@turbot/aws-ec2

The aws-ec2 mod contains resource, control and policy definitions for the AWS EC2 service.

Resource Types

Resource types covered by this mod:

Permissions

The permissions used by this mod for EC2, with the grant level assigned to each permission and the reasoning behind that assignment:

| Permission | Grant Level | Help |
|---|---|---|
| acm:ListCertificates | Metadata | Required for ELB launches. |
| application-autoscaling:DeleteScalingPolicy | Admin | Admins can change the autoscaling process. |
| application-autoscaling:DeleteScheduledAction | Admin | |
| application-autoscaling:DeregisterScalableTarget | Operator | |
| application-autoscaling:DescribeScalableTargets | Metadata | |
| application-autoscaling:DescribeScalingActivities | Metadata | |
| application-autoscaling:DescribeScalingPolicies | Metadata | |
| application-autoscaling:DescribeScheduledActions | Metadata | |
| application-autoscaling:PutScalingPolicy | Admin | Admins can change the autoscaling process. |
| application-autoscaling:PutScheduledAction | Admin | |
| application-autoscaling:RegisterScalableTarget | Operator | |
| autoscaling-plans:CreateScalingPlan | Admin | |
| autoscaling-plans:DeleteScalingPlan | Admin | |
| autoscaling-plans:DescribeScalingPlanResources | Metadata | |
| autoscaling-plans:DescribeScalingPlans | Metadata | |
| autoscaling-plans:GetScalingPlanResourceForecastData | Metadata | |
| autoscaling-plans:UpdateScalingPlan | Operator | |
| autoscaling:AttachInstances | Operator | Operators can manage instances in an autoscaling group but not change its config. |
| autoscaling:AttachLoadBalancerTargetGroups | Operator | Operators can manage instances in an autoscaling group but not change its config. |
| autoscaling:AttachLoadBalancers | Operator | Operators can manage instances in an autoscaling group but not change its config. |
| autoscaling:BatchDeleteScheduledAction | Whitelist | Admins can change the autoscaling process. |
| autoscaling:BatchPutScheduledUpdateGroupAction | Whitelist | Admins can change the autoscaling process. |
| autoscaling:CancelInstanceRefresh | Whitelist | |
| autoscaling:CompleteLifecycleAction | Operator | Allows custom steps in the autoscaling lifecycle process. |
| autoscaling:CreateAutoScalingGroup | Whitelist | |
| autoscaling:CreateLaunchConfiguration | Whitelist | |
| autoscaling:CreateOrUpdateScalingTrigger | Whitelist | |
| autoscaling:CreateOrUpdateTags | Operator | |
| autoscaling:CreateScalingPlan | Whitelist | Admins can create an autoscaling plan. |
| autoscaling:DeleteAutoScalingGroup | Whitelist | |
| autoscaling:DeleteLaunchConfiguration | Whitelist | |
| autoscaling:DeleteLifecycleHook | Whitelist | Admins can change the autoscaling process. |
| autoscaling:DeleteNotificationConfiguration | Operator | Operators can control monitoring & notification of the autoscaling group. |
| autoscaling:DeletePolicy | Whitelist | Admins can change the autoscaling process. |
| autoscaling:DeleteScalingPlan | Whitelist | Admins can delete an autoscaling plan. |
| autoscaling:DeleteScheduledAction | Whitelist | Admins can change the autoscaling process. |
| autoscaling:DeleteTags | Operator | |
| autoscaling:DeleteTrigger | Whitelist | |
| autoscaling:DeleteWarmPool | Admin | |
| autoscaling:DescribeAccountLimits | Metadata | |
| autoscaling:DescribeAdjustmentTypes | Metadata | |
| autoscaling:DescribeAutoScalingGroups | Metadata | |
| autoscaling:DescribeAutoScalingInstances | Metadata | |
| autoscaling:DescribeAutoScalingNotificationTypes | Metadata | |
| autoscaling:DescribeInstanceRefreshes | Metadata | |
| autoscaling:DescribeLaunchConfigurations | Metadata | |
| autoscaling:DescribeLifecycleHookTypes | Metadata | |
| autoscaling:DescribeLifecycleHooks | Metadata | |
| autoscaling:DescribeLoadBalancerTargetGroups | Metadata | |
| autoscaling:DescribeLoadBalancers | Metadata | |
| autoscaling:DescribeMetricCollectionTypes | Metadata | |
| autoscaling:DescribeNotificationConfigurations | Metadata | |
| autoscaling:DescribePolicies | Metadata | |
| autoscaling:DescribeScalingActivities | Metadata | |
| autoscaling:DescribeScalingPlanResources | Metadata | Describes the scalable resources in the specified scaling plan. |
| autoscaling:DescribeScalingPlans | Metadata | Describes the specified scaling plans or all of your scaling plans. |
| autoscaling:DescribeScalingProcessTypes | Metadata | |
| autoscaling:DescribeScheduledActions | Metadata | |
| autoscaling:DescribeTags | Metadata | |
| autoscaling:DescribeTerminationPolicyTypes | Metadata | |
| autoscaling:DescribeTriggers | Metadata | |
| autoscaling:DescribeWarmPool | Metadata | |
| autoscaling:DetachInstances | Operator | Operators can manage instances in an autoscaling group but not change its config. |
| autoscaling:DetachLoadBalancerTargetGroups | Operator | Operators can manage instances in an autoscaling group but not change its config. |
| autoscaling:DetachLoadBalancers | Operator | Operators can manage instances in an autoscaling group but not change its config. |
| autoscaling:DisableMetricsCollection | Operator | Operators can control monitoring & notification of the autoscaling group. |
| autoscaling:EnableMetricsCollection | Operator | Operators can control monitoring & notification of the autoscaling group. |
| autoscaling:EnterStandby | Operator | Operators can manage instances in an autoscaling group but not change its config. |
| autoscaling:ExecutePolicy | Operator | Operators can execute a policy that was defined by an Admin. |
| autoscaling:ExitStandby | Operator | Operators can manage instances in an autoscaling group but not change its config. |
| autoscaling:PutLifecycleHook | Whitelist | Admins can change the autoscaling process. |
| autoscaling:PutNotificationConfiguration | Operator | Operators can control monitoring & notification of the autoscaling group. |
| autoscaling:PutScalingPolicy | Whitelist | Admins can change the autoscaling process. |
| autoscaling:PutScheduledUpdateGroupAction | Whitelist | Admins can change the autoscaling process. |
| autoscaling:PutWarmPool | Admin | |
| autoscaling:RecordLifecycleActionHeartbeat | Operator | Operators can manage instances in an autoscaling group but not change its config. |
| autoscaling:ResumeProcesses | Operator | |
| autoscaling:SetDesiredCapacity | Whitelist | |
| autoscaling:SetInstanceHealth | Operator | |
| autoscaling:SetInstanceProtection | Operator | Operators can manage instances in an autoscaling group but not change its config. |
| autoscaling:StartInstanceRefresh | Whitelist | |
| autoscaling:SuspendProcesses | Operator | |
| autoscaling:TerminateInstanceInAutoScalingGroup | Operator | |
| autoscaling:UpdateAutoScalingGroup | Whitelist | |
| aws-marketplace:BatchMeterUsage | Admin | Administrators may report software usage. |
| aws-marketplace:GetEntitlements | Metadata | Viewing the entitlement of a customer to a given product. http://docs.aws.amazon.com/marketplaceentitlement/latest/APIReference/Welcome.html |
| aws-marketplace:MeterUsage | Admin | Administrators may report software usage. |
| aws-marketplace:ResolveCustomer | Admin | Used by SaaS applications; returns the customer identifier and product code based on a registration token. |
| aws-marketplace:Subscribe | Whitelist | Administrators may subscribe to marketplace software. |
| aws-marketplace:Unsubscribe | Whitelist | Administrators may subscribe to marketplace software. |
| aws-marketplace:ViewSubscriptions | Metadata | Viewing marketplace subscriptions is required for server management if the marketplace is used. |
| cloudwatch:DescribeAlarmHistory | Metadata | For console access per the EC2 ReadOnly policy. |
| cloudwatch:DescribeAlarms | Metadata | For console access per the EC2 ReadOnly policy. |
| cloudwatch:DescribeAlarmsForMetric | Metadata | For console access per the EC2 ReadOnly policy. |
| cloudwatch:GetMetricData | Metadata | Allows the GetMetricData API to retrieve metric data in bulk and to perform mathematical expressions on that data. |
| cloudwatch:GetMetricStatistics | Metadata | For console access per the EC2 ReadOnly policy. |
| cloudwatch:ListMetrics | Metadata | For console access per the EC2 ReadOnly policy. |
| ec2-reports:ViewInstanceUsageReport | Metadata | Obscure permission; see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usage-reports.html#iam-access-ec2-reports |
| ec2-reports:ViewReservedInstanceUtilizationReport | Metadata | Obscure permission; see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usage-reports.html#iam-access-ec2-reports |
| ec2:AcceptReservedInstancesExchangeQuote | Admin | Accounts can manage their own reserved instances (but cannot resell them). |
| ec2:AllocateAddress | Admin | Admins can allocate new elastic IP addresses; this is considered safe as the proper routing still needs to be configured for public access. |
| ec2:AllocateHosts | Admin | |
| ec2:AssignIpv6Addresses | Admin | Private IP addresses are within the space allocated to the account, so they can be safely managed by the account. |
| ec2:AssignPrivateIpAddresses | Admin | Private IP addresses are within the space allocated to the account, so they can be safely managed by the account. |
| ec2:AssociateAddress | Admin | Admins can associate elastic IP addresses; this is considered safe as the proper routing still needs to be configured for public access. |
| ec2:AssociateEnclaveCertificateIamRole | Admin | |
| ec2:AssociateIamInstanceProfile | Admin | Admins manage IAM instance profile associations for existing instances. |
| ec2:AssociateInstanceEventWindow | Admin | |
| ec2:AssociateTrunkInterface | Admin | |
| ec2:AttachNetworkInterface | Admin | Network interfaces can be safely used by the account inside the VPC context. |
| ec2:AttachVolume | Admin | |
| ec2:BidEvictedEvent | Admin | Admins can update or terminate spot instances. |
| ec2:BundleInstance | Whitelist | Optional VM export. |
| ec2:CancelBundleTask | Whitelist | Optional VM export. |
| ec2:CancelCapacityReservation | Admin | |
| ec2:CancelCapacityReservationFleets | Admin | |
| ec2:CancelConversionTask | Whitelist | Optional VM export. |
| ec2:CancelExportTask | Whitelist | Optional VM export. |
| ec2:CancelImportTask | Whitelist | Optional VM import. |
| ec2:CancelReservedInstancesListing | Admin | Reserved instance reselling is at the cluster level. |
| ec2:CancelSpotFleetRequests | Admin | |
| ec2:CancelSpotInstanceRequests | Admin | Accounts can safely use spot instances within their VPC. |
| ec2:ConfirmProductInstance | Admin | Only relevant to AMI marketplace sellers. |
| ec2:CopyFpgaImage | Admin | Copies the specified Amazon FPGA Image (AFI) to the current region. |
| ec2:CopyImage | Whitelist | Optional image management. Copies an image between regions, not across accounts. |
| ec2:CopySnapshot | Operator | Low risk operation to copy data within the same account. |
| ec2:CreateCapacityReservation | Admin | |
| ec2:CreateCapacityReservationFleet | Admin | |
| ec2:CreateFleet | Admin | |
| ec2:CreateFpgaImage | Whitelist | Optional FPGA image management. https://aws.amazon.com/ec2/instance-types/f1/ |
| ec2:CreateImage | Whitelist | Optional image management. Creates a new AMI from an instance in the account. |
| ec2:CreateInstanceExportTask | Whitelist | Optional VM export. |
| ec2:CreateInstanceEventWindow | Admin | |
| ec2:CreateKeyPair | Admin | Administrators use key pairs when starting new instances. This should be moved to an option in the future when Turbot supports non-key-pair based login. |
| ec2:CreateLaunchTemplate | Admin | |
| ec2:CreateLaunchTemplateVersion | Admin | |
| ec2:CreateManagedPrefixList | Admin | |
| ec2:CreateNetworkInterfacePermission | Admin | |
| ec2:CreateNetworkInterface | Admin | Network interfaces can be safely used by the account inside the VPC context. |
| ec2:CreatePlacementGroup | Admin | Servers can be safely placed within cluster managed networks. |
| ec2:CreateReplaceRootVolumeTask | Admin | |
| ec2:CreateReservedInstancesListing | Admin | Reserved instance reselling is at the cluster level. |
| ec2:CreateRestoreImageTask | Admin | |
| ec2:CreateSnapshot | Operator | Low risk operation to back up data within the same account. |
| ec2:CreateSnapshots | Operator | Low risk operation to back up data within the same account. |
| ec2:CreateSpotDatafeedSubscription | Admin | Accounts can safely use spot instances within their VPC. |
| ec2:CreateStoreImageTask | Admin | |
| ec2:CreateTags | Operator | Tags are low risk for management in Turbot since accounts, not tags, are the isolation boundary. |
| ec2:CreateVolume | Admin | Storage management is safe within the account. |
| ec2:DeleteFleets | Admin | |
| ec2:DeleteFpgaImage | Admin | Deletes the specified Amazon FPGA Image. |
| ec2:DeleteInstanceEventWindow | Admin | |
| ec2:DeleteKeyPair | Admin | |
| ec2:DeleteLaunchTemplate | Admin | |
| ec2:DeleteLaunchTemplateVersions | Admin | |
| ec2:DeleteManagedPrefixList | Admin | |
| ec2:DeleteNetworkInterface | Admin | Network interfaces can be safely used by the account inside the VPC context. |
| ec2:DeleteNetworkInterfacePermission | Admin | |
| ec2:DeletePlacementGroup | Admin | |
| ec2:DeleteSnapshot | Admin | Deletion of snapshots is limited to Admin, though creation is open to Operator. |
| ec2:DeleteSpotDatafeedSubscription | Admin | |
| ec2:DeleteTags | Operator | Tags are low risk for management in Turbot since accounts, not tags, are the isolation boundary. Most deletions are denied to Operator, but tags are a low risk management activity even for deletion. |
| ec2:DeleteQueuedReservedInstances | Admin | |
| ec2:DeleteVolume | Admin | |
| ec2:DeregisterImage | Whitelist | Optional image management. Deregisters an image, preventing further launches. |
| ec2:DeregisterInstanceEventNotificationAttributes | Admin | |
| ec2:DescribeAccountAttributes | Metadata | |
| ec2:DescribeAddresses | Metadata | |
| ec2:DescribeAddressesAttribute | Metadata | |
| ec2:DescribeAvailabilityZones | Metadata | |
| ec2:DescribeBundleTasks | Metadata | |
| ec2:DescribeCapacityReservations | Metadata | |
| ec2:DescribeCapacityReservationFleets | Metadata | |
| ec2:DescribeCarrierGateways | Metadata | |
| ec2:DescribeClassicLinkInstances | Metadata | |
| ec2:DescribeConversionTasks | Metadata | |
| ec2:DescribeElasticGpus | Metadata | |
| ec2:DescribeExportImageTasks | Metadata | |
| ec2:DescribeExportTasks | Metadata | |
| ec2:DescribeFastSnapshotRestores | Metadata | |
| ec2:DescribeFleetHistory | Metadata | |
| ec2:DescribeFleetInstances | Metadata | |
| ec2:DescribeFleets | Metadata | |
| ec2:DescribeFpgaImageAttribute | Metadata | Describes the specified attribute of the specified Amazon FPGA Image. |
| ec2:DescribeFpgaImages | Metadata | |
| ec2:DescribeHostReservationOfferings | Metadata | |
| ec2:DescribeHostReservations | Metadata | |
| ec2:DescribeHosts | Metadata | |
| ec2:DescribeIamInstanceProfileAssociations | Metadata | |
| ec2:DescribeIdFormat | Metadata | |
| ec2:DescribeIdentityIdFormat | Metadata | |
| ec2:DescribeImageAttribute | Metadata | |
| ec2:DescribeImages | Metadata | |
| ec2:DescribeImportImageTasks | Metadata | |
| ec2:DescribeImportSnapshotTasks | Metadata | |
| ec2:DescribeInstanceAttribute | Metadata | |
| ec2:DescribeInstanceCreditSpecifications | Metadata | |
| ec2:DescribeInstanceEventNotificationAttributes | Metadata | |
| ec2:DescribeInstanceEventWindows | Metadata | |
| ec2:DescribeInstanceStatus | Metadata | |
| ec2:DescribeInstances | Metadata | |
| ec2:DescribeInstanceTypeOfferings | Metadata | |
| ec2:DescribeInstanceTypes | Metadata | |
| ec2:DescribeKeyPairs | Metadata | |
| ec2:DescribeLaunchTemplateVersions | Metadata | |
| ec2:DescribeLaunchTemplates | Metadata | |
| ec2:DescribeLicenses | Metadata | Note: not currently in use by AWS; see http://aws.amazon.com/blogs/aws/bring_your_own_ea_windows_server_license_to_ec2/ |
| ec2:DescribeMovingAddresses | Metadata | |
| ec2:DescribeNetworkInterfaceAttribute | Metadata | |
| ec2:DescribeNetworkInterfacePermissions | Metadata | Describes the permissions of network interfaces. |
| ec2:DescribeNetworkInterfaces | Metadata | |
| ec2:DescribePlacementGroups | Metadata | |
| ec2:DescribePublicIpv4Pools | Metadata | |
| ec2:DescribeIpv6Pools | Metadata | |
| ec2:DescribeReplaceRootVolumeTasks | Metadata | |
| ec2:DescribeRegions | Metadata | |
| ec2:DescribeReservedInstances | Metadata | |
| ec2:DescribeReservedInstancesListings | Metadata | |
| ec2:DescribeReservedInstancesModifications | Metadata | |
| ec2:DescribeReservedInstancesOfferings | Metadata | |
| ec2:DescribeScheduledInstanceAvailability | Metadata | |
| ec2:DescribeScheduledInstances | Metadata | |
| ec2:DescribeSecurityGroupReferences | Metadata | |
| ec2:DescribeSecurityGroups | Metadata | |
| ec2:DescribeSnapshotAttribute | Metadata | |
| ec2:DescribeSnapshotTierStatus | Metadata | |
| ec2:DescribeSnapshots | Metadata | |
| ec2:DescribeSpotDatafeedSubscription | Metadata | |
| ec2:DescribeSpotFleetInstances | Metadata | |
| ec2:DescribeSpotFleetRequestHistory | Metadata | |
| ec2:DescribeSpotFleetRequests | Metadata | |
| ec2:DescribeSpotInstanceRequests | Metadata | |
| ec2:DescribeSpotPriceHistory | Metadata | |
| ec2:DescribeStaleSecurityGroups | Metadata | |
| ec2:DescribeStoreImageTasks | Metadata | |
| ec2:DescribeTags | Metadata | |
| ec2:DescribeVolumeAttribute | Metadata | |
| ec2:DescribeVolumeStatus | Metadata | |
| ec2:DescribeVolumes | Metadata | |
| ec2:DescribeVolumesModifications | Metadata | |
| ec2:DetachClassicLinkVpc | Admin | |
| ec2:DetachNetworkInterface | Admin | Network interfaces can be safely used by the account inside the VPC context. |
| ec2:DetachVolume | Admin | |
| ec2:DisableEbsEncryptionByDefault | Admin | Admins can disable EBS Encryption by Default. |
| ec2:DisableFastSnapshotRestores | Admin | |
| ec2:DisableImageDeprecation | Admin | |
| ec2:DisableSerialConsoleAccess | Admin | |
| ec2:DisassociateAddress | Admin | Admins can disassociate elastic IP addresses. |
| ec2:DisassociateEnclaveCertificateIamRole | Admin | |
| ec2:DisassociateIamInstanceProfile | Admin | Admins manage IAM instance profile associations for existing instances. |
| ec2:DisassociateInstanceEventWindow | Admin | |
| ec2:DisassociateTrunkInterface | Admin | |
| ec2:EnableFastSnapshotRestores | Admin | |
| ec2:EnableImageDeprecation | Admin | |
| ec2:EnableSerialConsoleAccess | Admin | |
| ec2:EnableEbsEncryptionByDefault | Admin | Admins can enable EBS Encryption by Default. |
| ec2:EnableVolumeIO | Admin | |
| ec2:ExportImage | Operator | |
| ec2:GetAssociatedEnclaveCertificateIamRoles | Metadata | |
| ec2:GetCapacityReservationUsage | Metadata | |
| ec2:GetConsoleOutput | Metadata | Allows viewing of console output from machines; helpful for monitoring and investigating a system during boot. Considered Metadata rather than ReadOnly since systems should not be logging sensitive information and it is a key part of troubleshooting before needing access to the actual machine (which would obviously be at least ReadOnly). |
| ec2:GetConsoleScreenshot | Metadata | Allows viewing of an on-demand screenshot of an instance's console, which is helpful for monitoring and investigating systems when they become unreachable via RDS and SSH. Considered Metadata rather than ReadOnly since it is a key part of troubleshooting when the instance is unreachable. |
| ec2:GetDefaultCreditSpecification | Metadata | |
| ec2:GetEbsDefaultKmsKeyId | Metadata | |
| ec2:GetEbsEncryptionByDefault | Metadata | |
| ec2:GetGroupsForCapacityReservation | Metadata | |
| ec2:GetHostReservationPurchasePreview | Metadata | Allows preview of a host reservation purchase but does not result in the offering being purchased. |
| ec2:GetInstanceTypesFromInstanceRequirements | Metadata | |
| ec2:GetLaunchTemplateData | Metadata | Launch template data contains metadata about the EC2 instance. |
| ec2:GetPasswordData | Admin | Required for launch of Windows machines and used with key pairs. |
| ec2:GetReservedInstancesExchangeQuote | Metadata | |
| ec2:GetSerialConsoleAccessStatus | Metadata | |
| ec2:GetSpotPlacementScores | Metadata | |
| ec2:ImportImage | Whitelist | Optional VM import. |
| ec2:ImportInstance | Whitelist | Optional VM import. |
| ec2:ImportKeyPair | Admin | Administrators use key pairs when starting new instances. This should be moved to an option in the future when Turbot supports non-key-pair based login. |
| ec2:ImportSnapshot | Whitelist | Optional VM import. |
| ec2:ImportVolume | Whitelist | Optional VM import. |
| ec2:ListSnapshotsInRecycleBin | Metadata | |
| ec2:ModifyAvailabilityZoneGroup | Admin | |
| ec2:ModifyCapacityReservation | Admin | |
| ec2:ModifyCapacityReservationFleet | Admin | |
| ec2:ModifyDefaultCreditSpecification | Admin | |
| ec2:ModifyEbsDefaultKmsKeyId | Admin | Admins can update the default KMS key for EBS Encryption by Default. |
| ec2:ModifyFleet | Admin | |
| ec2:ModifyFpgaImageAttribute | Admin | Modifies the specified attributes (description |
| ec2:ModifyHosts | Admin | |
| ec2:ModifyIdFormat | Admin | |
| ec2:ModifyIdentityIdFormat | Admin | |
| ec2:ModifyInstanceEventWindow | Admin | |
| ec2:ModifyImageAttribute | Whitelist | Optional image attribute management. |
| ec2:ModifyInstanceAttribute | Admin | Accounts can manage their own instances. |
| ec2:ModifyInstanceCapacityReservationAttributes | Admin | |
| ec2:ModifyInstanceCreditSpecification | Admin | |
| ec2:ModifyInstanceEventStartTime | Admin | |
| ec2:ModifyInstanceMetadataOptions | Admin | |
| ec2:ModifyInstancePlacement | Admin | |
| ec2:ModifyLaunchTemplate | Admin | |
| ec2:ModifyNetworkInterfaceAttribute | Admin | Network interfaces can be safely used by the account inside the VPC context. |
| ec2:ModifyReservedInstances | Admin | Accounts can manage their own reserved instances (but cannot resell them). |
| ec2:ModifySnapshotTier | Admin | |
| ec2:ModifySnapshotAttribute | Admin | Allows for cross-account access. |
| ec2:ModifySpotFleetRequest | Admin | |
| ec2:ModifyVolume | Admin | Within-account storage performance changes. |
| ec2:ModifyVolumeAttribute | Admin | Within-account storage performance changes. |
| ec2:MonitorInstances | Admin | Monitoring frequency is managed by accounts. |
| ec2:MoveAddressToVpc | Admin | |
| ec2:PurchaseHostReservation | Admin | Accounts can manage their own dedicated hosts. |
| ec2:PurchaseReservedInstancesOffering | Admin | Accounts can manage their own reserved instances (but cannot resell them). |
| ec2:PurchaseScheduledInstances | Owner | Long term subscriptions are managed by owners. |
| ec2:RebootInstances | Operator | Operators can start, stop and reboot existing instances. |
| ec2:RegisterImage | Whitelist | Optional image management. Registers an AMI for launching; typically done automatically as part of CreateImage. |
| ec2:RegisterInstanceEventNotificationAttributes | Admin | |
| ec2:ReleaseAddress | Admin | Admins can release elastic IP addresses. |
| ec2:ReleaseHosts | Admin | |
| ec2:ReplaceIamInstanceProfileAssociation | Admin | Admins manage IAM instance profile associations for existing instances. |
| ec2:ReportInstanceStatus | Operator | Operators can report bad instances to AWS support. |
| ec2:RequestSpotFleet | Admin | |
| ec2:RequestSpotInstances | Admin | Accounts can safely use spot instances within their VPC. |
| ec2:ResetEbsDefaultKmsKeyId | Admin | Admins can reset the default KMS key for EBS Encryption by Default to the AWS managed CMK for EBS. |
| ec2:ResetFpgaImageAttribute | Admin | Resets the load permission attribute. |
| ec2:ResetImageAttribute | Whitelist | Optional image attribute management. |
| ec2:ResetInstanceAttribute | Admin | Instances are managed by accounts. |
| ec2:ResetNetworkInterfaceAttribute | Admin | Network interfaces can be safely used by the account inside the VPC context. |
| ec2:ResetSnapshotAttribute | Admin | |
| ec2:RestoreAddressToClassic | Admin | EC2-Classic should not be used. |
| ec2:RestoreSnapshotTier | Admin | |
| ec2:RestoreSnapshotFromRecycleBin | Admin | |
| ec2:RunInstances | Admin | Only Admin can create new instances. |
| ec2:RunScheduledInstances | Admin | |
| ec2:SendDiagnosticInterrupt | Admin | |
| ec2:SendSpotInstanceInterruptions | Admin | |
| ec2:StartInstances | Operator | Operators can start, stop and reboot existing instances. |
| ec2:StopInstances | Operator | Operators can start, stop and reboot existing instances. |
| ec2:TerminateInstances | Admin | Only Admin can terminate instances. |
| ec2:UnassignIpv6Addresses | Admin | Private IP addresses are within the space allocated to the account, so they can be safely managed by the account. |
| ec2:UnassignPrivateIpAddresses | Admin | Private IP addresses are within the space allocated to the account, so they can be safely managed by the account. |
| ec2:UnmonitorInstances | Admin | Monitoring frequency is managed by accounts. |
| elastic-inference:Connect | Admin | |
| elasticloadbalancing:AddListenerCertificates | Admin | Admin can add the specified certificate to the specified secure listener. |
| elasticloadbalancing:AddTags | Operator | Operators can manage tag metadata for ELBs. |
| elasticloadbalancing:ApplySecurityGroupsToLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:AttachLoadBalancerToSubnets | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:ConfigureHealthCheck | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:CreateAppCookieStickinessPolicy | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:CreateLBCookieStickinessPolicy | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:CreateListener | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
| elasticloadbalancing:CreateLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:CreateLoadBalancerListeners | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:CreateLoadBalancerPolicy | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:CreateRule | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
| elasticloadbalancing:CreateTargetGroup | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
| elasticloadbalancing:DeleteListener | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
| elasticloadbalancing:DeleteLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:DeleteLoadBalancerListeners | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:DeleteLoadBalancerPolicy | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:DeleteRule | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
| elasticloadbalancing:DeleteTargetGroup | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
| elasticloadbalancing:DeregisterInstancesFromLoadBalancer | Operator | Operators can manage individual instances on the ELB as part of being able to stop, start and reboot servers. |
| elasticloadbalancing:DeregisterTargets | Operator | Operators can manage individual instances on the ALB as part of being able to stop, start and reboot servers. |
| elasticloadbalancing:DescribeAccountLimits | Metadata | |
| elasticloadbalancing:DescribeInstanceHealth | Metadata | |
| elasticloadbalancing:DescribeListenerCertificates | Metadata | |
| elasticloadbalancing:DescribeListeners | Metadata | |
| elasticloadbalancing:DescribeLoadBalancerAttributes | Metadata | |
| elasticloadbalancing:DescribeLoadBalancerPolicies | Metadata | |
| elasticloadbalancing:DescribeLoadBalancerPolicyTypes | Metadata | |
| elasticloadbalancing:DescribeLoadBalancers | Metadata | |
| elasticloadbalancing:DescribeRules | Metadata | |
| elasticloadbalancing:DescribeSSLPolicies | Metadata | |
| elasticloadbalancing:DescribeTags | Metadata | |
| elasticloadbalancing:DescribeTargetGroupAttributes | Metadata | |
| elasticloadbalancing:DescribeTargetGroups | Metadata | |
| elasticloadbalancing:DescribeTargetHealth | Metadata | |
| elasticloadbalancing:DetachLoadBalancerFromSubnets | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:ModifyListener | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
| elasticloadbalancing:ModifyLoadBalancerAttributes | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:ModifyRule | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
| elasticloadbalancing:ModifyTargetGroup | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
| elasticloadbalancing:ModifyTargetGroupAttributes | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
| elasticloadbalancing:RegisterInstancesWithLoadBalancer | Operator | Operators can manage individual instances on the ELB as part of being able to stop, start and reboot servers. |
| elasticloadbalancing:RegisterTargets | Operator | Operators can manage individual instances on the ELB as part of being able to stop, start and reboot servers. |
| elasticloadbalancing:RemoveListenerCertificates | Admin | Admin can remove the specified certificate from the specified secure listener. |
| elasticloadbalancing:RemoveTags | Operator | Operators can manage tag metadata for ELBs. |
| elasticloadbalancing:SetIpAddressType | Admin | |
| elasticloadbalancing:SetLoadBalancerListenerSSLCertificate | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:SetLoadBalancerPoliciesOfListener | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
| elasticloadbalancing:SetRulePriorities | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
| elasticloadbalancing:SetSecurityGroups | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
| elasticloadbalancing:SetSubnets | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
| elasticloadbalancing:SetWebAcl | Admin | |
| health:DescribeEventAggregates | Metadata | |
| iam:PassRole | Admin | |
| kms:ListAliases | Metadata | |
| marketplacecommerceanalytics:GenerateDataSet | Admin | Administrators may access product and customer data on the AWS Marketplace. |
| marketplacecommerceanalytics:StartSupportDataExport | Admin | Administrators may access product and customer data on the AWS Marketplace. |

Version: 5.35.0
Released On: Sep 15, 2023

Release Notes

5.35.0 (2023-09-15)

Bug fixes

  • After starting/stopping an instance successfully, the AWS > EC2 > Instance > Schedule control would try to perform the same start/stop action again if the state of the instance was changed outside of the control within 1 hour of the successful start/stop run. This is fixed and the control will now not trigger a start/stop action again for at least 1 hour after the previous successful run.

Policy Types

Added

  • AWS > EC2 > Instance > Schedule Tag > Name

5.34.0 (2023-08-01)

What's new?

  • We would sometimes fail to update or clean up stopped/terminated instances via real-time events if the instances were handled via OS-level commands. We've now added support for real-time event handling of EC2 Instance State-change Notification to process EC2:StopInstances and EC2:TerminateInstances events more reliably than before. Please note that this feature will only be enabled if the aws mod is on version 5.26.0 or higher.
  • README.md file is now available for users to check details about the resource types and service permissions that the mod covers.

5.33.0 (2023-06-29)

What's new?

  • The AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed and AWS > EC2 > Load Balancer Listener > SSL Policy > Default policies now include TLS 1.3 policies in the list of AWS SSL policies that the AWS EC2 load balancer listener can use.

Bug fixes

  • The AWS > EC2 > Key Pair > Discovery control would sometimes go into an error state if a Key Pair alias included a backslash. This is now fixed.

5.32.0 (2023-06-01)

What's new?

  • Resource metadata will now also include createdBy details in the Turbot CMDB.
  • We've added new Turbot AKAs for AWS > EC2 resource types that match their individual unique identifiers. E.g. InstanceId will now also be a Turbot AKA for AWS > EC2 > Instance, VolumeId for AWS > EC2 > Volume, etc. Querying such resources in Turbot will now be easier than before.

5.31.8 (2023-05-12)

Bug fixes

  • In a busy environment, the AWS > EC2 > Instance > Approved control would sometimes evaluate Root Volume Encryption incorrectly and set it to Not approved even before gauging all parameters for root volume encryption. This is fixed and Root Volume Encryption will now be correctly evaluated before setting the final state of the control.

5.31.7 (2023-03-08)

Bug fixes

  • We've updated the EventBridge Rule for ElasticLoadBalancing to filter out elasticloadbalancing:DeregisterTargets and elasticloadbalancing:RegisterTargets real-time events to reduce unnecessary noise caused by the processing of such events in Turbot.

5.31.6 (2022-12-13)

Bug fixes

  • The StateReason attribute in an instance's CMDB data would sometimes fail to update correctly if the instance was started/stopped. This is now fixed.

5.31.5 (2022-11-15)

Bug fixes

  • Turbot would sometimes fail to process the ec2:CreateVolume real-time event and not upsert the volume correctly in Turbot. This is fixed and volumes will now be discovered and upserted in Turbot more reliably and consistently than before.

5.31.4 (2022-11-08)

Bug fixes

  • Previously, for any instance, volume, snapshot or key pair missing from Turbot, we would skip and not process any of the real-time update events for such resources. From now on, for any such update event, we will try to discover all missing resources and upsert them into the Turbot CMDB, allowing users to manage their resources more reliably and consistently than before.

5.31.3 (2022-09-30)

Bug fixes

  • The AWS > EC2 > Instance > Schedule control would sometimes fail to start/stop an instance as defined in AWS > EC2 > Instance > Schedule policy. This is fixed and the control will now start/stop instances more reliably and consistently than before.

5.31.2 (2022-07-18)

Bug fixes

  • We'd sometimes fail to capture start/stop real-time events for instances when multiple instances were started or stopped at the same time. This is fixed and the CMDB data for such instances will now be more consistent and reflect accurate status details.

5.31.1 (2022-07-13)

Bug fixes

  • The lambda functions for certain controls/actions would re-run unnecessarily whenever the mod version was updated. This has now been fixed.

5.31.0 (2022-07-12)

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
  • A README.md file is now available for users to check details about the resource types and service permissions that the mod covers.

Action Types

Added

  • AWS > EC2 > AMI > Delete from AWS
  • AWS > EC2 > AMI > Set Tags
  • AWS > EC2 > AMI > Skip alarm for Active control
  • AWS > EC2 > AMI > Skip alarm for Active control [90 days]
  • AWS > EC2 > AMI > Skip alarm for Approved control
  • AWS > EC2 > AMI > Skip alarm for Approved control [90 days]
  • AWS > EC2 > AMI > Skip alarm for Tags control
  • AWS > EC2 > AMI > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Application Load Balancer > Delete from AWS
  • AWS > EC2 > Application Load Balancer > Set Tags
  • AWS > EC2 > Application Load Balancer > Skip alarm for Active control
  • AWS > EC2 > Application Load Balancer > Skip alarm for Active control [90 days]
  • AWS > EC2 > Application Load Balancer > Skip alarm for Approved control
  • AWS > EC2 > Application Load Balancer > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Application Load Balancer > Skip alarm for Tags control
  • AWS > EC2 > Application Load Balancer > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Auto Scaling Group > Delete from AWS
  • AWS > EC2 > Auto Scaling Group > Set Tags
  • AWS > EC2 > Auto Scaling Group > Skip alarm for Active control
  • AWS > EC2 > Auto Scaling Group > Skip alarm for Active control [90 days]
  • AWS > EC2 > Auto Scaling Group > Skip alarm for Approved control
  • AWS > EC2 > Auto Scaling Group > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Auto Scaling Group > Skip alarm for Tags control
  • AWS > EC2 > Auto Scaling Group > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Classic Load Balancer > Delete from AWS
  • AWS > EC2 > Classic Load Balancer > Set Tags
  • AWS > EC2 > Classic Load Balancer > Skip alarm for Active control
  • AWS > EC2 > Classic Load Balancer > Skip alarm for Active control [90 days]
  • AWS > EC2 > Classic Load Balancer > Skip alarm for Approved control
  • AWS > EC2 > Classic Load Balancer > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Classic Load Balancer > Skip alarm for Tags control
  • AWS > EC2 > Classic Load Balancer > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Classic Load Balancer Listener > Delete from AWS
  • AWS > EC2 > Classic Load Balancer Listener > Skip alarm for Active control
  • AWS > EC2 > Classic Load Balancer Listener > Skip alarm for Active control [90 days]
  • AWS > EC2 > Classic Load Balancer Listener > Skip alarm for Approved control
  • AWS > EC2 > Classic Load Balancer Listener > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Gateway Load Balancer > Delete from AWS
  • AWS > EC2 > Gateway Load Balancer > Set Tags
  • AWS > EC2 > Gateway Load Balancer > Skip alarm for Active control
  • AWS > EC2 > Gateway Load Balancer > Skip alarm for Active control [90 days]
  • AWS > EC2 > Gateway Load Balancer > Skip alarm for Approved control
  • AWS > EC2 > Gateway Load Balancer > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Gateway Load Balancer > Skip alarm for Tags control
  • AWS > EC2 > Gateway Load Balancer > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Instance > Delete from AWS
  • AWS > EC2 > Instance > Disable Termination Protection
  • AWS > EC2 > Instance > Enable Termination Protection
  • AWS > EC2 > Instance > Set Tags
  • AWS > EC2 > Instance > Skip alarm for Active control
  • AWS > EC2 > Instance > Skip alarm for Active control [90 days]
  • AWS > EC2 > Instance > Skip alarm for Approved control
  • AWS > EC2 > Instance > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Instance > Skip alarm for Tags control
  • AWS > EC2 > Instance > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Instance > Start Instance
  • AWS > EC2 > Instance > Stop Instance
  • AWS > EC2 > Key Pair > Delete from AWS
  • AWS > EC2 > Key Pair > Set Tags
  • AWS > EC2 > Key Pair > Skip alarm for Active control
  • AWS > EC2 > Key Pair > Skip alarm for Active control [90 days]
  • AWS > EC2 > Key Pair > Skip alarm for Approved control
  • AWS > EC2 > Key Pair > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Key Pair > Skip alarm for Tags control
  • AWS > EC2 > Key Pair > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Launch Configuration > Delete from AWS
  • AWS > EC2 > Launch Configuration > Skip alarm for Active control
  • AWS > EC2 > Launch Configuration > Skip alarm for Active control [90 days]
  • AWS > EC2 > Launch Configuration > Skip alarm for Approved control
  • AWS > EC2 > Launch Configuration > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Launch Template > Delete from AWS
  • AWS > EC2 > Launch Template > Set Tags
  • AWS > EC2 > Launch Template > Skip alarm for Active control
  • AWS > EC2 > Launch Template > Skip alarm for Active control [90 days]
  • AWS > EC2 > Launch Template > Skip alarm for Approved control
  • AWS > EC2 > Launch Template > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Launch Template > Skip alarm for Tags control
  • AWS > EC2 > Launch Template > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Launch Template Version > Delete from AWS
  • AWS > EC2 > Launch Template Version > Skip alarm for Active control
  • AWS > EC2 > Launch Template Version > Skip alarm for Active control [90 days]
  • AWS > EC2 > Launch Template Version > Skip alarm for Approved control
  • AWS > EC2 > Launch Template Version > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Listener Rule > Delete from AWS
  • AWS > EC2 > Listener Rule > Skip alarm for Active control
  • AWS > EC2 > Listener Rule > Skip alarm for Active control [90 days]
  • AWS > EC2 > Listener Rule > Skip alarm for Approved control
  • AWS > EC2 > Listener Rule > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Load Balancer Listener > Delete from AWS
  • AWS > EC2 > Load Balancer Listener > Skip alarm for Active control
  • AWS > EC2 > Load Balancer Listener > Skip alarm for Active control [90 days]
  • AWS > EC2 > Load Balancer Listener > Skip alarm for Approved control
  • AWS > EC2 > Load Balancer Listener > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Network Interface > Delete from AWS
  • AWS > EC2 > Network Interface > Set Tags
  • AWS > EC2 > Network Interface > Skip alarm for Active control
  • AWS > EC2 > Network Interface > Skip alarm for Active control [90 days]
  • AWS > EC2 > Network Interface > Skip alarm for Approved control
  • AWS > EC2 > Network Interface > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Network Interface > Skip alarm for Tags control
  • AWS > EC2 > Network Interface > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Network Load Balancer > Delete from AWS
  • AWS > EC2 > Network Load Balancer > Set Tags
  • AWS > EC2 > Network Load Balancer > Skip alarm for Active control
  • AWS > EC2 > Network Load Balancer > Skip alarm for Active control [90 days]
  • AWS > EC2 > Network Load Balancer > Skip alarm for Approved control
  • AWS > EC2 > Network Load Balancer > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Network Load Balancer > Skip alarm for Tags control
  • AWS > EC2 > Network Load Balancer > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Snapshot > Delete from AWS
  • AWS > EC2 > Snapshot > Set Tags
  • AWS > EC2 > Snapshot > Skip alarm for Active control
  • AWS > EC2 > Snapshot > Skip alarm for Active control [90 days]
  • AWS > EC2 > Snapshot > Skip alarm for Approved control
  • AWS > EC2 > Snapshot > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Snapshot > Skip alarm for Tags control
  • AWS > EC2 > Snapshot > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Target Group > Delete from AWS
  • AWS > EC2 > Target Group > Set Tags
  • AWS > EC2 > Target Group > Skip alarm for Active control
  • AWS > EC2 > Target Group > Skip alarm for Active control [90 days]
  • AWS > EC2 > Target Group > Skip alarm for Approved control
  • AWS > EC2 > Target Group > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Target Group > Skip alarm for Tags control
  • AWS > EC2 > Target Group > Skip alarm for Tags control [90 days]
  • AWS > EC2 > Volume > Detach, snapshot and delete from AWS
  • AWS > EC2 > Volume > Set Tags
  • AWS > EC2 > Volume > Skip alarm for Active control
  • AWS > EC2 > Volume > Skip alarm for Active control [90 days]
  • AWS > EC2 > Volume > Skip alarm for Approved control
  • AWS > EC2 > Volume > Skip alarm for Approved control [90 days]
  • AWS > EC2 > Volume > Skip alarm for Tags control
  • AWS > EC2 > Volume > Skip alarm for Tags control [90 days]

5.30.2 (2022-05-11)

Bug fixes

  • The AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed and AWS > EC2 > Load Balancer Listener > SSL Policy > Default policies now include ELBSecurityPolicy-FS-1-2-Res-2020-10 in the list of AWS SSL policies that the AWS EC2 load balancer listener can use.

5.30.1 (2022-04-12)

Bug fixes

  • AWS > EC2 > Snapshot > CMDB control will now re-run after a 5 minute interval if a snapshot is in a transitional state, e.g. pending or recovering. This will allow the snapshot's CMDB data to be more reliable than before.

5.30.0 (2022-03-04)

Policy Types

Added

  • AWS > EC2 > Instance > Default Platform

5.29.1 (2022-03-02)

Bug fixes

  • The AWS > EC2 > Instance > Approved control would go into an error state if the AWS > EC2 > Instance > Approved > Image > * policies were set and the AMI was deleted/not available in AWS. This is now fixed.
  • The AWS > EC2 > Instance > Approved control would sometimes go into an error state if the AWS > EC2 > Instance > Approved > Image > Publishers policy included account IDs. This is now fixed.

5.29.0 (2022-02-04)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks are evaluated as part of the Approved control, and custom messages can be added that are displayed in the control details table. See Custom Checks for more information.

Bug fixes

  • We've improved the process of deleting resources from Turbot if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.

Policy Types

Added

  • AWS > EC2 > AMI > Approved > Custom
  • AWS > EC2 > Application Load Balancer > Approved > Custom
  • AWS > EC2 > Auto Scaling Group > Approved > Custom
  • AWS > EC2 > Classic Load Balancer > Approved > Custom
  • AWS > EC2 > Classic Load Balancer Listener > Approved > Custom
  • AWS > EC2 > Gateway Load Balancer > Approved > Custom
  • AWS > EC2 > Instance > Approved > Custom
  • AWS > EC2 > Key Pair > Approved > Custom
  • AWS > EC2 > Launch Configuration > Approved > Custom
  • AWS > EC2 > Launch Template > Approved > Custom
  • AWS > EC2 > Launch Template Version > Approved > Custom
  • AWS > EC2 > Listener Rule > Approved > Custom
  • AWS > EC2 > Load Balancer Listener > Approved > Custom
  • AWS > EC2 > Network Interface > Approved > Custom
  • AWS > EC2 > Network Load Balancer > Approved > Custom
  • AWS > EC2 > Snapshot > Approved > Custom
  • AWS > EC2 > Target Group > Approved > Custom
  • AWS > EC2 > Volume > Approved > Custom

5.28.4 (2022-02-01)

Bug fixes

  • The AWS > Turbot > Permissions > Compiled > Lockdown Statements > @turbot/aws-ec2 policy would fail to compile the lockdown statements correctly if the AWS > EC2 > Instance > Approved > Image > Publishers policy included account IDs. This is now fixed.

5.28.3 (2022-01-28)

Bug fixes

  • The AWS > EC2 > Instance > Schedule control would incorrectly go into a skipped state if the AWS > EC2 > Instance > Schedule policy was set to Skip but the AWS > EC2 > Instance > Schedule Tag policy was set to Enforce: Schedule per turbot_custom_schedule tag. This is fixed and the control will now work as expected.

5.28.2 (2022-01-27)

Bug fixes

  • Turbot would sometimes show unnecessary error notifications for volumes in the activity tab while processing the EC2:RunInstances event. This is now fixed.

5.28.1 (2022-01-17)

Bug fixes

  • The AWS > EC2 > Instance > CMDB control would delete an instance incorrectly if the AMI used for creating the instance was deleted or made private. This is now fixed.

5.28.0 (2022-01-10)

What's new?

  • The AWS > EC2 > Instance > Approved control would sometimes go into an Invalid state incorrectly because the root volume attached to a newly created instance was not discovered consistently in Turbot. We've now added real-time event handling for EBS Volume Notifications so that EC2:CreateVolume, EC2:ModifyVolume and EC2:DeleteVolume events are processed more reliably than before, which also allows the AWS > EC2 > Instance > Approved control to evaluate its outcome correctly and consistently. Please note that this feature is only enabled if the aws mod is on version 5.21.0 or higher.

5.27.0 (2021-12-21)

What's new?

  • AWS/EC2/Admin, AWS/EC2/Metadata and AWS/EC2/Operator now include permissions for Capacity Reservation Fleet, Instance Event Window, Managed Prefix List, Snapshots In Recycle Bin, Warm Pool and Public IPv4 Pool.

Policy Types

Added

  • AWS > EC2 > Permissions > Lockdown > Instance
  • AWS > EC2 > Permissions > Lockdown > Instance > Image
  • AWS > EC2 > Permissions > Lockdown > Instance > Image > AMI IDs
  • AWS > EC2 > Permissions > Lockdown > Instance > Image > Publishers

5.26.0 (2021-09-17)

What's new?

  • Auto Scaling Group's CMDB data will now include details of its scheduled actions.

Bug fixes

  • The security group details under NetworkInterfaces in the Instances' CMDB data will now be properly and consistently sorted.

5.25.0 (2021-07-22)

What's new?

  • AWS/EC2 permission levels now include Auto Scaling plans, Auto Scaling instance refresh and Public IPv4 Pool permissions.

5.24.0 (2021-07-08)

What's new?

  • We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.23.0 (2021-06-23)

What's new?

  • AWS/EC2/Admin now includes capacity reservation, fleet and elastic inference permissions.

    AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-ec2 policy now includes elastic-inference:* and tiros:*.

5.22.0 (2021-06-21)

Resource Types

Added

  • AWS > EC2 > Account Attributes

Control Types

Added

  • AWS > EC2 > Account Attributes > CMDB
  • AWS > EC2 > Account Attributes > Discovery
  • AWS > EC2 > Account Attributes > EBS Encryption by Default

Policy Types

Added

  • AWS > EC2 > Account Attributes > CMDB
  • AWS > EC2 > Account Attributes > EBS Encryption by Default
  • AWS > EC2 > Account Attributes > EBS Encryption by Default > Customer Managed Key
  • AWS > EC2 > Account Attributes > Regions

Action Types

Added

  • AWS > EC2 > Account Attributes > Router
  • AWS > EC2 > Account Attributes > Update EBS Encryption by Default

5.21.6 (2021-05-18)

Bug fixes

  • We've improved our retry mechanism for throttling errors on API calls to be more efficient. You won’t notice any difference, but things should run better than before.

5.21.5 (2021-05-13)

Bug fixes

  • We've updated the AWS > EC2 > Permissions > Lockdown > Instance Types and AWS > EC2 > Permissions > Lockdown > Volume Types policies' default values to be [*]. This will allow these policies to run much lighter and faster than before.

    We recommend that users include the instance types from all AWS > EC2 > Instance > Approved > Instance Types policy settings and the volume types from all AWS > EC2 > Volume > Approved > Volume Types policy settings in the respective lockdown policies, so that the lockdown policies do not deny any instance or volume type that is approved elsewhere.
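
As an added illustration of what a non-default lockdown amounts to at the IAM layer (an example policy written for this page, not the output of the AWS > Turbot > Permissions > Compiled > Lockdown Statements > @turbot/aws-ec2 policy), here is a deny policy that only permits an assumed set of approved instance types, volume types and image publishers. It relies on the ec2:InstanceType, ec2:VolumeType and ec2:Owner condition keys that AWS evaluates on ec2:RunInstances and ec2:CreateVolume. With the default value of [*] every type matches, so no deny of this kind is needed. The type lists and the publisher list (the account ID 123456789012 is a placeholder) are assumptions chosen for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LockdownInstanceTypes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotLike": { "ec2:InstanceType": ["t3.*", "m5.*"] }
      }
    },
    {
      "Sid": "LockdownVolumeTypes",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances", "ec2:CreateVolume"],
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "StringNotEquals": { "ec2:VolumeType": ["gp3", "io2"] }
      }
    },
    {
      "Sid": "LockdownImagePublishers",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*::image/*",
      "Condition": {
        "StringNotEquals": { "ec2:Owner": ["amazon", "123456789012"] }
      }
    }
  ]
}
```

The check worth running before narrowing a lockdown is the one the recommendation above describes: take the union of every Approved > Instance Types and Approved > Volume Types setting in the hierarchy and confirm each value appears in the corresponding lockdown list. A type that is approved in Turbot but absent from the lockdown is refused at the AWS API with an AccessDenied error rather than merely raising an alarm in Turbot, which is a much harder failure for the workload owner to diagnose.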

5.21.4 (2021-05-06)

Bug fixes

  • We made some improvements earlier to upsert snapshots automatically if they were created from instances, but that wouldn't work since we did not add the ec2:CreateSnapshots event in the EventBridge rule for EC2. This is now fixed and snapshots created from instances will now be upserted automatically via real-time event handling in Turbot.

    We recommend that users run the AWS > EC2 > Snapshot > Discovery control to upsert all snapshots that Turbot might have missed upserting earlier. This will help Turbot manage all such snapshots correctly.

5.21.3 (2021-05-05)

Bug fixes

  • The AWS > EC2 > Instance > CMDB control would sometimes go into an error state for terminated instances and would fail to delete such instances from Turbot. This is now fixed.
  • Turbot will now raise EC2:BidEvictedEvent events correctly to handle spot instance interruptions.
  • Snapshots created from instances were not upserted automatically into Turbot. This is now fixed.

5.21.2 (2021-04-23)

Bug fixes

  • We've improved the way we refresh the CMDB data for instances, snapshots and volumes for tagging events like EC2:CreateTags and EC2:DeleteTags. We understand that API calls are expensive and we'll now make fewer of them for such events, and the respective CMDB controls will run lighter than before.

5.21.1 (2021-04-13)

Bug fixes

  • We’ve made a few improvements in the GraphQL queries for various controls, policies, and actions. You won’t notice any difference, but things should run lighter and quicker than before.

5.21.0 (2021-04-02)

What's new?

  • We've improved our event handling configuration and now filter which AWS events Turbot listens for based on resources' CMDB policies. If a resource's CMDB policy is not set to Enforce: Enabled, the EventBridge rules are configured not to send any events for that resource. This greatly reduces the number of unnecessary events that Turbot listens for and handles. Please note that this feature is only enabled for workspaces on TE v5.36.0 or higher and, because the VPC mods also use EC2 events for their own resources, only once each installed VPC mod meets its minimum version: aws-vpc-core v5.10.0, aws-vpc-internet v5.7.0, aws-vpc-connect v5.5.0 and aws-vpc-security v5.5.0, or higher. We recommend upgrading the aws-ec2 mod to v5.21.0 first and then upgrading the installed VPC mods to the versions above for a smooth transition to event filtering.
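
As an added illustration (not the mod's own rule definition, which the AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-ec2 policy generates), here is the shape of EventBridge event pattern that both this entry and the 5.31.7 entry above describe: only CloudTrail API-call events for resource types whose CMDB policy is Enforce: Enabled are subscribed to, and the noisy elasticloadbalancing:RegisterTargets and elasticloadbalancing:DeregisterTargets calls are simply absent from the eventName list. The particular set of event names is an assumption for the example, standing in for a workspace where instances, volumes, snapshots, tags, load balancers and target groups are tracked.

```json
{
  "source": ["aws.ec2", "aws.elasticloadbalancing"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com", "elasticloadbalancing.amazonaws.com"],
    "eventName": [
      "RunInstances", "StartInstances", "StopInstances", "TerminateInstances",
      "CreateVolume", "ModifyVolume", "DeleteVolume",
      "CreateSnapshot", "CreateSnapshots", "DeleteSnapshot",
      "CreateTags", "DeleteTags",
      "CreateLoadBalancer", "DeleteLoadBalancer",
      "CreateTargetGroup", "DeleteTargetGroup"
    ]
  }
}
```

Disabling a resource type's CMDB policy corresponds to removing its event names from the list; a rule with an empty allow list for a source matches nothing, so no Lambda invocations are billed for it. Where a small number of high-volume calls need to be excluded from an otherwise broad subscription, EventBridge also accepts a negated matcher on the same field, written as {"anything-but": ["RegisterTargets", "DeregisterTargets"]} in place of the literal list; the two forms cannot be combined on a single field, which is why the example uses an explicit allow list.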

Policy Types

Added

  • AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-ec2

Removed

  • AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-ec2

5.20.0 (2021-03-19)

Bug fixes

  • The AWS > EC2 > Snapshot > Approved control would sometimes go into an error state if the KMS key used to encrypt the snapshot was not available in Turbot CMDB. This is fixed and the control will now work as expected.

Resource Types

Added

  • AWS > EC2 > Gateway Load Balancer

Control Types

Added

  • AWS > EC2 > Gateway Load Balancer > Active
  • AWS > EC2 > Gateway Load Balancer > Approved
  • AWS > EC2 > Gateway Load Balancer > CMDB
  • AWS > EC2 > Gateway Load Balancer > Discovery
  • AWS > EC2 > Gateway Load Balancer > Tags
  • AWS > EC2 > Gateway Load Balancer > Usage

Policy Types

Added

  • AWS > EC2 > Gateway Load Balancer > Active
  • AWS > EC2 > Gateway Load Balancer > Active > Age
  • AWS > EC2 > Gateway Load Balancer > Active > Budget
  • AWS > EC2 > Gateway Load Balancer > Active > Last Modified
  • AWS > EC2 > Gateway Load Balancer > Approved
  • AWS > EC2 > Gateway Load Balancer > Approved > Budget
  • AWS > EC2 > Gateway Load Balancer > Approved > Regions
  • AWS > EC2 > Gateway Load Balancer > Approved > Usage
  • AWS > EC2 > Gateway Load Balancer > CMDB
  • AWS > EC2 > Gateway Load Balancer > Regions
  • AWS > EC2 > Gateway Load Balancer > Tags
  • AWS > EC2 > Gateway Load Balancer > Tags > Template
  • AWS > EC2 > Gateway Load Balancer > Usage
  • AWS > EC2 > Gateway Load Balancer > Usage > Limit

Action Types

Added

  • AWS > EC2 > Gateway Load Balancer > Delete
  • AWS > EC2 > Gateway Load Balancer > Router
  • AWS > EC2 > Gateway Load Balancer > Update Tags

5.19.0 (2021-03-01)

What's new?

  • We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

  • While gathering resource data in the AWS > EC2 > Instance > CMDB and AWS > EC2 > Volume > CMDB controls, sometimes we'd hit API throttling errors due to the CMDB controls calling multiple APIs each run in an effort to gather all related resource data. To provide an easy way to configure which APIs are called in each CMDB control, we've added the AWS > EC2 > Instance > CMDB > Attributes and AWS > EC2 > Volume > CMDB > Attributes policies.

    In each of these policies, you can select which attributes Turbot will track in CMDB for the respective resource type. Any unselected attributes will not be tracked, which results in fewer API calls. Please note that if an attribute is changed from tracked to untracked, it will be removed from the resource's CMDB data to avoid us keeping stale information.

Policy Types

Added

  • AWS > EC2 > Instance > CMDB > Attributes
  • AWS > EC2 > Volume > CMDB > Attributes

5.18.7 (2021-02-09)

Bug fixes

  • The AWS > EC2 > Network Interface > Active control will no longer go into error if the network interface is detached and the attachment check is enabled.
  • The AWS > EC2 > Volume > Active control will no longer go into error if the volume is detached and the attachment check is enabled.
  • The AWS > EC2 > Instance > CMDB control will no longer attempt to describe the instance's enclave options for instances in the us-gov-east-1 and us-gov-west-1 regions due to lack of GovCloud support.

5.18.6 (2021-02-05)

Bug fixes

  • We've updated the AWS > EC2 > Instance > Discovery control to sort the NetworkInterfaces and Tags properties in the same way the AWS > EC2 > Instance > CMDB control sorts them to ensure instances' CMDB data remains consistent.
  • The AWS > EC2 > Instance > Router action would sometimes throw an error when an instance with no attached volumes was deleted. This is now fixed.
  • After an instance is terminated, AWS either deletes or detaches any attached volumes based on the volumes' DeleteOnTermination setting. For these volumes, sometimes we'd fail to delete or update them respectively in CMDB after handling the instance termination event. Both of these cases are now fixed and volumes are deleted and updated as expected.

5.18.5 (2021-01-29)

Bug fixes

  • The root volume encryption check in AWS > EC2 > Instance > Approved control would incorrectly show Invalid if there was no root volume attached to the instance. This is fixed and it will now show up as Approved.

  • The AWS > EC2 > Target Group > CMDB control would sometimes go into an error state showing a Validation Error if a load balancer was deleted since we'd move the attached target group under an incorrect parent. This is now fixed.

  • The AWS > EC2 > Instance > Approved control will now wait a few minutes before going into the invalid state if the instance's root volume is not in CMDB yet (root volume information is required for the AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest check). This will help avoid unnecessary TBD->Invalid->OK state change sequences for new instances, as the instance may be created in CMDB before its root volume is due to event handling order.

5.18.4 (2021-01-18)

Bug fixes

  • The AWS > EC2 > Snapshot > Discovery control now moves into alarm if there are more than 100k snapshots in a region (we still limit the control to upserting only 100k in a single run).

5.18.3 (2021-01-14)

Bug fixes

  • The AWS > EC2 > Snapshot > Discovery control's lambda function's timeout has been increased from 5 minutes to 15 minutes to better handle upserting a large number of snapshots. This control will also now limit resource data to required fields and only upsert up to 100,000 snapshots in a single run in order to avoid payload size errors. If you have a use case that exceeds this limit, please contact support.

5.18.2 (2020-12-29)

Bug fixes

  • The AWS > EC2 > Snapshot > Discovery control's lambda function's memory has been increased from 512 MB to 2048 MB to better handle upserting a large number of snapshots.
  • We've improved the AWS > EC2 > Volume > Discovery control to run faster and lighter when discovering volumes for newly created instances. You won't notice any difference, but the control is better than it was before.

5.18.1 (2020-12-24)

Bug fixes

  • Sometimes when multiple instances were terminated in an ec2:TerminateInstances event, not all of the instances' attached volumes would be cleaned up properly in CMDB. This has been fixed.

    We also fixed a bug that would sometimes cause only the first instance in an ec2:RunInstances event to be created in CMDB.

5.18.0 (2020-12-21)

What's new?

  • The AWS > EC2 > Instance > Approved control can now check if an instance is approved or not based on the AMI which was used to launch it. To enable this approved check, please set the AWS > EC2 > Instance > Approved > Image policy.

Bug fixes

  • The AWS > EC2 > Instance > Detailed Monitoring control would incorrectly go to an Invalid state if the AWS > EC2 > Instance > Detailed Monitoring policy was set to Skip. This has now been fixed and the AWS > EC2 > Instance > Detailed Monitoring control will now correctly be in skipped state if its policy value is set to Skip.

Policy Types

Added

  • AWS > EC2 > Instance > Approved > Image
  • AWS > EC2 > Instance > Approved > Image > AMI IDs
  • AWS > EC2 > Instance > Approved > Image > Publishers

5.17.5 (2020-12-14)

Bug fixes

  • The AWS > EC2 > Instance > CMDB control would sometimes go into an error state if no network interfaces were attached to the instance. This is now fixed.

5.17.4 (2020-12-07)

Bug fixes

  • We've optimized the GraphQL queries for various controls when they're in the tbd and skipped states. You won't notice any difference but they should run a lot lighter now.

  • We've updated various resources' Discovery and CMDB controls to ensure array properties are consistently sorted in the CMDB.

  • We've removed the AWS > EC2 > Instance > Active > Attached policy, which was added incorrectly. There is no impact on the AWS > EC2 > Instance > Active control, which continues to work as before.

Policy Types

Removed

  • AWS > EC2 > Instance > Active > Attached

5.17.3 (2020-11-16)

Bug fixes

  • We've fixed an issue that resulted in the AWS > EC2 > Instance > Discovery control never upserting any instances, even if there were some present in the region.

5.17.2 (2020-11-16)

Bug fixes

  • Whenever classic load balancers were created, we failed to upsert them automatically in our CMDB. This issue has now been fixed.

5.17.1 (2020-11-06)

Bug fixes

  • Our real-time event handling for tag updates of EC2 resources will now be smoother, and the tags will be sorted consistently across the EC2 Discovery and CMDB controls.

5.17.0 (2020-11-03)

Bug fixes

  • We have made some improvements to our real-time event handling for EC2 resource tag updates. You won't notice a difference, but updates should run faster and smoother.

Resource Types

Added

  • AWS > EC2 > Classic Load Balancer Listener

Control Types

Added

  • AWS > EC2 > Classic Load Balancer Listener > Active
  • AWS > EC2 > Classic Load Balancer Listener > Approved
  • AWS > EC2 > Classic Load Balancer Listener > CMDB
  • AWS > EC2 > Classic Load Balancer Listener > Discovery
  • AWS > EC2 > Classic Load Balancer Listener > SSL Policy
  • AWS > EC2 > Classic Load Balancer Listener > Usage

Policy Types

Added

  • AWS > EC2 > Classic Load Balancer Listener > Active
  • AWS > EC2 > Classic Load Balancer Listener > Active > Age
  • AWS > EC2 > Classic Load Balancer Listener > Active > Last Modified
  • AWS > EC2 > Classic Load Balancer Listener > Approved
  • AWS > EC2 > Classic Load Balancer Listener > Approved > Instance Protocols
  • AWS > EC2 > Classic Load Balancer Listener > Approved > Ports
  • AWS > EC2 > Classic Load Balancer Listener > Approved > Protocols
  • AWS > EC2 > Classic Load Balancer Listener > Approved > Regions
  • AWS > EC2 > Classic Load Balancer Listener > Approved > Usage
  • AWS > EC2 > Classic Load Balancer Listener > CMDB
  • AWS > EC2 > Classic Load Balancer Listener > Regions
  • AWS > EC2 > Classic Load Balancer Listener > SSL Policy
  • AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed
  • AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Default
  • AWS > EC2 > Classic Load Balancer Listener > Usage
  • AWS > EC2 > Classic Load Balancer Listener > Usage > Limit
  • AWS > EC2 > Load Balancer Listener > Approved > Ports
  • AWS > EC2 > Load Balancer Listener > Approved > Protocols

Action Types

Added

  • AWS > EC2 > Classic Load Balancer Listener > Delete
  • AWS > EC2 > Classic Load Balancer Listener > Router
  • AWS > EC2 > Classic Load Balancer Listener > Update SSL Policy

5.16.2 (2020-10-28)

Bug fixes

  • The AWS > EC2 > Instance > Discovery control will no longer upsert instances that are in the shutting-down or terminated states, as these instances are not useful to track in CMDB.
  • Whenever network load balancers were created we did not upsert them automatically into our CMDB. This issue has now been fixed.
  • The AWS > EC2 > Instance > CMDB control will now re-trigger after 1 minute instead of 5 if the instance is in the pending, shutting-down or stopping state. This will enable all the dependent controls and policies to be updated much faster.

5.16.1 (2020-10-19)

Bug fixes

  • After an instance was deleted, we'd fail to delete its root volume from CMDB sometimes and create noisy error notifications. This has been fixed and root volumes are cleaned up properly now.
  • The AWS > EC2 > Instance > CMDB control was continuously running every 5 minutes if the instance was in a running state. This is now fixed and the AWS > EC2 > Instance > CMDB control will only run when required.

5.16.0 (2020-10-13)

Bug fixes

  • We've fixed an invalid GraphQL input for the AWS > EC2 > Target Group > Discovery control which caused it to remain in an error state.
  • We failed to upsert AMIs into CMDB when they were created by copying existing AMIs from different regions. This issue has now been fixed.

Control Types

Added

  • AWS > EC2 > Load Balancer Listener > SSL Policy

Policy Types

Added

  • AWS > EC2 > Load Balancer Listener > SSL Policy
  • AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed
  • AWS > EC2 > Load Balancer Listener > SSL Policy > Default

Action Types

Added

  • AWS > EC2 > Load Balancer Listener > Update SSL Policy

5.15.0 (2020-10-06)

What's new?

  • The AWS > EC2 > Volume > Active control can now check if a volume is attached to any resource or not. To enable this active check, please set the AWS > EC2 > Volume > Active > Attached policy.

Policy Types

Added

  • AWS > EC2 > Volume > Active > Attached

5.14.1 (2020-09-29)

Bug fixes

  • We've made some improvements to our real-time event handling that reduce the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.

5.14.0 (2020-09-03)

What's new?

  • Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.
  • We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.

Bug fixes

  • The AWS > ECS > Auto-Scaling Group > Router action was incorrectly attempting to handle ec2:CreateTags events, which would result in multiple error notifications from the action. This has been fixed.

5.13.0 (2020-08-18)

Control Types

Added

  • AWS > EC2 > Instance > Detailed Monitoring
  • AWS > EC2 > Instance > Termination Protection

Policy Types

Added

  • AWS > EC2 > Instance > Detailed Monitoring
  • AWS > EC2 > Instance > Termination Protection

Action Types

Added

  • AWS > EC2 > Instance > Update Detailed Monitoring
  • AWS > EC2 > Instance > Update Termination Protection

5.12.2 (2020-08-18)

Bug fixes

  • After an EC2 instance was terminated, if its attached network interfaces were also deleted at the same time, these deleted network interfaces were not correctly removed from CMDB. This issue has now been fixed.

5.12.1 (2020-08-14)

Bug fixes

  • Minor improvements were made to the AWS > EC2 > Instance > Schedule control to make sure that you can start or stop your instances effectively without any errors.

  • Root volumes can no longer be deleted by the AWS > EC2 > Volume > Approved or AWS > EC2 > Volume > Active controls when they are attached to instances in the stopped state. This ensures that instances do not go into an error state on reboot because their root volume is no longer available.

  • In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.

Policy Types

Renamed

  • AWS > EC2 > Instance > Schedule > Tag to AWS > EC2 > Instance > Schedule Tag

5.12.0 (2020-07-29)

What's new?

  • AWS/EC2/Admin now includes reserved instances, product instances and FPGA image management permissions.

  • Cross-account trust is important for complex enterprise and application scenarios, but is also a critical area for security controls. We now support controlling cross-account access for AMIs and snapshots to provide automatic protection against unexpected cross-account access.

    A common set of trusted AWS account IDs can be defined in the AWS > Account > Trusted Accounts [Default] policy. Trusted accounts can also be defined at any level, even down to the specific AMI or snapshot resource.

    To get started with these new controls, please see the AWS > EC2 > AMI > Trusted Access and AWS > EC2 > Snapshot > Trusted Access policies.
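    The following is an added example, not code from the aws-ec2 mod: it shows the kind of check a Trusted Access control performs, evaluating an AMI's launch permissions and a snapshot's create-volume permissions against a trusted-account list and building the list of grants an enforcing action would remove. The permission lists and account IDs are constructed placeholders shaped like the EC2 DescribeImageAttribute and DescribeSnapshotAttribute responses.

```python
# Constructed sample data (placeholder account IDs), shaped like the
# `LaunchPermissions` list from DescribeImageAttribute (launchPermission)
# and the `CreateVolumePermissions` list from DescribeSnapshotAttribute
# (createVolumePermission). A {"Group": "all"} entry means public sharing.
AMI_LAUNCH_PERMISSIONS = [
    {"UserId": "111111111111"},
    {"UserId": "999999999999"},
]
SNAPSHOT_VOLUME_PERMISSIONS = [
    {"UserId": "111111111111"},
    {"Group": "all"},
]

# The equivalent of a Trusted Access > Accounts policy value (placeholders).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}


def evaluate_trusted_access(permissions, trusted_accounts):
    """Return (status, untrusted_ids, is_public) for one share list.

    status is 'ok' when every grant targets a trusted account; any grant to
    an unknown account, or public sharing via Group 'all', yields 'alarm'.
    """
    untrusted = sorted(
        p["UserId"] for p in permissions
        if "UserId" in p and p["UserId"] not in trusted_accounts
    )
    is_public = any(p.get("Group") == "all" for p in permissions)
    status = "alarm" if untrusted or is_public else "ok"
    return status, untrusted, is_public


def revocation_plan(permissions, trusted_accounts):
    """Build the 'Remove' list an enforcing action would pass to
    ModifyImageAttribute / ModifySnapshotAttribute to drop untrusted grants.
    Trusted grants are left untouched."""
    _, untrusted, is_public = evaluate_trusted_access(permissions, trusted_accounts)
    remove = [{"UserId": uid} for uid in untrusted]
    if is_public:
        remove.append({"Group": "all"})
    return remove


if __name__ == "__main__":
    for name, perms in (("ami", AMI_LAUNCH_PERMISSIONS),
                        ("snapshot", SNAPSHOT_VOLUME_PERMISSIONS)):
        print(name, evaluate_trusted_access(perms, TRUSTED_ACCOUNTS),
              revocation_plan(perms, TRUSTED_ACCOUNTS))
```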

Control Types

Added

  • AWS > EC2 > AMI > Trusted Access
  • AWS > EC2 > Snapshot > Trusted Access

Policy Types

Added

  • AWS > EC2 > AMI > Trusted Access
  • AWS > EC2 > AMI > Trusted Access > Accounts
  • AWS > EC2 > Snapshot > Trusted Access
  • AWS > EC2 > Snapshot > Trusted Access > Accounts
  • AWS > EC2 > Trusted Accounts [Default]

Action Types

Added

  • AWS > EC2 > AMI > Set Trusted Access
  • AWS > EC2 > Snapshot > Set Trusted Access

5.11.0 (2020-07-16)

What's new?

  • Target group attachment resources can now be created by the AWS > Account > Stack or AWS > Region > Stack controls. For more information on creating these resource types through Terraform, please see the Terraform resource page.

5.10.2 (2020-07-01)

Bug fixes

  • Sometimes when updating CMDB for resources with tags that have empty string values, e.g., [{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.
  • When determining the creation time of an instance, we were incorrectly using its LaunchTime property, which would update whenever an instance was stopped and then started again. Instead we now use the attachment time of its primary network interface, as the primary network interface cannot be detached, so the creation time will be more accurate and remain consistent throughout an instance's lifecycle.
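    As an added example (not the mod's own code), the creation-time reasoning above applied to a constructed DescribeInstances-shaped record: the instance was launched in January and stopped and restarted in March, so LaunchTime now reflects the restart while the device-index-0 interface's AttachTime still gives the original creation time. Instance and interface IDs are placeholders.

```python
from datetime import datetime, timezone

# Constructed sample instance (placeholder IDs). LaunchTime moved to the
# March restart; the primary interface (DeviceIndex 0) cannot be detached,
# so its AttachTime still records when the instance was created.
SAMPLE_INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",
    "LaunchTime": datetime(2020, 3, 15, 9, 0, tzinfo=timezone.utc),
    "NetworkInterfaces": [
        {   # a secondary interface attached later, deliberately listed first
            "NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaa1",
            "Attachment": {
                "DeviceIndex": 1,
                "AttachTime": datetime(2020, 2, 1, 12, 0, tzinfo=timezone.utc),
            },
        },
        {   # the primary interface
            "NetworkInterfaceId": "eni-0bbbbbbbbbbbbbbb2",
            "Attachment": {
                "DeviceIndex": 0,
                "AttachTime": datetime(2020, 1, 10, 8, 30, tzinfo=timezone.utc),
            },
        },
    ],
}


def creation_time(instance):
    """Return the AttachTime of the primary (DeviceIndex 0) interface.

    Falls back to LaunchTime only when no primary interface is present; that
    is the less accurate value the bug-fix note above describes.
    """
    for eni in instance.get("NetworkInterfaces", []):
        attachment = eni.get("Attachment") or {}
        if attachment.get("DeviceIndex") == 0 and "AttachTime" in attachment:
            return attachment["AttachTime"]
    return instance["LaunchTime"]


def age_days(instance, now):
    """Whole days since creation, as an Active-style age check would use."""
    return (now - creation_time(instance)).days


if __name__ == "__main__":
    now = datetime(2020, 7, 1, tzinfo=timezone.utc)
    print(creation_time(SAMPLE_INSTANCE).isoformat(), age_days(SAMPLE_INSTANCE, now))
```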

5.10.1 (2020-06-26)

Bug fixes

  • Real-time events for key pairs were not being handled properly, resulting in outdated key pair CMDB information. This issue has been fixed.
  • In aws-ec2 (5.9.0), we added an ARN using the key pair ID as another AKA to the key pair resource type. This change would sometimes cause the AWS > EC2 > Key Pair > Discovery control to error out when attempting to update existing key pairs with the new AKA. This issue has been fixed.

5.10.0 (2020-06-26)

What's new?

  • The AWS > EC2 > Instance > Approved control can now stop unapproved instances (previously only deleting them was available). This feature can be used to either stop all unapproved instances or just those that have been newly created by setting the AWS > EC2 > Instance > Approved policy to Enforce: Stop unapproved or Enforce: Stop unapproved if new respectively.

5.9.0 (2020-06-19)

What's new?

  • We've added another AKA to key pairs, which is an ARN with the key pair ID as the unique identifier, e.g., arn:aws:ec2:us-east-1:123456789012:key-pair/key-012345abc. Previously, we only supported an ARN that used the key pair name, but now we store both formats.

Control Types

Added

  • AWS > EC2 > Key Pair > Tags

Policy Types

Added

  • AWS > EC2 > Key Pair > Tags
  • AWS > EC2 > Key Pair > Tags > Template

Action Types

Added

  • AWS > EC2 > Key Pair > Update Tags

5.8.0 (2020-06-19)

What's new?

  • Access logging can now be configured for all load balancer types through their respective Access Logging controls. Access logs capture detailed information about requests sent to the load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.

  • All the certificates added to the certificate list of a load balancer listener will now be available in the Certificates property.

  • Information pertaining to the health of a target group is now available in the TargetHealthDescriptions property.

  • CMDB of a target group will be updated automatically whenever targets like instance IDs, IP addresses, or Lambda functions are registered or deregistered.

Bug fixes

  • Data validation errors that appeared in various CMDB and Discovery controls were not blockers, but they cluttered the UI. These errors have now been fixed.

Control Types

Added

  • AWS > EC2 > Application Load Balancer > Access Logging
  • AWS > EC2 > Classic Load Balancer > Access Logging
  • AWS > EC2 > Network Load Balancer > Access Logging

Policy Types

Added

  • AWS > EC2 > Application Load Balancer > Access Logging
  • AWS > EC2 > Application Load Balancer > Access Logging > Bucket
  • AWS > EC2 > Application Load Balancer > Access Logging > Key Prefix
  • AWS > EC2 > Classic Load Balancer > Access Logging
  • AWS > EC2 > Classic Load Balancer > Access Logging > Bucket
  • AWS > EC2 > Classic Load Balancer > Access Logging > Key Prefix
  • AWS > EC2 > Network Load Balancer > Access Logging
  • AWS > EC2 > Network Load Balancer > Access Logging > Bucket
  • AWS > EC2 > Network Load Balancer > Access Logging > Key Prefix

Action Types

Added

  • AWS > EC2 > Application Load Balancer > Update Access Logging
  • AWS > EC2 > Classic Load Balancer > Update Access Logging
  • AWS > EC2 > Network Load Balancer > Update Access Logging

5.7.0 (2020-06-16)

Control Types

Added

  • AWS > EC2 > Application Load Balancer > Configured
  • AWS > EC2 > Classic Load Balancer > Configured
  • AWS > EC2 > Network Load Balancer > Configured
  • AWS > EC2 > Target Group > Configured

Policy Types

Added

  • AWS > EC2 > Application Load Balancer > Configured
  • AWS > EC2 > Application Load Balancer > Configured > Claim Precedence
  • AWS > EC2 > Application Load Balancer > Configured > Source
  • AWS > EC2 > Classic Load Balancer > Configured
  • AWS > EC2 > Classic Load Balancer > Configured > Claim Precedence
  • AWS > EC2 > Classic Load Balancer > Configured > Source
  • AWS > EC2 > Network Load Balancer > Configured
  • AWS > EC2 > Network Load Balancer > Configured > Claim Precedence
  • AWS > EC2 > Network Load Balancer > Configured > Source
  • AWS > EC2 > Target Group > Configured
  • AWS > EC2 > Target Group > Configured > Claim Precedence
  • AWS > EC2 > Target Group > Configured > Source

5.6.0 (2020-06-16)

Control Types

Added

  • AWS > EC2 > Instance > Metadata Service

Policy Types

Added

  • AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest
  • AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest > Customer Managed Key
  • AWS > EC2 > Instance > Metadata Service
  • AWS > EC2 > Instance > Metadata Service > HTTP Token Hop Limit

Action Types

Added

  • AWS > EC2 > Instance > Update Metadata Service

5.5.2 (2020-06-09)

Bug fixes

  • After terminating an instance, if its root volume was also deleted due to the instance's DeleteOnTermination property being set to true, Turbot would not correctly delete the root volume from CMDB. This issue has been fixed.
  • After launching a new instance, its root volume would not automatically be created in the CMDB. This has been fixed.

5.5.1 (2020-05-26)

Bug fixes

  • After stopping or starting an instance, the CMDB was not updated automatically to reflect the new state. This has been fixed.
  • When load balancers were created in the AWS console, Turbot upserted invalid load balancers with malformed AKAs into the CMDB. This issue has been fixed and load balancers are now upserted with correct AKAs.
  • Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.

5.5.0 (2020-05-07)

Resource Types

Added

  • AWS > EC2 > Listener Rule
  • AWS > EC2 > Load Balancer Listener

Control Types

Added

  • AWS > EC2 > AMI > Configured
  • AWS > EC2 > Instance > Configured
  • AWS > EC2 > Listener Rule > Active
  • AWS > EC2 > Listener Rule > Approved
  • AWS > EC2 > Listener Rule > CMDB
  • AWS > EC2 > Listener Rule > Configured
  • AWS > EC2 > Listener Rule > Discovery
  • AWS > EC2 > Listener Rule > Usage
  • AWS > EC2 > Load Balancer Listener > Active
  • AWS > EC2 > Load Balancer Listener > Approved
  • AWS > EC2 > Load Balancer Listener > CMDB
  • AWS > EC2 > Load Balancer Listener > Configured
  • AWS > EC2 > Load Balancer Listener > Discovery
  • AWS > EC2 > Load Balancer Listener > Usage
  • AWS > EC2 > Network Interface > Configured
  • AWS > EC2 > Snapshot > Configured
  • AWS > EC2 > Volume > Configured

Policy Types

Added

  • AWS > EC2 > AMI > Configured
  • AWS > EC2 > AMI > Configured > Claim Precedence
  • AWS > EC2 > AMI > Configured > Source
  • AWS > EC2 > Instance > Configured
  • AWS > EC2 > Instance > Configured > Claim Precedence
  • AWS > EC2 > Instance > Configured > Source
  • AWS > EC2 > Listener Rule > Active
  • AWS > EC2 > Listener Rule > Active > Age
  • AWS > EC2 > Listener Rule > Active > Budget
  • AWS > EC2 > Listener Rule > Active > Last Modified
  • AWS > EC2 > Listener Rule > Approved
  • AWS > EC2 > Listener Rule > Approved > Budget
  • AWS > EC2 > Listener Rule > Approved > Regions
  • AWS > EC2 > Listener Rule > Approved > Usage
  • AWS > EC2 > Listener Rule > CMDB
  • AWS > EC2 > Listener Rule > Configured
  • AWS > EC2 > Listener Rule > Configured > Claim Precedence
  • AWS > EC2 > Listener Rule > Configured > Source
  • AWS > EC2 > Listener Rule > Regions
  • AWS > EC2 > Listener Rule > Usage
  • AWS > EC2 > Listener Rule > Usage > Limit
  • AWS > EC2 > Load Balancer Listener > Active
  • AWS > EC2 > Load Balancer Listener > Active > Age
  • AWS > EC2 > Load Balancer Listener > Active > Last Modified
  • AWS > EC2 > Load Balancer Listener > Approved
  • AWS > EC2 > Load Balancer Listener > Approved > Regions
  • AWS > EC2 > Load Balancer Listener > Approved > Usage
  • AWS > EC2 > Load Balancer Listener > CMDB
  • AWS > EC2 > Load Balancer Listener > Configured
  • AWS > EC2 > Load Balancer Listener > Configured > Claim Precedence
  • AWS > EC2 > Load Balancer Listener > Configured > Source
  • AWS > EC2 > Load Balancer Listener > Regions
  • AWS > EC2 > Load Balancer Listener > Usage
  • AWS > EC2 > Load Balancer Listener > Usage > Limit
  • AWS > EC2 > Network Interface > Configured
  • AWS > EC2 > Network Interface > Configured > Claim Precedence
  • AWS > EC2 > Network Interface > Configured > Source
  • AWS > EC2 > Snapshot > Configured
  • AWS > EC2 > Snapshot > Configured > Claim Precedence
  • AWS > EC2 > Snapshot > Configured > Source
  • AWS > EC2 > Volume > Configured
  • AWS > EC2 > Volume > Configured > Claim Precedence
  • AWS > EC2 > Volume > Configured > Source

Action Types

Added

  • AWS > EC2 > Listener Rule > Delete
  • AWS > EC2 > Listener Rule > Router
  • AWS > EC2 > Load Balancer Listener > Delete
  • AWS > EC2 > Load Balancer Listener > Router