individual unique identifiers. E.g. `InstanceId` will now also be a Turbot AKA for AWS > EC2 > Instance, `VolumeId` for AWS > EC2 > Volume, etc. Querying such resources in Turbot will now be easier than before.
5.31.8 (2023-05-12)
Bug fixes
- In a busy environment, the AWS > EC2 > Instance > Approved control would sometimes evaluate Root Volume Encryption incorrectly and set it to Not approved even before gauging all parameters for root volume encryption. This is fixed and Root Volume Encryption will now be correctly evaluated before setting the final state of the control.
5.31.7 (2023-03-08)
Bug fixes
- We've updated the EventBridge Rule for ElasticLoadBalancing to filter out `elasticloadbalancing:DeregisterTargets` and `elasticloadbalancing:RegisterTargets` real-time events to reduce unnecessary noise caused by the processing of such events in Turbot.
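The filter described in this entry, as an added example that is not the mod's own EventBridge rule: a pattern in the shape EventBridge uses for CloudTrail API-call events, with an `anything-but` entry on `detail.eventName`, plus a small matcher implementing only the EventBridge operators that pattern uses, run over constructed sample events. The rule shape and the use of the unprefixed CloudTrail names `RegisterTargets` / `DeregisterTargets` (this page writes them with the `elasticloadbalancing:` prefix) are assumptions of this example.

```python
"""Drop noisy ELB target-registration events before they reach a handler.

Added example; the pattern below is an assumed shape, not the mod's actual
EventBridge rule. CloudTrail-via-EventBridge envelopes carry the API name in
detail.eventName without a service prefix, so the anything-but list uses
"RegisterTargets" and "DeregisterTargets".
"""

ELB_RULE_PATTERN = {
    "source": ["aws.elasticloadbalancing"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["elasticloadbalancing.amazonaws.com"],
        # Everything the service logs except the two high-volume calls.
        "eventName": [{"anything-but": ["RegisterTargets", "DeregisterTargets"]}],
    },
}


def _entry_matches(expected, actual):
    """One entry of a pattern list: a literal value or {"anything-but": [...]}."""
    if isinstance(expected, dict):
        if set(expected) != {"anything-but"}:
            raise ValueError(f"unsupported operator {sorted(expected)}")
        return actual not in expected["anything-but"]
    return actual == expected


def matches(pattern, event):
    """Subset of EventBridge semantics sufficient for ELB_RULE_PATTERN:
    every key in the pattern must exist in the event; a list matches if any of
    its entries matches the event value; a dict recurses into a nested object.
    Unsupported operators raise rather than silently passing events through."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(spec, dict):
            if not isinstance(actual, dict) or not matches(spec, actual):
                return False
        elif not any(_entry_matches(entry, actual) for entry in spec):
            return False
    return True


def filter_events(pattern, events):
    """Return only the events the rule would deliver to its target."""
    return [e for e in events if matches(pattern, e)]


def _elb_event(name):
    # Constructed, trimmed CloudTrail-via-EventBridge envelope (not real log data).
    return {
        "source": "aws.elasticloadbalancing",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": "elasticloadbalancing.amazonaws.com", "eventName": name},
    }


SAMPLE_EVENTS = [
    _elb_event("RegisterTargets"),      # filtered: noise
    _elb_event("DeregisterTargets"),    # filtered: noise
    _elb_event("ModifyListener"),       # delivered
    _elb_event("SetSecurityGroups"),    # delivered: Admin-level change, must never be filtered
    {   # a different source entirely; the ELB rule does not match it
        "source": "aws.ec2",
        "detail-type": "EC2 Instance State-change Notification",
        "detail": {"instance-id": "i-0123456789abcdef0", "state": "stopped"},
    },
]


def surviving_event_names(pattern=ELB_RULE_PATTERN, events=SAMPLE_EVENTS):
    """Names of the ELB API calls that pass the filter."""
    return [e["detail"]["eventName"] for e in filter_events(pattern, events)]


if __name__ == "__main__":
    print(surviving_event_names())
```

Two things to keep in mind when tuning such a filter: a call that is filtered is invisible to every real-time handler behind the rule, so anything that depends on target membership has to come from a scheduled path instead; and the anything-but list should stay limited to high-volume, low-risk calls. Configuration changes the permissions table grades as Admin (SetSecurityGroups, SetLoadBalancerListenerSSLCertificate, SetWebAcl and the like) are exactly the events a CMDB or detection pipeline wants delivered promptly.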
5.31.6 (2022-12-13)
Bug fixes
- The `StateReason` attribute in an instance's CMDB data would sometimes fail to update correctly if the instance was started/stopped. This is now fixed.
5.31.5 (2022-11-15)
Bug fixes
- Turbot would sometimes fail to process the `ec2:CreateVolume` real-time event and not upsert the volume correctly in Turbot. This is fixed and volumes will now be discovered and upserted in Turbot more reliably and consistently than before.
5.31.4 (2022-11-08)
Bug fixes
- Previously, for any missing instance, volume, snapshot or key pair in Turbot, we would overlook and not process any of the real-time update events for such resources. From now on, for any such update event, we will try to discover all missing resources and upsert them into Turbot CMDB to allow users to manage their resources more reliably and consistently than before.
5.31.3 (2022-09-30)
Bug fixes
- The AWS > EC2 > Instance > Schedule control would sometimes fail to start/stop an instance as defined in the AWS > EC2 > Instance > Schedule policy. This is fixed and the control will now start/stop instances more reliably and consistently than before.
5.31.2 (2022-07-18)
Bug fixes
- We'd sometimes fail to capture start/stop real-time events for instances when multiple instances were started or stopped at the same time. This is fixed and the CMDB data for such instances will now be more consistent and reflect accurate status details.
5.31.1 (2022-07-13)
Bug fixes
- The lambda functions for certain controls/actions would re-run unnecessarily whenever the mod version was updated. This has now been fixed.
5.31.0 (2022-07-12)
What's new?
- Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
- README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
Action Types
Added
- AWS > EC2 > AMI > Delete from AWS
- AWS > EC2 > AMI > Set Tags
- AWS > EC2 > AMI > Skip alarm for Active control
- AWS > EC2 > AMI > Skip alarm for Active control [90 days]
- AWS > EC2 > AMI > Skip alarm for Approved control
- AWS > EC2 > AMI > Skip alarm for Approved control [90 days]
- AWS > EC2 > AMI > Skip alarm for Tags control
- AWS > EC2 > AMI > Skip alarm for Tags control [90 days]
- AWS > EC2 > Application Load Balancer > Delete from AWS
- AWS > EC2 > Application Load Balancer > Set Tags
- AWS > EC2 > Application Load Balancer > Skip alarm for Active control
- AWS > EC2 > Application Load Balancer > Skip alarm for Active control [90 days]
- AWS > EC2 > Application Load Balancer > Skip alarm for Approved control
- AWS > EC2 > Application Load Balancer > Skip alarm for Approved control [90 days]
- AWS > EC2 > Application Load Balancer > Skip alarm for Tags control
- AWS > EC2 > Application Load Balancer > Skip alarm for Tags control [90 days]
- AWS > EC2 > Auto Scaling Group > Delete from AWS
- AWS > EC2 > Auto Scaling Group > Set Tags
- AWS > EC2 > Auto Scaling Group > Skip alarm for Active control
- AWS > EC2 > Auto Scaling Group > Skip alarm for Active control [90 days]
- AWS > EC2 > Auto Scaling Group > Skip alarm for Approved control
- AWS > EC2 > Auto Scaling Group > Skip alarm for Approved control [90 days]
- AWS > EC2 > Auto Scaling Group > Skip alarm for Tags control
- AWS > EC2 > Auto Scaling Group > Skip alarm for Tags control [90 days]
- AWS > EC2 > Classic Load Balancer > Delete from AWS
- AWS > EC2 > Classic Load Balancer > Set Tags
- AWS > EC2 > Classic Load Balancer > Skip alarm for Active control
- AWS > EC2 > Classic Load Balancer > Skip alarm for Active control [90 days]
- AWS > EC2 > Classic Load Balancer > Skip alarm for Approved control
- AWS > EC2 > Classic Load Balancer > Skip alarm for Approved control [90 days]
- AWS > EC2 > Classic Load Balancer > Skip alarm for Tags control
- AWS > EC2 > Classic Load Balancer > Skip alarm for Tags control [90 days]
- AWS > EC2 > Classic Load Balancer Listener > Delete from AWS
- AWS > EC2 > Classic Load Balancer Listener > Skip alarm for Active control
- AWS > EC2 > Classic Load Balancer Listener > Skip alarm for Active control [90 days]
- AWS > EC2 > Classic Load Balancer Listener > Skip alarm for Approved control
- AWS > EC2 > Classic Load Balancer Listener > Skip alarm for Approved control [90 days]
- AWS > EC2 > Gateway Load Balancer > Delete from AWS
- AWS > EC2 > Gateway Load Balancer > Set Tags
- AWS > EC2 > Gateway Load Balancer > Skip alarm for Active control
- AWS > EC2 > Gateway Load Balancer > Skip alarm for Active control [90 days]
- AWS > EC2 > Gateway Load Balancer > Skip alarm for Approved control
- AWS > EC2 > Gateway Load Balancer > Skip alarm for Approved control [90 days]
- AWS > EC2 > Gateway Load Balancer > Skip alarm for Tags control
- AWS > EC2 > Gateway Load Balancer > Skip alarm for Tags control [90 days]
- AWS > EC2 > Instance > Delete from AWS
- AWS > EC2 > Instance > Disable Termination Protection
- AWS > EC2 > Instance > Enable Termination Protection
- AWS > EC2 > Instance > Set Tags
- AWS > EC2 > Instance > Skip alarm for Active control
- AWS > EC2 > Instance > Skip alarm for Active control [90 days]
- AWS > EC2 > Instance > Skip alarm for Approved control
- AWS > EC2 > Instance > Skip alarm for Approved control [90 days]
- AWS > EC2 > Instance > Skip alarm for Tags control
- AWS > EC2 > Instance > Skip alarm for Tags control [90 days]
- AWS > EC2 > Instance > Start Instance
- AWS > EC2 > Instance > Stop Instance
- AWS > EC2 > Key Pair > Delete from AWS
- AWS > EC2 > Key Pair > Set Tags
- AWS > EC2 > Key Pair > Skip alarm for Active control
- AWS > EC2 > Key Pair > Skip alarm for Active control [90 days]
- AWS > EC2 > Key Pair > Skip alarm for Approved control
- AWS > EC2 > Key Pair > Skip alarm for Approved control [90 days]
- AWS > EC2 > Key Pair > Skip alarm for Tags control
- AWS > EC2 > Key Pair > Skip alarm for Tags control [90 days]
- AWS > EC2 > Launch Configuration > Delete from AWS
- AWS > EC2 > Launch Configuration > Skip alarm for Active control
- AWS > EC2 > Launch Configuration > Skip alarm for Active control [90 days]
- AWS > EC2 > Launch Configuration > Skip alarm for Approved control
- AWS > EC2 > Launch Configuration > Skip alarm for Approved control [90 days]
- AWS > EC2 > Launch Template > Delete from AWS
- AWS > EC2 > Launch Template > Set Tags
- AWS > EC2 > Launch Template > Skip alarm for Active control
- AWS > EC2 > Launch Template > Skip alarm for Active control [90 days]
- AWS > EC2 > Launch Template > Skip alarm for Approved control
- AWS > EC2 > Launch Template > Skip alarm for Approved control [90 days]
- AWS > EC2 > Launch Template > Skip alarm for Tags control
- AWS > EC2 > Launch Template > Skip alarm for Tags control [90 days]
- AWS > EC2 > Launch Template Version > Delete from AWS
- AWS > EC2 > Launch Template Version > Skip alarm for Active control
- AWS > EC2 > Launch Template Version > Skip alarm for Active control [90 days]
- AWS > EC2 > Launch Template Version > Skip alarm for Approved control
- AWS > EC2 > Launch Template Version > Skip alarm for Approved control [90 days]
- AWS > EC2 > Listener Rule > Delete from AWS
- AWS > EC2 > Listener Rule > Skip alarm for Active control
- AWS > EC2 > Listener Rule > Skip alarm for Active control [90 days]
- AWS > EC2 > Listener Rule > Skip alarm for Approved control
- AWS > EC2 > Listener Rule > Skip alarm for Approved control [90 days]
- AWS > EC2 > Load Balancer Listener > Delete from AWS
- AWS > EC2 > Load Balancer Listener > Skip alarm for Active control
- AWS > EC2 > Load Balancer Listener > Skip alarm for Active control [90 days]
- AWS > EC2 > Load Balancer Listener > Skip alarm for Approved control
- AWS > EC2 > Load Balancer Listener > Skip alarm for Approved control [90 days]
- AWS > EC2 > Network Interface > Delete from AWS
- AWS > EC2 > Network Interface > Set Tags
- AWS > EC2 > Network Interface > Skip alarm for Active control
- AWS > EC2 > Network Interface > Skip alarm for Active control [90 days]
- AWS > EC2 > Network Interface > Skip alarm for Approved control
- AWS > EC2 > Network Interface > Skip alarm for Approved control [90 days]
- AWS > EC2 > Network Interface > Skip alarm for Tags control
- AWS > EC2 > Network Interface > Skip alarm for Tags control [90 days]
- AWS > EC2 > Network Load Balancer > Delete from AWS
- AWS > EC2 > Network Load Balancer > Set Tags
- AWS > EC2 > Network Load Balancer > Skip alarm for Active control
- AWS > EC2 > Network Load Balancer > Skip alarm for Active control [90 days]
- AWS > EC2 > Network Load Balancer > Skip alarm for Approved control
- AWS > EC2 > Network Load Balancer > Skip alarm for Approved control [90 days]
- AWS > EC2 > Network Load Balancer > Skip alarm for Tags control
- AWS > EC2 > Network Load Balancer > Skip alarm for Tags control [90 days]
- AWS > EC2 > Snapshot > Delete from AWS
- AWS > EC2 > Snapshot > Set Tags
- AWS > EC2 > Snapshot > Skip alarm for Active control
- AWS > EC2 > Snapshot > Skip alarm for Active control [90 days]
- AWS > EC2 > Snapshot > Skip alarm for Approved control
- AWS > EC2 > Snapshot > Skip alarm for Approved control [90 days]
- AWS > EC2 > Snapshot > Skip alarm for Tags control
- AWS > EC2 > Snapshot > Skip alarm for Tags control [90 days]
- AWS > EC2 > Target Group > Delete from AWS
- AWS > EC2 > Target Group > Set Tags
- AWS > EC2 > Target Group > Skip alarm for Active control
- AWS > EC2 > Target Group > Skip alarm for Active control [90 days]
- AWS > EC2 > Target Group > Skip alarm for Approved control
- AWS > EC2 > Target Group > Skip alarm for Approved control [90 days]
- AWS > EC2 > Target Group > Skip alarm for Tags control
- AWS > EC2 > Target Group > Skip alarm for Tags control [90 days]
- AWS > EC2 > Volume > Detach, snapshot and delete from AWS
- AWS > EC2 > Volume > Set Tags
- AWS > EC2 > Volume > Skip alarm for Active control
- AWS > EC2 > Volume > Skip alarm for Active control [90 days]
- AWS > EC2 > Volume > Skip alarm for Approved control
- AWS > EC2 > Volume > Skip alarm for Approved control [90 days]
- AWS > EC2 > Volume > Skip alarm for Tags control
- AWS > EC2 > Volume > Skip alarm for Tags control [90 days]
5.30.2 (2022-05-11)
Bug fixes
- The `AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed` and `AWS > EC2 > Load Balancer Listener > SSL Policy > Default` policies now include `ELBSecurityPolicy-FS-1-2-Res-2020-10` in the list of AWS SSL policies that the AWS EC2 load balancer listener can use.
5.30.1 (2022-04-12)
Bug fixes
- The `AWS > EC2 > Snapshot > CMDB` control will now re-run after a 5 minute interval if a snapshot is in a transitional state, e.g. `pending` or `recovering`. This will allow the snapshot's CMDB data to be more reliable than before.
5.30.0 (2022-03-04)
Policy Types
Added
- AWS > EC2 > Instance > Default Platform
5.29.1 (2022-03-02)
Bug fixes
- The `AWS > EC2 > Instance > Approved` control would go into an error state if the `AWS > EC2 > Instance > Approved > Image > *` policies were set and the AMI was deleted or not available in AWS. This is now fixed.
- The `AWS > EC2 > Instance > Approved` control would sometimes go into an error state if the `AWS > EC2 > Instance > Approved > Image > Publishers` policy included account IDs. This is now fixed.
5.29.0 (2022-02-04)
What's new?
- Users can now create their own custom checks against resource attributes in the Approved control using the `Approved > Custom` policy. These custom checks are part of the evaluation of the Approved control. Custom messages can also be added, which are then displayed in the control details table. See Custom Checks for more information.
Bug fixes
- We've improved the process of deleting resources from Turbot if their CMDB policy was set to `Enforce: Disabled`. The CMDB controls will no longer try to resolve credentials via Turbot's IAM role while deleting resources from Turbot, so they process such deletions more reliably than before.
Policy Types
Added
- AWS > EC2 > AMI > Approved > Custom
- AWS > EC2 > Application Load Balancer > Approved > Custom
- AWS > EC2 > Auto Scaling Group > Approved > Custom
- AWS > EC2 > Classic Load Balancer > Approved > Custom
- AWS > EC2 > Classic Load Balancer Listener > Approved > Custom
- AWS > EC2 > Gateway Load Balancer > Approved > Custom
- AWS > EC2 > Instance > Approved > Custom
- AWS > EC2 > Key Pair > Approved > Custom
- AWS > EC2 > Launch Configuration > Approved > Custom
- AWS > EC2 > Launch Template > Approved > Custom
- AWS > EC2 > Launch Template Version > Approved > Custom
- AWS > EC2 > Listener Rule > Approved > Custom
- AWS > EC2 > Load Balancer Listener > Approved > Custom
- AWS > EC2 > Network Interface > Approved > Custom
- AWS > EC2 > Network Load Balancer > Approved > Custom
- AWS > EC2 > Snapshot > Approved > Custom
- AWS > EC2 > Target Group > Approved > Custom
- AWS > EC2 > Volume > Approved > Custom
5.28.4 (2022-02-01)
Bug fixes
- The `AWS > Turbot > Permissions > Compiled > Lockdown Statements > @turbot/aws-ec2` policy would fail to compile the lockdown statements correctly if the `AWS > EC2 > Instance > Approved > Image > Publishers` policy included account IDs. This is now fixed.
5.28.3 (2022-01-28)
Bug fixes
- The `AWS > EC2 > Instance > Schedule` control would incorrectly go into a skipped state if the `AWS > EC2 > Instance > Schedule` policy was set to Skip but the `AWS > EC2 > Instance > Schedule Tag` policy was set to `Enforce: Schedule per turbot_custom_schedule tag`. This is fixed and the control will now work as expected.
5.28.2 (2022-01-27)
Bug fixes
- Turbot would sometimes show unnecessary error notifications for volumes in the activity tab while processing an `EC2:RunInstances` event. This is now fixed.
5.28.1 (2022-01-17)
Bug fixes
- The `AWS > EC2 > Instance > CMDB` control would incorrectly delete an instance if the AMI used to create it was deleted or made private. This is now fixed.
5.28.0 (2022-01-10)
What's new?
- The `AWS > EC2 > Instance > Approved` control would sometimes go into an Invalid state incorrectly because the root volume attached to the instance was not discovered consistently in Turbot for newly created instances. We've now added real-time event handling of EBS volume notifications to process `EC2:CreateVolume`, `EC2:ModifyVolume` and `EC2:DeleteVolume` events more reliably than before. This also enables the `AWS > EC2 > Instance > Approved` control to evaluate the outcome correctly and consistently. Please note that this feature will only be enabled if the `aws` mod is on version 5.21.0 or higher.
5.27.0 (2021-12-21)
What's new?
- `AWS/EC2/Admin`, `AWS/EC2/Metadata` and `AWS/EC2/Operator` now include permissions for Capacity Reservation Fleet, Instance Event Window, Managed Prefix List, Snapshots In Recycle Bin, Warm Pool and Public IPv4 Pool.
Policy Types
Added
- AWS > EC2 > Permissions > Lockdown > Instance
- AWS > EC2 > Permissions > Lockdown > Instance > Image
- AWS > EC2 > Permissions > Lockdown > Instance > Image > AMI IDs
- AWS > EC2 > Permissions > Lockdown > Instance > Image > Publishers
5.26.0 (2021-09-17)
What's new?
- Auto Scaling Group's CMDB data will now include details of its scheduled actions.
Bug fixes
- The security group details under `NetworkInterfaces` in the instances' CMDB data will now be properly and consistently sorted.
5.25.0 (2021-07-22)
What's new?
- `AWS/EC2` permission levels now include Auto Scaling plans, Auto Scaling instance refresh and public IPv4 pool permissions.
5.24.0 (2021-07-08)
What's new?
- We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
5.23.0 (2021-06-23)
What's new?
- `AWS/EC2/Admin` now includes capacity reservation, fleet and elastic inference permissions.
- The `AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-ec2` policy now includes `elastic-inference:*` and `tiros:*`.
5.22.0 (2021-06-21)
Resource Types
Added
- AWS > EC2 > Account Attributes
Control Types
Added
- AWS > EC2 > Account Attributes > CMDB
- AWS > EC2 > Account Attributes > Discovery
- AWS > EC2 > Account Attributes > EBS Encryption by Default
Policy Types
Added
- AWS > EC2 > Account Attributes > CMDB
- AWS > EC2 > Account Attributes > EBS Encryption by Default
- AWS > EC2 > Account Attributes > EBS Encryption by Default > Customer Managed Key
- AWS > EC2 > Account Attributes > Regions
Action Types
Added
- AWS > EC2 > Account Attributes > Router
- AWS > EC2 > Account Attributes > Update EBS Encryption by Default
5.21.6 (2021-05-18)
Bug fixes
- We've improved our retry mechanism for throttling errors on API calls to be more efficient. You won’t notice any difference, but things should run better than before.
5.21.5 (2021-05-13)
Bug fixes
- We've updated the default values of the `AWS > EC2 > Permissions > Lockdown > Instance Types` and `AWS > EC2 > Permissions > Lockdown > Volume Types` policies to `[*]`. This allows these policies to run much lighter and faster than before.
- We recommend that users include the instance types from all `AWS > EC2 > Instance > Approved > Instance Types` policy settings and the volume types from all `AWS > EC2 > Volume > Approved > Volume Types` policy settings in their respective lockdown policies, so that the lockdown policies do not restrict any approved instance or volume type.
5.21.4 (2021-05-06)
Bug fixes
- We made some improvements earlier to upsert snapshots automatically if they were created from instances, but that didn't work because the `ec2:CreateSnapshots` event was not included in the EventBridge rule for EC2. This is now fixed, and snapshots created from instances will be upserted automatically via real-time event handling in Turbot.
- We recommend that users run the `AWS > EC2 > Snapshot > Discovery` control to upsert any snapshots that Turbot missed earlier, so that Turbot manages all such snapshots correctly.
5.21.3 (2021-05-05)
Bug fixes
- The `AWS > EC2 > Instance > CMDB` control would sometimes go into an error state for terminated instances and fail to delete them from Turbot. This is now fixed.
- Turbot will now raise `EC2:BidEvictedEvent` events correctly to handle spot instance interruptions.
- Snapshots created from instances were not upserted automatically into Turbot. This is now fixed.
5.21.2 (2021-04-23)
Bug fixes
- We've improved the way we refresh the CMDB data for instances, snapshots and volumes on tagging events like `EC2:CreateTags` and `EC2:DeleteTags`. API calls are expensive, so we now make fewer of them for such events, and the respective CMDB controls run lighter than before.
5.21.1 (2021-04-13)
Bug fixes
- We’ve made a few improvements in the GraphQL queries for various controls, policies, and actions. You won’t notice any difference, but things should run lighter and quicker than before.
5.21.0 (2021-04-02)
What's new?
- We've improved our event handling configuration and now filter which AWS events Turbot listens for based on resources' CMDB policies. If a resource's CMDB policy is not set to `Enforce: Enabled`, the EventBridge rules will be configured not to send any events for that resource. This greatly reduces the number of unnecessary events that Turbot listens for and handles today. Please note that this feature will only be enabled for workspaces on TE v5.36.0 or higher, and only if the installed VPC mods are on at least the following versions, since these mods also use EC2 events for their resources: `aws-vpc-core` v5.10.0, `aws-vpc-internet` v5.7.0, `aws-vpc-connect` v5.5.0 and `aws-vpc-security` v5.5.0. We recommend upgrading the `aws-ec2` mod to v5.21.0 first and then upgrading the installed VPC mods to the versions above for a smooth transition to the event filtering capability.
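As an added illustration of the filtering described above (and of the EBS volume events named in the 5.28.0 entry), not code from the aws-ec2 mod, the Python below builds an EventBridge event pattern for EC2 CloudTrail API calls from a map of CMDB policy values and checks constructed CloudTrail events against it. The resource-type-to-event-name mapping and the policy value strings are assumptions made for this example; the mod's real rule contents are not shown on this page.

```python
import json

# Assumed mapping (for this example only) from a Turbot resource type to the
# CloudTrail event names that change that resource. CreateTags/DeleteTags are
# shared by every EC2 resource type, so they appear under each entry.
EC2_EVENT_NAMES = {
    "AWS > EC2 > Instance": ["RunInstances", "StartInstances", "StopInstances",
                             "TerminateInstances", "CreateTags", "DeleteTags"],
    "AWS > EC2 > Volume": ["CreateVolume", "ModifyVolume", "DeleteVolume",
                           "AttachVolume", "DetachVolume", "CreateTags", "DeleteTags"],
    "AWS > EC2 > Snapshot": ["CreateSnapshot", "CreateSnapshots", "DeleteSnapshot",
                             "CreateTags", "DeleteTags"],
    "AWS > EC2 > Key Pair": ["CreateKeyPair", "ImportKeyPair", "DeleteKeyPair",
                             "CreateTags", "DeleteTags"],
}

ENABLED = "Enforce: Enabled"   # the only CMDB policy value that keeps events flowing


def build_event_pattern(cmdb_policies):
    """Build an EventBridge event pattern that forwards CloudTrail API calls only
    for resource types whose CMDB policy is 'Enforce: Enabled'.

    cmdb_policies maps a resource type to its CMDB policy value, e.g.
    {"AWS > EC2 > Instance": "Enforce: Enabled", "AWS > EC2 > Volume": "Skip"}.
    Returns None when nothing is tracked, i.e. no rule should exist at all.
    """
    names = set()
    for resource_type, events in EC2_EVENT_NAMES.items():
        if cmdb_policies.get(resource_type) == ENABLED:
            names.update(events)
    if not names:
        return None
    return {
        "source": ["aws.ec2"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["ec2.amazonaws.com"],
            "eventName": sorted(names),
        },
    }


def matches(pattern, event):
    """Minimal EventBridge matching: every key in the pattern must exist in the
    event; nested dicts recurse, and a leaf list must contain the event's value.
    (Real EventBridge supports more matchers; exact-value lists suffice here.)
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def forwarded_event_names(cmdb_policies, events):
    """Return the eventName of each event the generated rule would forward."""
    pattern = build_event_pattern(cmdb_policies)
    if pattern is None:
        return []
    return [e["detail"]["eventName"] for e in events if matches(pattern, e)]


def _cloudtrail_event(event_name):
    # Constructed sample of the envelope EventBridge delivers for a CloudTrail API call.
    return {
        "source": "aws.ec2",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": "ec2.amazonaws.com", "eventName": event_name,
                   "awsRegion": "us-east-1"},
    }


SAMPLE_EVENTS = [_cloudtrail_event(n) for n in
                 ("RunInstances", "CreateVolume", "ModifyVolume", "DeleteSnapshot", "CreateTags")]

if __name__ == "__main__":
    policies = {"AWS > EC2 > Instance": ENABLED, "AWS > EC2 > Volume": ENABLED,
                "AWS > EC2 > Snapshot": "Skip"}
    print(json.dumps(build_event_pattern(policies), indent=2))
    print(forwarded_event_names(policies, SAMPLE_EVENTS))
```

With Instance and Volume enabled and Snapshot skipped, the sample `DeleteSnapshot` event is dropped while `RunInstances`, `CreateVolume`, `ModifyVolume` and `CreateTags` are forwarded. Two caveats a practitioner should keep in mind: tag events are shared across resource types, so a rule that keeps any type enabled still receives `CreateTags` for every type; and anything else that consumes EC2 events (the VPC mods named above) must be accounted for before a type's events are dropped from the rule, or its controls silently stop receiving updates.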
Policy Types
Added
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-ec2
Removed
- AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-ec2
5.20.0 (2021-03-19)
Bug fixes
- The `AWS > EC2 > Snapshot > Approved` control would sometimes go into an error state if the KMS key used to encrypt the snapshot was not available in the Turbot CMDB. This is fixed and the control now works as expected.
Resource Types
Added
- AWS > EC2 > Gateway Load Balancer
Control Types
Added
- AWS > EC2 > Gateway Load Balancer > Active
- AWS > EC2 > Gateway Load Balancer > Approved
- AWS > EC2 > Gateway Load Balancer > CMDB
- AWS > EC2 > Gateway Load Balancer > Discovery
- AWS > EC2 > Gateway Load Balancer > Tags
- AWS > EC2 > Gateway Load Balancer > Usage
Policy Types
Added
- AWS > EC2 > Gateway Load Balancer > Active
- AWS > EC2 > Gateway Load Balancer > Active > Age
- AWS > EC2 > Gateway Load Balancer > Active > Budget
- AWS > EC2 > Gateway Load Balancer > Active > Last Modified
- AWS > EC2 > Gateway Load Balancer > Approved
- AWS > EC2 > Gateway Load Balancer > Approved > Budget
- AWS > EC2 > Gateway Load Balancer > Approved > Regions
- AWS > EC2 > Gateway Load Balancer > Approved > Usage
- AWS > EC2 > Gateway Load Balancer > CMDB
- AWS > EC2 > Gateway Load Balancer > Regions
- AWS > EC2 > Gateway Load Balancer > Tags
- AWS > EC2 > Gateway Load Balancer > Tags > Template
- AWS > EC2 > Gateway Load Balancer > Usage
- AWS > EC2 > Gateway Load Balancer > Usage > Limit
Action Types
Added
- AWS > EC2 > Gateway Load Balancer > Delete
- AWS > EC2 > Gateway Load Balancer > Router
- AWS > EC2 > Gateway Load Balancer > Update Tags
5.19.0 (2021-03-01)
What's new?
We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
While gathering resource data in the `AWS > EC2 > Instance > CMDB` and `AWS > EC2 > Volume > CMDB` controls, we would sometimes hit API throttling errors because each CMDB control run called multiple APIs to gather all related resource data. To provide an easy way to configure which APIs are called in each CMDB control, we've added the `AWS > EC2 > Instance > CMDB > Attributes` and `AWS > EC2 > Volume > CMDB > Attributes` policies.
In each of these policies, you can select which attributes Turbot will track in CMDB for the respective resource type. Unselected attributes are not tracked, which results in fewer API calls. Please note that if an attribute is changed from tracked to untracked, it is removed from the resource's CMDB data so that we don't keep stale information.
Policy Types
Added
- AWS > EC2 > Instance > CMDB > Attributes
- AWS > EC2 > Volume > CMDB > Attributes
5.18.7 (2021-02-09)
Bug fixes
- The `AWS > EC2 > Network Interface > Active` control will no longer go into error if the network interface is detached and the attachment check is enabled.
- The `AWS > EC2 > Volume > Active` control will no longer go into error if the volume is detached and the attachment check is enabled.
- The `AWS > EC2 > Instance > CMDB` control will no longer attempt to describe the instance's enclave options for instances in the us-gov-east-1 and us-gov-west-1 regions, as GovCloud does not support them.
5.18.6 (2021-02-05)
Bug fixes
- We've updated the `AWS > EC2 > Instance > Discovery` control to sort the `NetworkInterfaces` and `Tags` properties in the same way the `AWS > EC2 > Instance > CMDB` control sorts them, to ensure instances' CMDB data remains consistent.
- The `AWS > EC2 > Instance > Router` action would sometimes throw an error when an instance with no attached volumes was deleted. This is now fixed.
- After an instance is terminated, AWS either deletes or detaches each attached volume based on the volume's `DeleteOnTermination` setting. We would sometimes fail to delete or update these volumes respectively in CMDB after handling the instance termination event. Both cases are now fixed, and volumes are deleted and updated as expected.
5.18.5 (2021-01-29)
Bug fixes
- The root volume encryption check in the `AWS > EC2 > Instance > Approved` control would incorrectly show `Invalid` if there was no root volume attached to the instance. This is fixed and it will now show as `Approved`.
- The `AWS > EC2 > Target Group > CMDB` control would sometimes go into an error state showing a `Validation Error` if a load balancer was deleted, since we'd move the attached target group under an incorrect parent. This is now fixed.
- The `AWS > EC2 > Instance > Approved` control will now wait a few minutes before going into the `invalid` state if the instance's root volume is not in CMDB yet (root volume information is required for the `AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest` check). This avoids unnecessary `TBD` -> `Invalid` -> `OK` state change sequences for new instances, as the instance may be created in CMDB before its root volume due to event handling order.
5.18.4 (2021-01-18)
Bug fixes
- The `AWS > EC2 > Snapshot > Discovery` control now moves into `alarm` if there are more than 100k snapshots in a region (the control still upserts at most 100k in a single run).
5.18.3 (2021-01-14)
Bug fixes
- The `AWS > EC2 > Snapshot > Discovery` control's Lambda function timeout has been increased from 5 minutes to 15 minutes to better handle upserting a large number of snapshots. The control also now limits resource data to the required fields and only upserts up to 100,000 snapshots in a single run, to avoid payload size errors. If you have a use case that exceeds this limit, please contact support.
5.18.2 (2020-12-29)
Bug fixes
- The `AWS > EC2 > Snapshot > Discovery` control's Lambda function memory has been increased from 512 MB to 2048 MB to better handle upserting a large number of snapshots.
- We've improved the `AWS > EC2 > Volume > Discovery` control to run faster and lighter when discovering volumes for newly created instances. You won't notice any difference, but the control is better than it was before.
5.18.1 (2020-12-24)
Bug fixes
- Sometimes when multiple instances were terminated in one `ec2:TerminateInstances` event, not all of the instances' attached volumes would be cleaned up properly in CMDB. This has been fixed.
- We also fixed a bug that would sometimes cause only the first instance in an `ec2:RunInstances` event to be created in CMDB.
5.18.0 (2020-12-21)
What's new?
- The `AWS > EC2 > Instance > Approved` control can now check whether an instance is approved based on the AMI used to launch it. To enable this check, set the `AWS > EC2 > Instance > Approved > Image` policy.
Bug fixes
- The `AWS > EC2 > Instance > Detailed Monitoring` control would incorrectly go to an `Invalid` state if the `AWS > EC2 > Instance > Detailed Monitoring` policy was set to `Skip`. This has now been fixed, and the control will correctly be in the skipped state if its policy value is set to `Skip`.
Policy Types
Added
- AWS > EC2 > Instance > Approved > Image
- AWS > EC2 > Instance > Approved > Image > AMI IDs
- AWS > EC2 > Instance > Approved > Image > Publishers
5.17.5 (2020-12-14)
Bug fixes
- The `AWS > EC2 > Instance > CMDB` control would sometimes go into an error state if no network interfaces were attached to the instance. This is now fixed.
5.17.4 (2020-12-07)
Bug fixes
- We've optimized the GraphQL queries for various controls when they're in the `tbd` and `skipped` states. You won't notice any difference, but they should run a lot lighter now.
- We've updated various resources' Discovery and CMDB controls to ensure array properties are consistently sorted in the CMDB.
- We've removed the `AWS > EC2 > Instance > Active > Attached` policy, which was added incorrectly. There is no impact on the `AWS > EC2 > Instance > Active` control, which works as before.
Policy Types
Removed
- AWS > EC2 > Instance > Active > Attached
5.17.3 (2020-11-16)
Bug fixes
- We've fixed an issue that resulted in the `AWS > EC2 > Instance > Discovery` control never upserting any instances, even if there were some present in the region.
5.17.2 (2020-11-16)
Bug fixes
- Whenever classic load balancers were created, we failed to upsert them automatically in our CMDB. This issue has now been fixed.
5.17.1 (2020-11-06)
Bug fixes
- Our real-time event handling for tag updates of EC2 resources will now be smoother, and the tags will be sorted consistently across the EC2 Discovery and CMDB controls.
5.17.0 (2020-11-03)
Bug fixes
- We have made some improvements to our real-time event handling for EC2 resource tag updates. You won't notice a difference, but updates should run faster and smoother.
Resource Types
Added
- AWS > EC2 > Classic Load Balancer Listener
Control Types
Added
- AWS > EC2 > Classic Load Balancer Listener > Active
- AWS > EC2 > Classic Load Balancer Listener > Approved
- AWS > EC2 > Classic Load Balancer Listener > CMDB
- AWS > EC2 > Classic Load Balancer Listener > Discovery
- AWS > EC2 > Classic Load Balancer Listener > SSL Policy
- AWS > EC2 > Classic Load Balancer Listener > Usage
Policy Types
Added
- AWS > EC2 > Classic Load Balancer Listener > Active
- AWS > EC2 > Classic Load Balancer Listener > Active > Age
- AWS > EC2 > Classic Load Balancer Listener > Active > Last Modified
- AWS > EC2 > Classic Load Balancer Listener > Approved
- AWS > EC2 > Classic Load Balancer Listener > Approved > Instance Protocols
- AWS > EC2 > Classic Load Balancer Listener > Approved > Ports
- AWS > EC2 > Classic Load Balancer Listener > Approved > Protocols
- AWS > EC2 > Classic Load Balancer Listener > Approved > Regions
- AWS > EC2 > Classic Load Balancer Listener > Approved > Usage
- AWS > EC2 > Classic Load Balancer Listener > CMDB
- AWS > EC2 > Classic Load Balancer Listener > Regions
- AWS > EC2 > Classic Load Balancer Listener > SSL Policy
- AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed
- AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Default
- AWS > EC2 > Classic Load Balancer Listener > Usage
- AWS > EC2 > Classic Load Balancer Listener > Usage > Limit
- AWS > EC2 > Load Balancer Listener > Approved > Ports
- AWS > EC2 > Load Balancer Listener > Approved > Protocols
Action Types
Added
- AWS > EC2 > Classic Load Balancer Listener > Delete
- AWS > EC2 > Classic Load Balancer Listener > Router
- AWS > EC2 > Classic Load Balancer Listener > Update SSL Policy
5.16.2 (2020-10-28)
Bug fixes
- The `AWS > EC2 > Instance > Discovery` control will no longer upsert instances that are in the `shutting-down` or `terminated` states, as these instances are not useful to track in CMDB.
- Whenever network load balancers were created, we did not upsert them automatically into our CMDB. This issue has now been fixed.
- The `AWS > EC2 > Instance > CMDB` control will now re-trigger after 1 minute instead of 5 if the instance is in the `pending`, `shutting-down` or `stopping` state. This lets all the dependent controls and policies update much faster.
5.16.1 (2020-10-19)
Bug fixes
- After an instance was deleted, we'd fail to delete its root volume from CMDB sometimes and create noisy error notifications. This has been fixed and root volumes are cleaned up properly now.
- The `AWS > EC2 > Instance > CMDB` control was continuously running every 5 minutes if the instance was in a `running` state. This is now fixed and the control will only run when required.
5.16.0 (2020-10-13)
Bug fixes
- We've fixed an invalid GraphQL input for the `AWS > EC2 > Target Group > Discovery` control which caused it to remain in an error state.
- We failed to upsert AMIs into CMDB when they were created by copying existing AMIs from different regions. This issue has now been fixed.
Control Types
Added
- AWS > EC2 > Load Balancer Listener > SSL Policy
Policy Types
Added
- AWS > EC2 > Load Balancer Listener > SSL Policy
- AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed
- AWS > EC2 > Load Balancer Listener > SSL Policy > Default
Action Types
Added
- AWS > EC2 > Load Balancer Listener > Update SSL Policy
5.15.0 (2020-10-06)
What's new?
- The `AWS > EC2 > Volume > Active` control can now check whether a volume is attached to any resource. To enable this active check, set the `AWS > EC2 > Volume > Active > Attached` policy.
Policy Types
Added
- AWS > EC2 > Volume > Active > Attached
5.14.1 (2020-09-29)
Bug fixes
- We've made some improvements to our real-time event handling that reduces the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.
5.14.0 (2020-09-03)
What's new?
- Discovery controls now have their own control category, `CMDB > Discovery`, to allow for easier filtering separately from other CMDB controls.
- We've renamed the service's default regions policy from `Regions [Default]` to `Regions` to be consistent with our other regions policies.
Bug fixes
- The `AWS > EC2 > Auto Scaling Group > Router` action was incorrectly attempting to handle `ec2:CreateTags` events, which would result in multiple error notifications from the action. This has been fixed.
5.13.0 (2020-08-18)
Control Types
Added
- AWS > EC2 > Instance > Detailed Monitoring
- AWS > EC2 > Instance > Termination Protection
Policy Types
Added
- AWS > EC2 > Instance > Detailed Monitoring
- AWS > EC2 > Instance > Termination Protection
Action Types
Added
- AWS > EC2 > Instance > Update Detailed Monitoring
- AWS > EC2 > Instance > Update Termination Protection
5.12.2 (2020-08-18)
Bug fixes
- After an EC2 instance was terminated, if its attached network interfaces were also deleted at the same time, these deleted network interfaces were not correctly removed from CMDB. This issue has now been fixed.
5.12.1 (2020-08-14)
Bug fixes
- Minor improvements were made to the `AWS > EC2 > Instance > Schedule` control to make sure that you can start or stop your instances effectively without any errors.
- Root volumes can no longer be deleted by the `AWS > EC2 > Volume > Approved` or `AWS > EC2 > Volume > Active` controls when they are attached to instances in the `stopped` state. This makes sure that instances do not go into an error state on reboot due to the unavailability of their attached root volumes.
- In various Active controls, we were outputting log messages that did not correctly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.
Policy Types
Renamed
- AWS > EC2 > Instance > Schedule > Tag to AWS > EC2 > Instance > Schedule Tag
5.12.0 (2020-07-29)
What's new?
- `AWS/EC2/Admin` now includes reserved instance, product instance and FPGA image management permissions.
- Cross-account trust is important for complex enterprise and application scenarios, but is also a critical area for security controls. We now support controlling cross-account access for AMIs and snapshots to provide automatic protection against unexpected cross-account access. A common set of trusted AWS account IDs can be defined in the `AWS > Account > Trusted Accounts [Default]` policy. Trusted accounts can also be defined at any level, even down to a specific AMI or snapshot resource. To get started with these new controls, please see the `AWS > EC2 > AMI > Trusted Access` and `AWS > EC2 > Snapshot > Trusted Access` policies.
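An added example of the trusted-access evaluation described above, written for this page rather than taken from the mod: given the `LaunchPermissions` of an AMI (or the `CreateVolumePermissions` of a snapshot) as returned by boto3's `describe_image_attribute` / `describe_snapshot_attribute`, it reports every grant outside the trusted account set and builds the `modify_image_attribute` / `modify_snapshot_attribute` arguments that revoke them. The account and resource IDs are constructed placeholders.

```python
def untrusted_grants(grants, trusted_accounts, own_account):
    """Return the entries of an AMI's LaunchPermissions or a snapshot's
    CreateVolumePermissions list that fall outside the trusted account set.

    Each entry is a dict in the shape describe_image_attribute /
    describe_snapshot_attribute return, e.g. {"UserId": "123456789012"} or
    {"Group": "all"}. Only an exact {"UserId": <trusted id>} entry is accepted;
    the public group grant and any other grant shape (organization or OU ARNs)
    are reported so they can be revoked. This errs on the side of revoking.
    """
    trusted = set(trusted_accounts) | {own_account}
    return [g for g in grants
            if not (set(g) == {"UserId"} and g["UserId"] in trusted)]


def is_public(grants):
    """True when the resource is shared with all AWS accounts."""
    return any(g.get("Group") == "all" for g in grants)


def ami_revoke_request(image_id, grants, trusted_accounts, own_account):
    """Build the kwargs for ec2.modify_image_attribute() that remove the
    untrusted launch permissions, or None when there is nothing to revoke."""
    remove = untrusted_grants(grants, trusted_accounts, own_account)
    if not remove:
        return None
    return {"ImageId": image_id, "Attribute": "launchPermission",
            "LaunchPermission": {"Remove": remove}}


def snapshot_revoke_request(snapshot_id, grants, trusted_accounts, own_account):
    """Same idea for ec2.modify_snapshot_attribute() and createVolumePermission."""
    remove = untrusted_grants(grants, trusted_accounts, own_account)
    if not remove:
        return None
    return {"SnapshotId": snapshot_id, "Attribute": "createVolumePermission",
            "CreateVolumePermission": {"Remove": remove}}


# Constructed sample data: the IDs below are placeholders, not real accounts or resources.
OWN_ACCOUNT = "999999999999"
TRUSTED_ACCOUNTS = ["111111111111"]
AMI_LAUNCH_PERMISSIONS = [
    {"UserId": "111111111111"},   # trusted partner account: keep
    {"UserId": "222222222222"},   # unknown account: revoke
    {"Group": "all"},             # public AMI: revoke
]
SNAPSHOT_CREATE_VOLUME_PERMISSIONS = [
    {"UserId": "111111111111"},   # only a trusted account: nothing to do
]

if __name__ == "__main__":
    print("AMI public:", is_public(AMI_LAUNCH_PERMISSIONS))
    print(ami_revoke_request("ami-0123456789abcdef0", AMI_LAUNCH_PERMISSIONS,
                             TRUSTED_ACCOUNTS, OWN_ACCOUNT))
    print(snapshot_revoke_request("snap-0123456789abcdef0",
                                  SNAPSHOT_CREATE_VOLUME_PERMISSIONS,
                                  TRUSTED_ACCOUNTS, OWN_ACCOUNT))
```

The check is deliberately strict: only a bare `{"UserId": ...}` for a trusted account passes, so a public `{"Group": "all"}` grant or an organization-level grant is always reported. To enforce, pass the returned dict to `boto3.client("ec2").modify_image_attribute(**req)` (or `modify_snapshot_attribute`); run it in report-only mode first, because removing a grant that a partner account depends on breaks their launches immediately.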
Control Types
Added
- AWS > EC2 > AMI > Trusted Access
- AWS > EC2 > Snapshot > Trusted Access
Policy Types
Added
- AWS > EC2 > AMI > Trusted Access
- AWS > EC2 > AMI > Trusted Access > Accounts
- AWS > EC2 > Snapshot > Trusted Access
- AWS > EC2 > Snapshot > Trusted Access > Accounts
- AWS > EC2 > Trusted Accounts [Default]
Action Types
Added
- AWS > EC2 > AMI > Set Trusted Access
- AWS > EC2 > Snapshot > Set Trusted Access
5.11.0 (2020-07-16)
What's new?
- Target group attachment resources can now be created by the `AWS > Account > Stack` or `AWS > Region > Stack` controls. For more information on creating these resource types through Terraform, please see the Terraform resource page.
5.10.2 (2020-07-01)
Bug fixes
- Sometimes when updating CMDB for resources with tags that have empty string values, e.g. `[{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}]`, we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.
- When determining the creation time of an instance, we were incorrectly using its `LaunchTime` property, which updates whenever an instance is stopped and then started again. We now use the attachment time of its primary network interface instead; the primary network interface cannot be detached, so the creation time is more accurate and remains consistent throughout an instance's lifecycle.
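To show the creation-time rule from the second fix above in code, here is an added example (not the mod's own implementation) that derives an instance's creation time from the attach time of its primary network interface and uses it for an age check in the style of the Active > Age policies. The instance record is a constructed sample in the shape boto3's `describe_instances` returns.

```python
from datetime import datetime, timedelta, timezone


def instance_creation_time(instance):
    """Return when an instance was created, using the attach time of its primary
    network interface (DeviceIndex 0), which cannot be detached and so survives
    stop/start cycles. Fall back to LaunchTime only if no primary ENI is present.

    `instance` is one entry of Reservations[].Instances[] from describe_instances,
    with datetimes already parsed (as boto3 returns them).
    """
    for eni in instance.get("NetworkInterfaces", []):
        attachment = eni.get("Attachment") or {}
        if attachment.get("DeviceIndex") == 0 and attachment.get("AttachTime"):
            return attachment["AttachTime"]
    return instance.get("LaunchTime")


def instance_age_days(instance, now):
    """Whole days since the instance was created, or None if unknown."""
    created = instance_creation_time(instance)
    if created is None:
        return None
    return (now - created).days


def exceeds_age(instance, max_days, now):
    """Age check in the spirit of an Active > Age policy: True when the instance
    is older than max_days, judged by the stable creation time, not LaunchTime."""
    age = instance_age_days(instance, now)
    return age is not None and age > max_days


# Constructed sample: an instance created 400 days ago but stopped and started
# last week, so LaunchTime alone would make it look brand new.
NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)
SAMPLE_INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",
    "LaunchTime": NOW - timedelta(days=7),
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0123456789abcdef0",
         "Attachment": {"DeviceIndex": 0, "AttachTime": NOW - timedelta(days=400)}},
        {"NetworkInterfaceId": "eni-0fedcba9876543210",
         "Attachment": {"DeviceIndex": 1, "AttachTime": NOW - timedelta(days=3)}},
    ],
}

if __name__ == "__main__":
    print("age by LaunchTime   :", (NOW - SAMPLE_INSTANCE["LaunchTime"]).days, "days")
    print("age by creation time:", instance_age_days(SAMPLE_INSTANCE, NOW), "days")
    print("older than 90 days  :", exceeds_age(SAMPLE_INSTANCE, 90, NOW))
```

By `LaunchTime` the sample instance looks 7 days old and passes a 90-day check; by the primary interface's attach time it is 400 days old and is flagged. The fallback to `LaunchTime` only applies when the record has no DeviceIndex 0 attachment at all.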
5.10.1 (2020-06-26)
Bug fixes
- Real-time events for key pairs were not being handled properly, resulting in outdated key pair CMDB information. This issue has been fixed.
- In `aws-ec2` 5.9.0, we added an ARN using the key pair ID as another AKA to the key pair resource type. This change would sometimes cause the `AWS > EC2 > Key Pair > Discovery` control to error out when attempting to update existing key pairs with the new AKA. This issue has been fixed.
5.10.0 (2020-06-26)
What's new?
- The `AWS > EC2 > Instance > Approved` control can now stop unapproved instances (previously only deleting them was available). This feature can be used to stop either all unapproved instances or only those that were newly created, by setting the `AWS > EC2 > Instance > Approved` policy to `Enforce: Stop unapproved` or `Enforce: Stop unapproved if new` respectively.
5.9.0 (2020-06-19)
What's new?
- We've added another AKA to key pairs, which is an ARN with the key pair ID as the unique identifier, e.g., arn:aws:ec2:us-east-1:123456789012:key-pair/key-012345abc. Previously, we only supported an ARN that used the key pair name, but now we store both formats.
Control Types
Added
- AWS > EC2 > Key Pair > Tags
Policy Types
Added
- AWS > EC2 > Key Pair > Tags
- AWS > EC2 > Key Pair > Tags > Template
Action Types
Added
- AWS > EC2 > Key Pair > Update Tags
5.8.0 (2020-06-19)
What's new?
- Access logging can now be configured for all load balancer types through their respective Access Logging controls. Access logs capture detailed information about requests sent to the load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.
- All the certificates added to the certificate list of a load balancer listener will now be available in the Certificates property.
- Information pertaining to the health of a target group is now available in the TargetHealthDescriptions property.
- The CMDB of a target group will be updated automatically whenever targets such as instance IDs, IP addresses, or Lambda functions are registered or deregistered.
Bug fixes
- Although the data validation errors, which appear in various CMDB and Discovery controls, are not blockers, they look ugly in the UI and should be cleaned up. These errors have now been fixed.
Control Types
Added
- AWS > EC2 > Application Load Balancer > Access Logging
- AWS > EC2 > Classic Load Balancer > Access Logging
- AWS > EC2 > Network Load Balancer > Access Logging
Policy Types
Added
- AWS > EC2 > Application Load Balancer > Access Logging
- AWS > EC2 > Application Load Balancer > Access Logging > Bucket
- AWS > EC2 > Application Load Balancer > Access Logging > Key Prefix
- AWS > EC2 > Classic Load Balancer > Access Logging
- AWS > EC2 > Classic Load Balancer > Access Logging > Bucket
- AWS > EC2 > Classic Load Balancer > Access Logging > Key Prefix
- AWS > EC2 > Network Load Balancer > Access Logging
- AWS > EC2 > Network Load Balancer > Access Logging > Bucket
- AWS > EC2 > Network Load Balancer > Access Logging > Key Prefix
Action Types
Added
- AWS > EC2 > Application Load Balancer > Update Access Logging
- AWS > EC2 > Classic Load Balancer > Update Access Logging
- AWS > EC2 > Network Load Balancer > Update Access Logging
5.7.0 (2020-06-16)
Control Types
Added
- AWS > EC2 > Application Load Balancer > Configured
- AWS > EC2 > Classic Load Balancer > Configured
- AWS > EC2 > Network Load Balancer > Configured
- AWS > EC2 > Target Group > Configured
Policy Types
Added
- AWS > EC2 > Application Load Balancer > Configured
- AWS > EC2 > Application Load Balancer > Configured > Claim Precedence
- AWS > EC2 > Application Load Balancer > Configured > Source
- AWS > EC2 > Classic Load Balancer > Configured
- AWS > EC2 > Classic Load Balancer > Configured > Claim Precedence
- AWS > EC2 > Classic Load Balancer > Configured > Source
- AWS > EC2 > Network Load Balancer > Configured
- AWS > EC2 > Network Load Balancer > Configured > Claim Precedence
- AWS > EC2 > Network Load Balancer > Configured > Source
- AWS > EC2 > Target Group > Configured
- AWS > EC2 > Target Group > Configured > Claim Precedence
- AWS > EC2 > Target Group > Configured > Source
5.6.0 (2020-06-16)
Control Types
Added
- AWS > EC2 > Instance > Metadata Service
Policy Types
Added
- AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest
- AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest > Customer Managed Key
- AWS > EC2 > Instance > Metadata Service
- AWS > EC2 > Instance > Metadata Service > HTTP Token Hop Limit
Action Types
Added
- AWS > EC2 > Instance > Update Metadata Service
5.5.2 (2020-06-09)
Bug fixes
- After terminating an instance, if its root volume was also deleted due to the instance's DeleteOnTermination property being set to true, Turbot would not correctly delete the root volume from CMDB. This issue has been fixed.
- After launching a new instance, its root volume would not automatically be created in the CMDB. This has been fixed.
5.5.1 (2020-05-26)
Bug fixes
- After stopping or starting an instance, the CMDB was not updated automatically to reflect the new state. This has been fixed.
- When load balancers were created in the AWS console, Turbot upserted invalid load balancers with malformed AKAs into the CMDB. This issue has been fixed and the desired load balancers are now upserted with correct AKAs.
- Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.
5.5.0 (2020-05-07)
Resource Types
Added
- AWS > EC2 > Listener Rule
- AWS > EC2 > Load Balancer Listener
Control Types
Added
- AWS > EC2 > AMI > Configured
- AWS > EC2 > Instance > Configured
- AWS > EC2 > Listener Rule > Active
- AWS > EC2 > Listener Rule > Approved
- AWS > EC2 > Listener Rule > CMDB
- AWS > EC2 > Listener Rule > Configured
- AWS > EC2 > Listener Rule > Discovery
- AWS > EC2 > Listener Rule > Usage
- AWS > EC2 > Load Balancer Listener > Active
- AWS > EC2 > Load Balancer Listener > Approved
- AWS > EC2 > Load Balancer Listener > CMDB
- AWS > EC2 > Load Balancer Listener > Configured
- AWS > EC2 > Load Balancer Listener > Discovery
- AWS > EC2 > Load Balancer Listener > Usage
- AWS > EC2 > Network Interface > Configured
- AWS > EC2 > Snapshot > Configured
- AWS > EC2 > Volume > Configured
Policy Types
Added
- AWS > EC2 > AMI > Configured
- AWS > EC2 > AMI > Configured > Claim Precedence
- AWS > EC2 > AMI > Configured > Source
- AWS > EC2 > Instance > Configured
- AWS > EC2 > Instance > Configured > Claim Precedence
- AWS > EC2 > Instance > Configured > Source
- AWS > EC2 > Listener Rule > Active
- AWS > EC2 > Listener Rule > Active > Age
- AWS > EC2 > Listener Rule > Active > Budget
- AWS > EC2 > Listener Rule > Active > Last Modified
- AWS > EC2 > Listener Rule > Approved
- AWS > EC2 > Listener Rule > Approved > Budget
- AWS > EC2 > Listener Rule > Approved > Regions
- AWS > EC2 > Listener Rule > Approved > Usage
- AWS > EC2 > Listener Rule > CMDB
- AWS > EC2 > Listener Rule > Configured
- AWS > EC2 > Listener Rule > Configured > Claim Precedence
- AWS > EC2 > Listener Rule > Configured > Source
- AWS > EC2 > Listener Rule > Regions
- AWS > EC2 > Listener Rule > Usage
- AWS > EC2 > Listener Rule > Usage > Limit
- AWS > EC2 > Load Balancer Listener > Active
- AWS > EC2 > Load Balancer Listener > Active > Age
- AWS > EC2 > Load Balancer Listener > Active > Last Modified
- AWS > EC2 > Load Balancer Listener > Approved
- AWS > EC2 > Load Balancer Listener > Approved > Regions
- AWS > EC2 > Load Balancer Listener > Approved > Usage
- AWS > EC2 > Load Balancer Listener > CMDB
- AWS > EC2 > Load Balancer Listener > Configured
- AWS > EC2 > Load Balancer Listener > Configured > Claim Precedence
- AWS > EC2 > Load Balancer Listener > Configured > Source
- AWS > EC2 > Load Balancer Listener > Regions
- AWS > EC2 > Load Balancer Listener > Usage
- AWS > EC2 > Load Balancer Listener > Usage > Limit
- AWS > EC2 > Network Interface > Configured
- AWS > EC2 > Network Interface > Configured > Claim Precedence
- AWS > EC2 > Network Interface > Configured > Source
- AWS > EC2 > Snapshot > Configured
- AWS > EC2 > Snapshot > Configured > Claim Precedence
- AWS > EC2 > Snapshot > Configured > Source
- AWS > EC2 > Volume > Configured
- AWS > EC2 > Volume > Configured > Claim Precedence
- AWS > EC2 > Volume > Configured > Source
Action Types
Added
- AWS > EC2 > Listener Rule > Delete
- AWS > EC2 > Listener Rule > Router
- AWS > EC2 > Load Balancer Listener > Delete
- AWS > EC2 > Load Balancer Listener > Router