Control types for @turbot/aws-ec2

• AWS > EC2 > AMI > Active
• AWS > EC2 > AMI > Approved
• AWS > EC2 > AMI > CMDB
• AWS > EC2 > AMI > Configured
• AWS > EC2 > AMI > Discovery
• AWS > EC2 > AMI > Tags
• AWS > EC2 > AMI > Trusted Access
• AWS > EC2 > AMI > Usage
• AWS > EC2 > Account Attributes > Block Public Access for AMIs
• AWS > EC2 > Account Attributes > Block Public Access for Snapshots
• AWS > EC2 > Account Attributes > CMDB
• AWS > EC2 > Account Attributes > Discovery
• AWS > EC2 > Account Attributes > EBS Encryption by Default
• AWS > EC2 > Account Attributes > Instance Metadata Service Defaults
• AWS > EC2 > Application Load Balancer > Access Logging
• AWS > EC2 > Application Load Balancer > Active
• AWS > EC2 > Application Load Balancer > Approved
• AWS > EC2 > Application Load Balancer > CMDB
• AWS > EC2 > Application Load Balancer > Configured
• AWS > EC2 > Application Load Balancer > Discovery
• AWS > EC2 > Application Load Balancer > Tags
• AWS > EC2 > Application Load Balancer > Usage
• AWS > EC2 > Auto Scaling Group > Active
• AWS > EC2 > Auto Scaling Group > Approved
• AWS > EC2 > Auto Scaling Group > CMDB
• AWS > EC2 > Auto Scaling Group > Discovery
• AWS > EC2 > Auto Scaling Group > Tags
• AWS > EC2 > Auto Scaling Group > Usage
• AWS > EC2 > Classic Load Balancer > Access Logging
• AWS > EC2 > Classic Load Balancer > Active
• AWS > EC2 > Classic Load Balancer > Approved
• AWS > EC2 > Classic Load Balancer > CMDB
• AWS > EC2 > Classic Load Balancer > Configured
• AWS > EC2 > Classic Load Balancer > Discovery
• AWS > EC2 > Classic Load Balancer > Tags
• AWS > EC2 > Classic Load Balancer > Usage
• AWS > EC2 > Classic Load Balancer Listener > Active
• AWS > EC2 > Classic Load Balancer Listener > Approved
• AWS > EC2 > Classic Load Balancer Listener > CMDB
• AWS > EC2 > Classic Load Balancer Listener > Discovery
• AWS > EC2 > Classic Load Balancer Listener > SSL Policy
• AWS > EC2 > Classic Load Balancer Listener > Usage
• AWS > EC2 > Gateway Load Balancer > Active
• AWS > EC2 > Gateway Load Balancer > Approved
• AWS > EC2 > Gateway Load Balancer > CMDB
• AWS > EC2 > Gateway Load Balancer > Discovery
• AWS > EC2 > Gateway Load Balancer > Tags
• AWS > EC2 > Gateway Load Balancer > Usage
• AWS > EC2 > Instance > Active
• AWS > EC2 > Instance > Approved
• AWS > EC2 > Instance > CMDB
• AWS > EC2 > Instance > Configured
• AWS > EC2 > Instance > Detailed Monitoring
• AWS > EC2 > Instance > Discovery
• AWS > EC2 > Instance > Instance Profile
• AWS > EC2 > Instance > Metadata Service
• AWS > EC2 > Instance > Schedule
• AWS > EC2 > Instance > Tags
• AWS > EC2 > Instance > Termination Protection
• AWS > EC2 > Instance > Usage
• AWS > EC2 > Key Pair > Active
• AWS > EC2 > Key Pair > Approved
• AWS > EC2 > Key Pair > CMDB
• AWS > EC2 > Key Pair > Discovery
• AWS > EC2 > Key Pair > Tags
• AWS > EC2 > Key Pair > Usage
• AWS > EC2 > Launch Configuration > Active
• AWS > EC2 > Launch Configuration > Approved
• AWS > EC2 > Launch Configuration > CMDB
• AWS > EC2 > Launch Configuration > Discovery
• AWS > EC2 > Launch Configuration > Usage
• AWS > EC2 > Launch Template > Active
• AWS > EC2 > Launch Template > Approved
• AWS > EC2 > Launch Template > CMDB
• AWS > EC2 > Launch Template > Discovery
• AWS > EC2 > Launch Template > Tags
• AWS > EC2 > Launch Template > Usage
• AWS > EC2 > Launch Template Version > Active
• AWS > EC2 > Launch Template Version > Approved
• AWS > EC2 > Launch Template Version > CMDB
• AWS > EC2 > Launch Template Version > Discovery
• AWS > EC2 > Launch Template Version > Usage
• AWS > EC2 > Listener Rule > Active
• AWS > EC2 > Listener Rule > Approved
• AWS > EC2 > Listener Rule > CMDB
• AWS > EC2 > Listener Rule > Configured
• AWS > EC2 > Listener Rule > Discovery
• AWS > EC2 > Listener Rule > Usage
• AWS > EC2 > Load Balancer Listener > Active
• AWS > EC2 > Load Balancer Listener > Approved
• AWS > EC2 > Load Balancer Listener > CMDB
• AWS > EC2 > Load Balancer Listener > Configured
• AWS > EC2 > Load Balancer Listener > Discovery
• AWS > EC2 > Load Balancer Listener > SSL Policy
• AWS > EC2 > Load Balancer Listener > Usage
• AWS > EC2 > Network Interface > Active
• AWS > EC2 > Network Interface > Approved
• AWS > EC2 > Network Interface > CMDB
• AWS > EC2 > Network Interface > Configured
• AWS > EC2 > Network Interface > Discovery
• AWS > EC2 > Network Interface > Tags
• AWS > EC2 > Network Interface > Usage
• AWS > EC2 > Network Load Balancer > Access Logging
• AWS > EC2 > Network Load Balancer > Active
• AWS > EC2 > Network Load Balancer > Approved
• AWS > EC2 > Network Load Balancer > CMDB
• AWS > EC2 > Network Load Balancer > Configured
• AWS > EC2 > Network Load Balancer > Discovery
• AWS > EC2 > Network Load Balancer > Tags
• AWS > EC2 > Network Load Balancer > Usage
• AWS > EC2 > Snapshot > Active
• AWS > EC2 > Snapshot > Approved
• AWS > EC2 > Snapshot > CMDB
• AWS > EC2 > Snapshot > Configured
• AWS > EC2 > Snapshot > Discovery
• AWS > EC2 > Snapshot > Tags
• AWS > EC2 > Snapshot > Trusted Access
• AWS > EC2 > Snapshot > Usage
• AWS > EC2 > Target Group > Active
• AWS > EC2 > Target Group > Approved
• AWS > EC2 > Target Group > CMDB
• AWS > EC2 > Target Group > Configured
• AWS > EC2 > Target Group > Discovery
• AWS > EC2 > Target Group > Tags
• AWS > EC2 > Target Group > Usage
• AWS > EC2 > Volume > Active
• AWS > EC2 > Volume > Approved
• AWS > EC2 > Volume > CMDB
• AWS > EC2 > Volume > Configured
• AWS > EC2 > Volume > Discovery
• AWS > EC2 > Volume > Performance Configuration
• AWS > EC2 > Volume > Tags
• AWS > EC2 > Volume > Usage

AWS > EC2 > AMI > Active

Take an action when an AWS EC2 ami is not active based on the
AWS > EC2 > AMI > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > AMI > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > AMI > Approved

Take an action when an AWS EC2 ami is not approved based on AWS > EC2 > AMI > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > AMI > CMDB

Record and synchronize details for the AWS EC2 ami into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > AMI > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > AMI > Configured

Maintain AWS > EC2 > AMI configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

AWS > EC2 > AMI > Discovery

Discover all AWS EC2 ami resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > AMI > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > AMI > Tags

Take an action when an AWS EC2 ami tags is not updated based on the AWS > EC2 > AMI > Tags > * policies.

If the resource is not updated with the tags defined in AWS > EC2 > AMI > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

AWS > EC2 > AMI > Trusted Access

Manage trusted access for AWS EC2 AMIs.

AWS allows EC2 AMIs to be shared with specific AWS accounts.
This control allows you to configure whether such sharing is allowed, and to which accounts.

If set to Enforce, access to non-trusted accounts will be removed.

AWS > EC2 > AMI > Usage

The Usage control determines whether the number of AWS EC2 ami resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > AMI > Usage policy, and set the limit with the AWS > EC2 > AMI > Usage > Limit policy.

AWS > EC2 > Account Attributes > Block Public Access for AMIs

Configure Block Public Access settings for Amazon Machine Images (AMIs) on AWS > EC2 > Account Attributes.

AWS > EC2 > Account Attributes > Block Public Access for Snapshots

Configure Block Public Access settings for Snapshots on AWS > EC2 > Account Attributes.

AWS > EC2 > Account Attributes > CMDB

Record and synchronize details for the AWS EC2 account attributes into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Account Attributes > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Account Attributes > Discovery

Discover all AWS EC2 account attributes resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Account Attributes > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Account Attributes > EBS Encryption by Default

Define the EBS Encryption by Default settings required for AWS > EC2 > Account Attributes.

Encryption at Rest refers specifically to the encryption of data when written
to an underlying storage system. This control determines whether the resource
is encrypted at rest, and sets encryption to your desired level.

The EBS Encryption by Default control compares the encryption settings against the encryption policies for the resource
(AWS > EC2 > Account Attributes > EBS Encryption by Default > *),
raises an alarm, and takes the defined enforcement action.

AWS > EC2 > Account Attributes > Instance Metadata Service Defaults

Instance metadata is data about your instance that you can use to configure or manage the running instance.
Instance metadata is divided into categories, for example, host name, events, and security groups.

Instance metadata can be accessed from a running instance using one of the following methods:

Instance Metadata Service Version 1 (IMDSv1) – a request/response method

Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method

By default, you can use either IMDSv1 or IMDSv2, or both. However, the instance metadata service can be specifically
configured to use IMDSv2 on each instance. When you specify that IMDSv2 must be used, IMDSv1 no longer works.

AWS > EC2 > Application Load Balancer > Access Logging

Define the Access Logging settings required for AWS > EC2 > Application Load Balancer.

AWS > EC2 > Application Load Balancer provides access logs that capture
detailed information about requests sent to your load
balancer. Each log contains information such as the time the
request was received, the client's IP address, latencies,
request paths, and server responses. You can use these
access logs to analyze traffic patterns and troubleshoot
issues.

AWS > EC2 > Application Load Balancer > Active

Take an action when an AWS EC2 application load balancer is not active based on the
AWS > EC2 > Application Load Balancer > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Application Load Balancer > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Application Load Balancer > Approved

Take an action when an AWS EC2 application load balancer is not approved based on AWS > EC2 > Application Load Balancer > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Application Load Balancer > CMDB

Record and synchronize details for the AWS EC2 application load balancer into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Application Load Balancer > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Application Load Balancer > Configured

Maintain AWS > EC2 > Application Load Balancer configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

AWS > EC2 > Application Load Balancer > Discovery

Discover all AWS EC2 application load balancer resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Application Load Balancer > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Application Load Balancer > Tags

Take an action when an AWS EC2 application load balancer tags is not updated based on the AWS > EC2 > Application Load Balancer > Tags > * policies.

If the resource is not updated with the tags defined in AWS > EC2 > Application Load Balancer > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

AWS > EC2 > Application Load Balancer > Usage

The Usage control determines whether the number of AWS EC2 application load balancer resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > Application Load Balancer > Usage policy, and set the limit with the AWS > EC2 > Application Load Balancer > Usage > Limit policy.

AWS > EC2 > Auto Scaling Group > Active

Take an action when an AWS EC2 auto scaling group is not active based on the
AWS > EC2 > Auto Scaling Group > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Auto Scaling Group > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Auto Scaling Group > Approved

Take an action when an AWS EC2 auto scaling group is not approved based on AWS > EC2 > Auto Scaling Group > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Auto Scaling Group > CMDB

Record and synchronize details for the AWS EC2 auto scaling group into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Auto Scaling Group > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Auto Scaling Group > Discovery

Discover all AWS EC2 auto scaling group resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Auto Scaling Group > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Auto Scaling Group > Tags

Take an action when an AWS EC2 auto scaling group tags is not updated based on the AWS > EC2 > Auto Scaling Group > Tags > * policies.

If the resource is not updated with the tags defined in AWS > EC2 > Auto Scaling Group > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

AWS > EC2 > Auto Scaling Group > Usage

The Usage control determines whether the number of AWS EC2 auto scaling group resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > Auto Scaling Group > Usage policy, and set the limit with the AWS > EC2 > Auto Scaling Group > Usage > Limit policy.

AWS > EC2 > Classic Load Balancer > Access Logging

Define the Access Logging settings required for AWS > EC2 > Classic Load Balancer.

AWS > EC2 > Classic Load Balancer provides access logs that capture
detailed information about requests sent to your load
balancer. Each log contains information such as the time the
request was received, the client's IP address, latencies,
request paths, and server responses. You can use these
access logs to analyze traffic patterns and troubleshoot
issues.

AWS > EC2 > Classic Load Balancer > Active

Take an action when an AWS EC2 classic load balancer is not active based on the
AWS > EC2 > Classic Load Balancer > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Classic Load Balancer > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Classic Load Balancer > Approved

Take an action when an AWS EC2 classic load balancer is not approved based on AWS > EC2 > Classic Load Balancer > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Classic Load Balancer > CMDB

Record and synchronize details for the AWS EC2 classic load balancer into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Classic Load Balancer > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Classic Load Balancer > Configured

Maintain AWS > EC2 > Classic Load Balancer configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

AWS > EC2 > Classic Load Balancer > Discovery

Discover all AWS EC2 classic load balancer resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Classic Load Balancer > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Classic Load Balancer > Tags

Take an action when an AWS EC2 classic load balancer tags is not updated based on the AWS > EC2 > Classic Load Balancer > Tags > * policies.

If the resource is not updated with the tags defined in AWS > EC2 > Classic Load Balancer > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

AWS > EC2 > Classic Load Balancer > Usage

The Usage control determines whether the number of AWS EC2 classic load balancer resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > Classic Load Balancer > Usage policy, and set the limit with the AWS > EC2 > Classic Load Balancer > Usage > Limit policy.

AWS > EC2 > Classic Load Balancer Listener > Active

Take an action when an AWS EC2 classic load balancer listener is not active based on the
AWS > EC2 > Classic Load Balancer Listener > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Classic Load Balancer Listener > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Classic Load Balancer Listener > Approved

Take an action when an AWS EC2 classic load balancer listener is not approved based on AWS > EC2 > Classic Load Balancer Listener > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Classic Load Balancer Listener > CMDB

Record and synchronize details for the AWS EC2 classic load balancer listener into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Classic Load Balancer Listener > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Classic Load Balancer Listener > Discovery

Discover all AWS EC2 classic load balancer listener resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Classic Load Balancer Listener > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Classic Load Balancer Listener > SSL Policy

Take an action when an AWS EC2 classic load balancer listener is not using an allowed SSL policy.

If the SSL policy specified in the AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Default policy is not in the AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed policy, the control will move to invalid to prevent a conflict.

AWS > EC2 > Classic Load Balancer Listener > Usage

The Usage control determines whether the number of AWS EC2 classic load balancer listener resources exceeds the configured usage limit for this classicLoadBalancer.

You can configure the behavior of this control with the AWS > EC2 > Classic Load Balancer Listener > Usage policy, and set the limit with the AWS > EC2 > Classic Load Balancer Listener > Usage > Limit policy.

AWS > EC2 > Gateway Load Balancer > Active

Take an action when an AWS EC2 gateway load balancer is not active based on the
AWS > EC2 > Gateway Load Balancer > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Gateway Load Balancer > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Gateway Load Balancer > Approved

Take an action when an AWS EC2 gateway load balancer is not approved based on AWS > EC2 > Gateway Load Balancer > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Gateway Load Balancer > CMDB

Record and synchronize details for the AWS EC2 gateway load balancer into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Gateway Load Balancer > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Gateway Load Balancer > Discovery

Discover all AWS EC2 gateway load balancer resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Gateway Load Balancer > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Gateway Load Balancer > Tags

Take an action when an AWS EC2 gateway load balancer tags is not updated based on the AWS > EC2 > Gateway Load Balancer > Tags > * policies.

If the resource is not updated with the tags defined in AWS > EC2 > Gateway Load Balancer > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

AWS > EC2 > Gateway Load Balancer > Usage

The Usage control determines whether the number of AWS EC2 gateway load balancer resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > Gateway Load Balancer > Usage policy, and set the limit with the AWS > EC2 > Gateway Load Balancer > Usage > Limit policy.

AWS > EC2 > Instance > Active

Take an action when an AWS EC2 instance is not active based on the
AWS > EC2 > Instance > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Instance > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Instance > Approved

Take an action when an AWS EC2 instance is not approved based on AWS > EC2 > Instance > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Instance > CMDB

Record and synchronize details for the AWS EC2 instance into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Instance > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Instance > Configured

Maintain AWS > EC2 > Instance configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

AWS > EC2 > Instance > Detailed Monitoring

Define the Detailed Monitoring settings required for AWS > EC2 > Instance > Detailed Monitoring.

If detailed monitoring is enabled then Amazon EC2 console displays monitoring graphs with a 1-minute period for the instance.

Note: Enabling detailed monitoring will incur additional charges.

AWS > EC2 > Instance > Discovery

Discover all AWS EC2 instance resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Instance > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Instance > Instance Profile

Determine whether the IAM instance profile is attached to instance.

AWS > EC2 > Instance > Metadata Service

Instance metadata is data about your instance that you can use to configure or manage the running instance.
Instance metadata is divided into categories, for example, host name, events, and security groups.

Instance metadata can be accessed from a running instance using one of the following methods:

Instance Metadata Service Version 1 (IMDSv1) – a request/response method

Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method

By default, you can use either IMDSv1 or IMDSv2, or both. However, the instance metadata service can be specifically
configured to use IMDSv2 on each instance. When you specify that IMDSv2 must be used, IMDSv1 no longer works.

AWS > EC2 > Instance > Schedule

Set a schedule for starting and stopping an AWS EC2 instance.

Note If both "Schedule" and "Schedule Tag" are set to enforce and the
instance has a turbot_custom_schedule tag, then the schedule specified by
the tag will be in effect.

AWS > EC2 > Instance > Tags

Take an action when an AWS EC2 instance tags is not updated based on the AWS > EC2 > Instance > Tags > * policies.

If the resource is not updated with the tags defined in AWS > EC2 > Instance > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

AWS > EC2 > Instance > Termination Protection

Define the Termination Protection settings required for AWS > EC2 > Instance > Termination Protection.

It allows to prevent an instance from being terminated accidentally by someone using the AWS Management Console, the CLI, and the API.

AWS > EC2 > Instance > Usage

The Usage control determines whether the number of AWS EC2 instance resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > Instance > Usage policy, and set the limit with the AWS > EC2 > Instance > Usage > Limit policy.

AWS > EC2 > Key Pair > Active

Take an action when an AWS EC2 key pair is not active based on the
AWS > EC2 > Key Pair > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Key Pair > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Key Pair > Approved

Take an action when an AWS EC2 key pair is not approved based on AWS > EC2 > Key Pair > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Key Pair > CMDB

Record and synchronize details for the AWS EC2 key pair into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Key Pair > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Key Pair > Discovery

Discover all AWS EC2 key pair resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Key Pair > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Key Pair > Tags

Take an action when an AWS EC2 key pair tags is not updated based on the AWS > EC2 > Key Pair > Tags > * policies.

If the resource is not updated with the tags defined in AWS > EC2 > Key Pair > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

AWS > EC2 > Key Pair > Usage

The Usage control determines whether the number of AWS EC2 key pair resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > Key Pair > Usage policy, and set the limit with the AWS > EC2 > Key Pair > Usage > Limit policy.

AWS > EC2 > Launch Configuration > Active

Take an action when an AWS EC2 launch configuration is not active based on the
AWS > EC2 > Launch Configuration > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Launch Configuration > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Launch Configuration > Approved

Take an action when an AWS EC2 launch configuration is not approved based on AWS > EC2 > Launch Configuration > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Launch Configuration > CMDB

Record and synchronize details for the AWS EC2 launch configuration into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Launch Configuration > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Launch Configuration > Discovery

Discover all AWS EC2 launch configuration resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Launch Configuration > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Launch Configuration > Usage

The Usage control determines whether the number of AWS EC2 launch configuration resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > Launch Configuration > Usage policy, and set the limit with the AWS > EC2 > Launch Configuration > Usage > Limit policy.

AWS > EC2 > Launch Template > Active

Take an action when an AWS EC2 launch template is not active based on the
AWS > EC2 > Launch Template > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Launch Template > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Launch Template > Approved

Take an action when an AWS EC2 launch template is not approved based on AWS > EC2 > Launch Template > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Launch Template > CMDB

Record and synchronize details for the AWS EC2 launch template into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Launch Template > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Launch Template > Discovery

Discover all AWS EC2 launch template resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Launch Template > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Launch Template > Tags

Take an action when an AWS EC2 launch template tags is not updated based on the AWS > EC2 > Launch Template > Tags > * policies.

If the resource is not updated with the tags defined in AWS > EC2 > Launch Template > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

AWS > EC2 > Launch Template > Usage

The Usage control determines whether the number of AWS EC2 launch template resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > Launch Template > Usage policy, and set the limit with the AWS > EC2 > Launch Template > Usage > Limit policy.

AWS > EC2 > Launch Template Version > Active

Take an action when an AWS EC2 launch template version is not active based on the
AWS > EC2 > Launch Template Version > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Launch Template Version > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Launch Template Version > Approved

Take an action when an AWS EC2 launch template version is not approved based on AWS > EC2 > Launch Template Version > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Launch Template Version > CMDB

Record and synchronize details for the AWS EC2 launch template version into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Launch Template Version > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Launch Template Version > Discovery

Discover all AWS EC2 launch template version resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Launch Template Version > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Launch Template Version > Usage

The Usage control determines whether the number of AWS EC2 launch template version resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > Launch Template Version > Usage policy, and set the limit with the AWS > EC2 > Launch Template Version > Usage > Limit policy.

AWS > EC2 > Listener Rule > Active

Take an action when an AWS EC2 listener rule is not active based on the
AWS > EC2 > Listener Rule > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Listener Rule > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Listener Rule > Approved

Take an action when an AWS EC2 listener rule is not approved based on AWS > EC2 > Listener Rule > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Listener Rule > CMDB

Record and synchronize details for the AWS EC2 listener rule into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Listener Rule > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Listener Rule > Configured

Maintain AWS > EC2 > Listener Rule configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

AWS > EC2 > Listener Rule > Discovery

Discover all AWS EC2 listener rule resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Listener Rule > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Listener Rule > Usage

The Usage control determines whether the number of AWS EC2 listener rule resources exceeds the configured usage limit for this applicationLoadBalancer.

You can configure the behavior of this control with the AWS > EC2 > Listener Rule > Usage policy, and set the limit with the AWS > EC2 > Listener Rule > Usage > Limit policy.

AWS > EC2 > Load Balancer Listener > Active

Take an action when an AWS EC2 load balancer listener is not active based on the
AWS > EC2 > Load Balancer Listener > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Load Balancer Listener > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Load Balancer Listener > Approved

Take an action when an AWS EC2 load balancer listener is not approved based on AWS > EC2 > Load Balancer Listener > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Load Balancer Listener > CMDB

Record and synchronize details for the AWS EC2 load balancer listener into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Load Balancer Listener > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Load Balancer Listener > Configured

Maintain AWS > EC2 > Load Balancer Listener configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

AWS > EC2 > Load Balancer Listener > Discovery

Discover all AWS EC2 load balancer listener resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Load Balancer Listener > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Load Balancer Listener > SSL Policy

Take an action when an AWS EC2 load balancer listener is not using an allowed SSL policy.

If the SSL policy specified in the AWS > EC2 > Load Balancer Listener > SSL Policy > Default policy is not in the AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed policy, the control will move to invalid to prevent a conflict.

AWS > EC2 > Load Balancer Listener > Usage

The Usage control determines whether the number of AWS EC2 load balancer listener resources exceeds the configured usage limit for this applicationLoadBalancer.

You can configure the behavior of this control with the AWS > EC2 > Load Balancer Listener > Usage policy, and set the limit with the AWS > EC2 > Load Balancer Listener > Usage > Limit policy.

AWS > EC2 > Network Interface > Active

Take an action when an AWS EC2 network interface is not active based on the
AWS > EC2 > Network Interface > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Network Interface > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Network Interface > Approved

Take an action when an AWS EC2 network interface is not approved based on AWS > EC2 > Network Interface > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Network Interface > CMDB

Record and synchronize details for the AWS EC2 network interface into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Network Interface > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Network Interface > Configured

Maintain AWS > EC2 > Network Interface configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

AWS > EC2 > Network Interface > Discovery

Discover all AWS EC2 network interface resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Network Interface > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Network Interface > Tags

Take an action when an AWS EC2 network interface tags is not updated based on the AWS > EC2 > Network Interface > Tags > * policies.

If the resource is not updated with the tags defined in AWS > EC2 > Network Interface > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

AWS > EC2 > Network Interface > Usage

The Usage control determines whether the number of AWS EC2 network interface resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > Network Interface > Usage policy, and set the limit with the AWS > EC2 > Network Interface > Usage > Limit policy.

AWS > EC2 > Network Load Balancer > Access Logging

Define the Access Logging settings required for AWS > EC2 > Network Load Balancer.

AWS > EC2 > Network Load Balancer provides access logs that capture
detailed information about requests sent to your load
balancer. Each log contains information such as the time the
request was received, the client's IP address, latencies,
request paths, and server responses. You can use these
access logs to analyze traffic patterns and troubleshoot
issues.

AWS > EC2 > Network Load Balancer > Active

Take an action when an AWS EC2 network load balancer is not active based on the
AWS > EC2 > Network Load Balancer > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Network Load Balancer > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Network Load Balancer > Approved

Take an action when an AWS EC2 network load balancer is not approved based on AWS > EC2 > Network Load Balancer > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Network Load Balancer > CMDB

Record and synchronize details for the AWS EC2 network load balancer into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Network Load Balancer > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Network Load Balancer > Configured

Maintain AWS > EC2 > Network Load Balancer configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

AWS > EC2 > Network Load Balancer > Discovery

Discover all AWS EC2 network load balancer resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Network Load Balancer > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Network Load Balancer > Tags

Take an action when an AWS EC2 network load balancer tags is not updated based on the AWS > EC2 > Network Load Balancer > Tags > * policies.

If the resource is not updated with the tags defined in AWS > EC2 > Network Load Balancer > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

AWS > EC2 > Network Load Balancer > Usage

The Usage control determines whether the number of AWS EC2 network load balancer resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > Network Load Balancer > Usage policy, and set the limit with the AWS > EC2 > Network Load Balancer > Usage > Limit policy.

AWS > EC2 > Snapshot > Active

Take an action when an AWS EC2 snapshot is not active based on the
AWS > EC2 > Snapshot > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Snapshot > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Snapshot > Approved

Take an action when an AWS EC2 snapshot is not approved based on AWS > EC2 > Snapshot > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Snapshot > CMDB

Record and synchronize details for the AWS EC2 snapshot into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Snapshot > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Snapshot > Configured

Maintain AWS > EC2 > Snapshot configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

AWS > EC2 > Snapshot > Discovery

Discover all AWS EC2 snapshot resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Snapshot > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Snapshot > Tags

Take an action when an AWS EC2 snapshot tags is not updated based on the AWS > EC2 > Snapshot > Tags > * policies.

If the resource is not updated with the tags defined in AWS > EC2 > Snapshot > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

AWS > EC2 > Snapshot > Trusted Access

Manage trusted access for AWS EC2 Snapshots.

AWS allows EC2 Snapshots to be shared with specific AWS accounts.
This control allows you to configure whether such sharing is allowed, and to which accounts.

If set to Enforce, access to non-trusted accounts will be removed.

AWS > EC2 > Snapshot > Usage

The Usage control determines whether the number of AWS EC2 snapshot resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > Snapshot > Usage policy, and set the limit with the AWS > EC2 > Snapshot > Usage > Limit policy.

AWS > EC2 > Target Group > Active

Take an action when an AWS EC2 target group is not active based on the
AWS > EC2 > Target Group > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Target Group > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Target Group > Approved

Take an action when an AWS EC2 target group is not approved based on AWS > EC2 > Target Group > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Target Group > CMDB

Record and synchronize details for the AWS EC2 target group into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Target Group > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Target Group > Configured

Maintain AWS > EC2 > Target Group configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

AWS > EC2 > Target Group > Discovery

Discover all AWS EC2 target group resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Target Group > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Target Group > Tags

Take an action when an AWS EC2 target group tags is not updated based on the AWS > EC2 > Target Group > Tags > * policies.

If the resource is not updated with the tags defined in AWS > EC2 > Target Group > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

AWS > EC2 > Target Group > Usage

The Usage control determines whether the number of AWS EC2 target group resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > Target Group > Usage policy, and set the limit with the AWS > EC2 > Target Group > Usage > Limit policy.

AWS > EC2 > Volume > Active

Take an action when an AWS EC2 volume is not active based on the
AWS > EC2 > Volume > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Volume > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

AWS > EC2 > Volume > Approved

Take an action when an AWS EC2 volume is not approved based on AWS > EC2 > Volume > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

AWS > EC2 > Volume > CMDB

Record and synchronize details for the AWS EC2 volume into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Volume > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

AWS > EC2 > Volume > Configured

Maintain AWS > EC2 > Volume configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

AWS > EC2 > Volume > Discovery

Discover all AWS EC2 volume resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > EC2 > Volume > Regions policy, the CMDB control will delete the resource from the CMDB.

AWS > EC2 > Volume > Performance Configuration

Define the parameters required for AWS > EC2 > Volume.

Please refer Solid state derive (SSD) volumes for more details on EBS Volume Types and its parameters.

AWS > EC2 > Volume > Tags

Take an action when an AWS EC2 volume tags is not updated based on the AWS > EC2 > Volume > Tags > * policies.

If the resource is not updated with the tags defined in AWS > EC2 > Volume > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

AWS > EC2 > Volume > Usage

The Usage control determines whether the number of AWS EC2 volume resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > EC2 > Volume > Usage policy, and set the limit with the AWS > EC2 > Volume > Usage > Limit policy.