Policy types for @turbot/aws-ec2
- AWS > EC2 > AMI > Active
- AWS > EC2 > AMI > Active > Age
- AWS > EC2 > AMI > Active > Budget
- AWS > EC2 > AMI > Active > Last Modified
- AWS > EC2 > AMI > Approved
- AWS > EC2 > AMI > Approved > Budget
- AWS > EC2 > AMI > Approved > Custom
- AWS > EC2 > AMI > Approved > Regions
- AWS > EC2 > AMI > Approved > Usage
- AWS > EC2 > AMI > CMDB
- AWS > EC2 > AMI > Configured
- AWS > EC2 > AMI > Configured > Claim Precedence
- AWS > EC2 > AMI > Configured > Source
- AWS > EC2 > AMI > Regions
- AWS > EC2 > AMI > Tags
- AWS > EC2 > AMI > Tags > Template
- AWS > EC2 > AMI > Trusted Access
- AWS > EC2 > AMI > Trusted Access > Accounts
- AWS > EC2 > AMI > Usage
- AWS > EC2 > AMI > Usage > Limit
- AWS > EC2 > API Enabled
- AWS > EC2 > Account Attributes > CMDB
- AWS > EC2 > Account Attributes > EBS Encryption by Default
- AWS > EC2 > Account Attributes > EBS Encryption by Default > Customer Managed Key
- AWS > EC2 > Account Attributes > Regions
- AWS > EC2 > Application Load Balancer > Access Logging
- AWS > EC2 > Application Load Balancer > Access Logging > Bucket
- AWS > EC2 > Application Load Balancer > Access Logging > Key Prefix
- AWS > EC2 > Application Load Balancer > Active
- AWS > EC2 > Application Load Balancer > Active > Age
- AWS > EC2 > Application Load Balancer > Active > Budget
- AWS > EC2 > Application Load Balancer > Active > Last Modified
- AWS > EC2 > Application Load Balancer > Approved
- AWS > EC2 > Application Load Balancer > Approved > Budget
- AWS > EC2 > Application Load Balancer > Approved > Custom
- AWS > EC2 > Application Load Balancer > Approved > Regions
- AWS > EC2 > Application Load Balancer > Approved > Usage
- AWS > EC2 > Application Load Balancer > CMDB
- AWS > EC2 > Application Load Balancer > Configured
- AWS > EC2 > Application Load Balancer > Configured > Claim Precedence
- AWS > EC2 > Application Load Balancer > Configured > Source
- AWS > EC2 > Application Load Balancer > Regions
- AWS > EC2 > Application Load Balancer > Tags
- AWS > EC2 > Application Load Balancer > Tags > Template
- AWS > EC2 > Application Load Balancer > Usage
- AWS > EC2 > Application Load Balancer > Usage > Limit
- AWS > EC2 > Approved Regions [Default]
- AWS > EC2 > Auto Scaling Group > Active
- AWS > EC2 > Auto Scaling Group > Active > Age
- AWS > EC2 > Auto Scaling Group > Active > Last Modified
- AWS > EC2 > Auto Scaling Group > Approved
- AWS > EC2 > Auto Scaling Group > Approved > Custom
- AWS > EC2 > Auto Scaling Group > Approved > Regions
- AWS > EC2 > Auto Scaling Group > Approved > Usage
- AWS > EC2 > Auto Scaling Group > CMDB
- AWS > EC2 > Auto Scaling Group > Regions
- AWS > EC2 > Auto Scaling Group > Tags
- AWS > EC2 > Auto Scaling Group > Tags > Template
- AWS > EC2 > Auto Scaling Group > Usage
- AWS > EC2 > Auto Scaling Group > Usage > Limit
- AWS > EC2 > Classic Load Balancer > Access Logging
- AWS > EC2 > Classic Load Balancer > Access Logging > Bucket
- AWS > EC2 > Classic Load Balancer > Access Logging > Key Prefix
- AWS > EC2 > Classic Load Balancer > Active
- AWS > EC2 > Classic Load Balancer > Active > Age
- AWS > EC2 > Classic Load Balancer > Active > Budget
- AWS > EC2 > Classic Load Balancer > Active > Last Modified
- AWS > EC2 > Classic Load Balancer > Approved
- AWS > EC2 > Classic Load Balancer > Approved > Budget
- AWS > EC2 > Classic Load Balancer > Approved > Custom
- AWS > EC2 > Classic Load Balancer > Approved > Regions
- AWS > EC2 > Classic Load Balancer > Approved > Usage
- AWS > EC2 > Classic Load Balancer > CMDB
- AWS > EC2 > Classic Load Balancer > Configured
- AWS > EC2 > Classic Load Balancer > Configured > Claim Precedence
- AWS > EC2 > Classic Load Balancer > Configured > Source
- AWS > EC2 > Classic Load Balancer > Regions
- AWS > EC2 > Classic Load Balancer > Tags
- AWS > EC2 > Classic Load Balancer > Tags > Template
- AWS > EC2 > Classic Load Balancer > Usage
- AWS > EC2 > Classic Load Balancer > Usage > Limit
- AWS > EC2 > Classic Load Balancer Listener > Active
- AWS > EC2 > Classic Load Balancer Listener > Active > Age
- AWS > EC2 > Classic Load Balancer Listener > Active > Last Modified
- AWS > EC2 > Classic Load Balancer Listener > Approved
- AWS > EC2 > Classic Load Balancer Listener > Approved > Custom
- AWS > EC2 > Classic Load Balancer Listener > Approved > Instance Protocols
- AWS > EC2 > Classic Load Balancer Listener > Approved > Ports
- AWS > EC2 > Classic Load Balancer Listener > Approved > Protocols
- AWS > EC2 > Classic Load Balancer Listener > Approved > Regions
- AWS > EC2 > Classic Load Balancer Listener > Approved > Usage
- AWS > EC2 > Classic Load Balancer Listener > CMDB
- AWS > EC2 > Classic Load Balancer Listener > Regions
- AWS > EC2 > Classic Load Balancer Listener > SSL Policy
- AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed
- AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Default
- AWS > EC2 > Classic Load Balancer Listener > Usage
- AWS > EC2 > Classic Load Balancer Listener > Usage > Limit
- AWS > EC2 > Enabled
- AWS > EC2 > Gateway Load Balancer > Active
- AWS > EC2 > Gateway Load Balancer > Active > Age
- AWS > EC2 > Gateway Load Balancer > Active > Budget
- AWS > EC2 > Gateway Load Balancer > Active > Last Modified
- AWS > EC2 > Gateway Load Balancer > Approved
- AWS > EC2 > Gateway Load Balancer > Approved > Budget
- AWS > EC2 > Gateway Load Balancer > Approved > Custom
- AWS > EC2 > Gateway Load Balancer > Approved > Regions
- AWS > EC2 > Gateway Load Balancer > Approved > Usage
- AWS > EC2 > Gateway Load Balancer > CMDB
- AWS > EC2 > Gateway Load Balancer > Regions
- AWS > EC2 > Gateway Load Balancer > Tags
- AWS > EC2 > Gateway Load Balancer > Tags > Template
- AWS > EC2 > Gateway Load Balancer > Usage
- AWS > EC2 > Gateway Load Balancer > Usage > Limit
- AWS > EC2 > Instance > Active
- AWS > EC2 > Instance > Active > Age
- AWS > EC2 > Instance > Active > Budget
- AWS > EC2 > Instance > Active > Last Modified
- AWS > EC2 > Instance > Approved
- AWS > EC2 > Instance > Approved > Budget
- AWS > EC2 > Instance > Approved > Custom
- AWS > EC2 > Instance > Approved > Image
- AWS > EC2 > Instance > Approved > Image > AMI IDs
- AWS > EC2 > Instance > Approved > Image > Publishers
- AWS > EC2 > Instance > Approved > Instance Types
- AWS > EC2 > Instance > Approved > Public IP
- AWS > EC2 > Instance > Approved > Regions
- AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest
- AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest > Customer Managed Key
- AWS > EC2 > Instance > Approved > Usage
- AWS > EC2 > Instance > CMDB
- AWS > EC2 > Instance > CMDB > Attributes
- AWS > EC2 > Instance > Configured
- AWS > EC2 > Instance > Configured > Claim Precedence
- AWS > EC2 > Instance > Configured > Source
- AWS > EC2 > Instance > Default Platform
- AWS > EC2 > Instance > Detailed Monitoring
- AWS > EC2 > Instance > Instance Profile
- AWS > EC2 > Instance > Instance Profile > Name
- AWS > EC2 > Instance > Metadata Service
- AWS > EC2 > Instance > Metadata Service > HTTP Token Hop Limit
- AWS > EC2 > Instance > Regions
- AWS > EC2 > Instance > Schedule
- AWS > EC2 > Instance > Schedule Tag
- AWS > EC2 > Instance > Schedule Tag > Name
- AWS > EC2 > Instance > Tags
- AWS > EC2 > Instance > Tags > Inventory Collection
- AWS > EC2 > Instance > Tags > Template
- AWS > EC2 > Instance > Termination Protection
- AWS > EC2 > Instance > Usage
- AWS > EC2 > Instance > Usage > Limit
- AWS > EC2 > Key Pair > Active
- AWS > EC2 > Key Pair > Active > Age
- AWS > EC2 > Key Pair > Active > Budget
- AWS > EC2 > Key Pair > Active > Last Modified
- AWS > EC2 > Key Pair > Approved
- AWS > EC2 > Key Pair > Approved > Budget
- AWS > EC2 > Key Pair > Approved > Custom
- AWS > EC2 > Key Pair > Approved > Regions
- AWS > EC2 > Key Pair > Approved > Usage
- AWS > EC2 > Key Pair > CMDB
- AWS > EC2 > Key Pair > Regions
- AWS > EC2 > Key Pair > Tags
- AWS > EC2 > Key Pair > Tags > Template
- AWS > EC2 > Key Pair > Usage
- AWS > EC2 > Key Pair > Usage > Limit
- AWS > EC2 > Launch Configuration > Active
- AWS > EC2 > Launch Configuration > Active > Age
- AWS > EC2 > Launch Configuration > Active > Last Modified
- AWS > EC2 > Launch Configuration > Approved
- AWS > EC2 > Launch Configuration > Approved > Custom
- AWS > EC2 > Launch Configuration > Approved > Regions
- AWS > EC2 > Launch Configuration > Approved > Usage
- AWS > EC2 > Launch Configuration > CMDB
- AWS > EC2 > Launch Configuration > Regions
- AWS > EC2 > Launch Configuration > Usage
- AWS > EC2 > Launch Configuration > Usage > Limit
- AWS > EC2 > Launch Template > Active
- AWS > EC2 > Launch Template > Active > Age
- AWS > EC2 > Launch Template > Active > Last Modified
- AWS > EC2 > Launch Template > Approved
- AWS > EC2 > Launch Template > Approved > Custom
- AWS > EC2 > Launch Template > Approved > Regions
- AWS > EC2 > Launch Template > Approved > Usage
- AWS > EC2 > Launch Template > CMDB
- AWS > EC2 > Launch Template > Regions
- AWS > EC2 > Launch Template > Tags
- AWS > EC2 > Launch Template > Tags > Template
- AWS > EC2 > Launch Template > Usage
- AWS > EC2 > Launch Template > Usage > Limit
- AWS > EC2 > Launch Template Version > Active
- AWS > EC2 > Launch Template Version > Active > Age
- AWS > EC2 > Launch Template Version > Active > Last Modified
- AWS > EC2 > Launch Template Version > Approved
- AWS > EC2 > Launch Template Version > Approved > Custom
- AWS > EC2 > Launch Template Version > Approved > Regions
- AWS > EC2 > Launch Template Version > Approved > Usage
- AWS > EC2 > Launch Template Version > CMDB
- AWS > EC2 > Launch Template Version > Regions
- AWS > EC2 > Launch Template Version > Usage
- AWS > EC2 > Launch Template Version > Usage > Limit
- AWS > EC2 > Listener Rule > Active
- AWS > EC2 > Listener Rule > Active > Age
- AWS > EC2 > Listener Rule > Active > Budget
- AWS > EC2 > Listener Rule > Active > Last Modified
- AWS > EC2 > Listener Rule > Approved
- AWS > EC2 > Listener Rule > Approved > Budget
- AWS > EC2 > Listener Rule > Approved > Custom
- AWS > EC2 > Listener Rule > Approved > Regions
- AWS > EC2 > Listener Rule > Approved > Usage
- AWS > EC2 > Listener Rule > CMDB
- AWS > EC2 > Listener Rule > Configured
- AWS > EC2 > Listener Rule > Configured > Claim Precedence
- AWS > EC2 > Listener Rule > Configured > Source
- AWS > EC2 > Listener Rule > Regions
- AWS > EC2 > Listener Rule > Usage
- AWS > EC2 > Listener Rule > Usage > Limit
- AWS > EC2 > Load Balancer Listener > Active
- AWS > EC2 > Load Balancer Listener > Active > Age
- AWS > EC2 > Load Balancer Listener > Active > Last Modified
- AWS > EC2 > Load Balancer Listener > Approved
- AWS > EC2 > Load Balancer Listener > Approved > Custom
- AWS > EC2 > Load Balancer Listener > Approved > Ports
- AWS > EC2 > Load Balancer Listener > Approved > Protocols
- AWS > EC2 > Load Balancer Listener > Approved > Regions
- AWS > EC2 > Load Balancer Listener > Approved > Usage
- AWS > EC2 > Load Balancer Listener > CMDB
- AWS > EC2 > Load Balancer Listener > Configured
- AWS > EC2 > Load Balancer Listener > Configured > Claim Precedence
- AWS > EC2 > Load Balancer Listener > Configured > Source
- AWS > EC2 > Load Balancer Listener > Regions
- AWS > EC2 > Load Balancer Listener > SSL Policy
- AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed
- AWS > EC2 > Load Balancer Listener > SSL Policy > Default
- AWS > EC2 > Load Balancer Listener > Usage
- AWS > EC2 > Load Balancer Listener > Usage > Limit
- AWS > EC2 > Network Interface > Active
- AWS > EC2 > Network Interface > Active > Age
- AWS > EC2 > Network Interface > Active > Attached
- AWS > EC2 > Network Interface > Active > Last Modified
- AWS > EC2 > Network Interface > Approved
- AWS > EC2 > Network Interface > Approved > Custom
- AWS > EC2 > Network Interface > Approved > Regions
- AWS > EC2 > Network Interface > Approved > Usage
- AWS > EC2 > Network Interface > CMDB
- AWS > EC2 > Network Interface > Configured
- AWS > EC2 > Network Interface > Configured > Claim Precedence
- AWS > EC2 > Network Interface > Configured > Source
- AWS > EC2 > Network Interface > Regions
- AWS > EC2 > Network Interface > Tags
- AWS > EC2 > Network Interface > Tags > Template
- AWS > EC2 > Network Interface > Usage
- AWS > EC2 > Network Interface > Usage > Limit
- AWS > EC2 > Network Load Balancer > Access Logging
- AWS > EC2 > Network Load Balancer > Access Logging > Bucket
- AWS > EC2 > Network Load Balancer > Access Logging > Key Prefix
- AWS > EC2 > Network Load Balancer > Active
- AWS > EC2 > Network Load Balancer > Active > Age
- AWS > EC2 > Network Load Balancer > Active > Budget
- AWS > EC2 > Network Load Balancer > Active > Last Modified
- AWS > EC2 > Network Load Balancer > Approved
- AWS > EC2 > Network Load Balancer > Approved > Budget
- AWS > EC2 > Network Load Balancer > Approved > Custom
- AWS > EC2 > Network Load Balancer > Approved > Regions
- AWS > EC2 > Network Load Balancer > Approved > Usage
- AWS > EC2 > Network Load Balancer > CMDB
- AWS > EC2 > Network Load Balancer > Configured
- AWS > EC2 > Network Load Balancer > Configured > Claim Precedence
- AWS > EC2 > Network Load Balancer > Configured > Source
- AWS > EC2 > Network Load Balancer > Regions
- AWS > EC2 > Network Load Balancer > Tags
- AWS > EC2 > Network Load Balancer > Tags > Template
- AWS > EC2 > Network Load Balancer > Usage
- AWS > EC2 > Network Load Balancer > Usage > Limit
- AWS > EC2 > Permissions
- AWS > EC2 > Permissions > Levels
- AWS > EC2 > Permissions > Levels > Ami Publishing Administration
- AWS > EC2 > Permissions > Levels > Auto Scaling Administration
- AWS > EC2 > Permissions > Levels > Local Amis Administration
- AWS > EC2 > Permissions > Levels > Marketplace Subscription Administration
- AWS > EC2 > Permissions > Levels > Modifiers
- AWS > EC2 > Permissions > Lockdown
- AWS > EC2 > Permissions > Lockdown > API Boundary
- AWS > EC2 > Permissions > Lockdown > Instance
- AWS > EC2 > Permissions > Lockdown > Instance > Image
- AWS > EC2 > Permissions > Lockdown > Instance > Image > AMI IDs
- AWS > EC2 > Permissions > Lockdown > Instance > Image > Publishers
- AWS > EC2 > Permissions > Lockdown > Instance Types
- AWS > EC2 > Permissions > Lockdown > Volume Types
- AWS > EC2 > Regions
- AWS > EC2 > Snapshot > Active
- AWS > EC2 > Snapshot > Active > Age
- AWS > EC2 > Snapshot > Active > Budget
- AWS > EC2 > Snapshot > Active > Last Modified
- AWS > EC2 > Snapshot > Approved
- AWS > EC2 > Snapshot > Approved > Budget
- AWS > EC2 > Snapshot > Approved > Custom
- AWS > EC2 > Snapshot > Approved > Encryption at Rest
- AWS > EC2 > Snapshot > Approved > Encryption at Rest > Customer Managed Key
- AWS > EC2 > Snapshot > Approved > Regions
- AWS > EC2 > Snapshot > Approved > Usage
- AWS > EC2 > Snapshot > CMDB
- AWS > EC2 > Snapshot > Configured
- AWS > EC2 > Snapshot > Configured > Claim Precedence
- AWS > EC2 > Snapshot > Configured > Source
- AWS > EC2 > Snapshot > Regions
- AWS > EC2 > Snapshot > Tags
- AWS > EC2 > Snapshot > Tags > Template
- AWS > EC2 > Snapshot > Trusted Access
- AWS > EC2 > Snapshot > Trusted Access > Accounts
- AWS > EC2 > Snapshot > Usage
- AWS > EC2 > Snapshot > Usage > Limit
- AWS > EC2 > Tags Template [Default]
- AWS > EC2 > Target Group > Active
- AWS > EC2 > Target Group > Active > Age
- AWS > EC2 > Target Group > Active > Last Modified
- AWS > EC2 > Target Group > Approved
- AWS > EC2 > Target Group > Approved > Custom
- AWS > EC2 > Target Group > Approved > Regions
- AWS > EC2 > Target Group > Approved > Usage
- AWS > EC2 > Target Group > CMDB
- AWS > EC2 > Target Group > Configured
- AWS > EC2 > Target Group > Configured > Claim Precedence
- AWS > EC2 > Target Group > Configured > Source
- AWS > EC2 > Target Group > Regions
- AWS > EC2 > Target Group > Tags
- AWS > EC2 > Target Group > Tags > Template
- AWS > EC2 > Target Group > Usage
- AWS > EC2 > Target Group > Usage > Limit
- AWS > EC2 > Trusted Accounts [Default]
- AWS > EC2 > Volume > Active
- AWS > EC2 > Volume > Active > Age
- AWS > EC2 > Volume > Active > Attached
- AWS > EC2 > Volume > Active > Budget
- AWS > EC2 > Volume > Active > Last Modified
- AWS > EC2 > Volume > Approved
- AWS > EC2 > Volume > Approved > Budget
- AWS > EC2 > Volume > Approved > Custom
- AWS > EC2 > Volume > Approved > Encryption at Rest
- AWS > EC2 > Volume > Approved > Encryption at Rest > Customer Managed Key
- AWS > EC2 > Volume > Approved > Regions
- AWS > EC2 > Volume > Approved > Usage
- AWS > EC2 > Volume > Approved > Volume Types
- AWS > EC2 > Volume > CMDB
- AWS > EC2 > Volume > CMDB > Attributes
- AWS > EC2 > Volume > Configured
- AWS > EC2 > Volume > Configured > Claim Precedence
- AWS > EC2 > Volume > Configured > Source
- AWS > EC2 > Volume > Regions
- AWS > EC2 > Volume > Tags
- AWS > EC2 > Volume > Tags > Template
- AWS > EC2 > Volume > Usage
- AWS > EC2 > Volume > Usage > Limit
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-ec2
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-ec2
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-ec2
- AWS > Turbot > Permissions > Compiled > Lockdown Statements > @turbot/aws-ec2
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-ec2
AWS > EC2 > AMI > Active
Determine the action to take when an AWS EC2 AMI is inactive, based on the AWS > EC2 > AMI > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > AMI > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > AMI > Active > Age
The age after which the AWS EC2 AMI is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > AMI > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > AMI > Active > Budget
The impact of the budget state on the Active control. This policy allows you to force AMIs to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > AMI > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > AMI > Active > Last Modified
The number of days since the AWS EC2 AMI was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > AMI > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
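The following is an added example (not Turbot's own code) that models how the Active, Age, Budget and Last Modified policies described above combine: it parses the enum values, lets each sub-policy vote active, inactive or skipped, applies the page's rule that "Active for any reason" wins, and contrasts it with the Approved rule where "Unapproved for any reason" wins. Two points are assumptions, not taken from the page: an Age sub-policy below its limit is treated as having no opinion, and the precedence of the "Force ..." enum variants is not modelled.

```python
import re
from datetime import datetime, timedelta, timezone

AGE_RE = re.compile(r"^Force inactive if age > (\d+) days?$")
LAST_MOD_RE = re.compile(r"^(?:Force active|Active) if last modified <= (\d+) days?$")
BUDGET_RE = re.compile(r"^Force inactive if Budget > State is (\w+)( or higher)?$")
ENFORCE_RE = re.compile(r"^Enforce: Delete inactive with (\d+) days? warning$")
# Budget states named in the enum values, least to most severe; other states never trigger.
BUDGET_ORDER = ["Over", "Critical", "Shutdown"]


def _limit(regex, policy, name):
    """Parse the day count out of an enum value such as '... > 90 days'."""
    m = regex.match(policy)
    if not m:
        raise ValueError(f"unknown {name} value: {policy!r}")
    return timedelta(days=int(m.group(1)))


def age_status(policy, created_at, now):
    """Active > Age: inactive once older than the limit; below it, no opinion (assumption)."""
    if policy == "Skip":
        return "skipped"
    return "inactive" if now - created_at > _limit(AGE_RE, policy, "Age") else "skipped"


def last_modified_status(policy, modified_at, now):
    """Active > Last Modified: active inside the window, inactive after it."""
    if policy == "Skip":
        return "skipped"
    limit = _limit(LAST_MOD_RE, policy, "Last Modified")
    return "active" if now - modified_at <= limit else "inactive"


def budget_status(policy, budget_state):
    """Active > Budget: inactive once AWS > Account > Budget > State is severe enough."""
    if policy == "Skip":
        return "skipped"
    m = BUDGET_RE.match(policy)
    if not m:
        raise ValueError(f"unknown Budget value: {policy!r}")
    if budget_state not in BUDGET_ORDER:
        return "skipped"
    rank, threshold = BUDGET_ORDER.index(budget_state), BUDGET_ORDER.index(m.group(1))
    hit = rank >= threshold if m.group(2) else rank == threshold
    return "inactive" if hit else "skipped"


def aggregate(statuses, winner, loser):
    """The page's rule: `winner` for any reason wins; `loser` only if nobody voted
    `winner`; skipped when no sub-policy had an opinion."""
    if winner in statuses:
        return winner
    if loser in statuses:
        return loser
    return "skipped"


def planned_action(active_policy, status):
    """Map AWS > EC2 > AMI > Active plus the aggregated status to an action."""
    if active_policy == "Skip" or status != "inactive":
        return ("none", None)
    if active_policy == "Check: Active":
        return ("alarm", None)
    m = ENFORCE_RE.match(active_policy)
    if not m:
        raise ValueError(f"unknown Active value: {active_policy!r}")
    return ("delete after warning", int(m.group(1)))


def evaluate_ami(policies, ami, now):
    """Run the three sub-policies, aggregate (any 'active' wins), pick the action."""
    statuses = [
        age_status(policies["Age"], ami["created_at"], now),
        last_modified_status(policies["Last Modified"], ami["modified_at"], now),
        budget_status(policies["Budget"], ami["budget_state"]),
    ]
    status = aggregate(statuses, "active", "inactive")
    return status, planned_action(policies["Active"], status)


def demo():
    """Constructed sample AMIs (not real resources) under one policy set."""
    def ts(y, m, d):
        return datetime(y, m, d, tzinfo=timezone.utc)
    now = ts(2024, 6, 1)
    policies = {
        "Active": "Enforce: Delete inactive with 30 days warning",
        "Age": "Force inactive if age > 365 days",
        "Last Modified": "Active if last modified <= 30 days",
        "Budget": "Force inactive if Budget > State is Critical or higher",
    }
    old = {"created_at": ts(2023, 1, 1), "budget_state": "Over"}
    return {
        # Over a year old but touched 12 days ago: the single 'active' vote keeps it.
        "old_recently_used": evaluate_ami(policies, {**old, "modified_at": ts(2024, 5, 20)}, now),
        # Over a year old and untouched for 92 days: inactive, deleted after a 30 day warning.
        "old_and_stale": evaluate_ami(policies, {**old, "modified_at": ts(2024, 3, 1)}, now),
        # The same mix of votes under Approved semantics: one 'not approved' wins.
        "approved_contrast": aggregate(["approved", "not approved", "skipped"], "not approved", "approved"),
    }
```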
AWS > EC2 > AMI > Approved
Determine the action to take when an AWS EC2 AMI is not approved, based on the AWS > EC2 > AMI > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > AMI > Approved > Budget
This policy allows you to set AMIs to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.

This policy will be evaluated by the Approved control. If an AWS EC2 AMI is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > AMI > Approved policy.

See Approved for more information.
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > EC2 > AMI > Approved > Custom
Determine whether the AWS EC2 AMI is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS EC2 AMI is not approved, it will be subject to the action specified in the AWS > EC2 > AMI > Approved policy.

See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
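As an added example (not Turbot's own code), here is a validator for the shape the schema above requires of an Approved > Custom value, once the YAML has been parsed: a bare result string, a single object, or a list of objects, each with a required result and optional title (1 to 32 characters) and message (1 to 128 characters) and no other keys. The custom_outcome collapse rule is an assumption chosen to match the Approved control's "not approved according to any" behaviour; the page does not spell out how a list of objects is combined.

```python
RESULTS = ("Approved", "Not approved", "Skip")
LIMITS = {"title": 32, "message": 128}  # maximum lengths from the schema patterns
ALLOWED_KEYS = {"result", *LIMITS}


def _check_object(obj, path, errors):
    """One YAML object: 'result' required, optional title/message, nothing else."""
    if not isinstance(obj, dict):
        errors.append(f"{path}: expected an object, got {type(obj).__name__}")
        return
    extra = sorted(set(obj) - ALLOWED_KEYS)
    if extra:
        errors.append(f"{path}: unexpected keys {extra} (additionalProperties is false)")
    if "result" not in obj:
        errors.append(f"{path}: missing required key 'result'")
    elif obj["result"] not in RESULTS:
        errors.append(f"{path}.result: must be one of {RESULTS}, got {obj['result']!r}")
    for key, limit in LIMITS.items():
        if key in obj and not (isinstance(obj[key], str) and 1 <= len(obj[key]) <= limit):
            errors.append(f"{path}.{key}: must be a string of 1 to {limit} characters")


def validate_custom(value):
    """Return the schema violations for an Approved > Custom value; empty means valid."""
    errors = []
    if isinstance(value, str):
        if value not in RESULTS:
            errors.append(f"$: string must be one of {RESULTS}, got {value!r}")
    elif isinstance(value, list):
        for i, item in enumerate(value):
            _check_object(item, f"$[{i}]", errors)
    else:
        _check_object(value, "$", errors)
    return errors


def custom_outcome(value):
    """Collapse a valid value to one result (assumption, see lead-in): a single
    'Not approved' entry makes the resource unapproved; 'Skip' entries carry no opinion."""
    if validate_custom(value):
        raise ValueError("value does not match the Approved > Custom schema")
    items = value if isinstance(value, list) else [value]
    results = [item if isinstance(item, str) else item["result"] for item in items]
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"
```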
AWS > EC2 > AMI > Approved > Regions
A list of AWS regions in which AWS EC2 AMIs are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS EC2 AMI is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > AMI > Approved policy.

See Approved for more information.
{
  regions: policy(uri: "tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault")
}
{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'
{% endfor %}
AWS > EC2 > AMI > Approved > Usage
Determine whether the AWS EC2 AMI is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS EC2 AMI is not approved, it will be subject to the action specified in the AWS > EC2 > AMI > Approved policy.

See Approved for more information.
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > AMI > CMDB
Configure whether to record and synchronize details for the AWS EC2 AMI into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > AMI > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > AMI > Configured
Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > EC2 > AMI > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
{
  defaultPrecedence: policy(uri:"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault")
}
{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}
{ "type": "array", "items": { "type": "string" }}
AWS > EC2 > AMI > Configured > Source
An HCL- or JSON-format Terraform configuration source used to configure this resource.
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > EC2 > AMI > Regions
A list of AWS regions in which AWS EC2 AMIs are supported for use.

Any AMIs in a region not listed here will not be recorded in the CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > AMI > Tags
Determine the action to take when AWS EC2 AMI tags are not updated based on the AWS > EC2 > AMI > Tags > * policies.

The control ensures AWS EC2 AMI tags include the tags defined in AWS > EC2 > AMI > Tags > Template.

Tags not defined in the AMI Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > AMI > Tags > Template
The template is used to generate the tag keys and values for the AWS EC2 AMI.

Tags not defined in the AMI Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > AMI > Trusted Access
Manage trusted access for AWS EC2 AMIs.

AWS allows EC2 AMIs to be shared with specific AWS accounts. This policy allows you to configure whether such sharing is allowed, and to which accounts.

If set to Enforce, access for non-trusted accounts will be removed.
[ "Skip", "Check: Trusted Access > Accounts", "Enforce: Trusted Access > Accounts"]
{ "type": "string", "enum": [ "Skip", "Check: Trusted Access > Accounts", "Enforce: Trusted Access > Accounts" ], "example": [ "Check: Trusted Access > Accounts" ], "default": "Skip"}
AWS > EC2 > AMI > Trusted Access > Accounts
A list of AWS account IDs that are allowed to have access
"{\n accounts: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2TrustedAccounts\")\n}\n"
"{% if $.accounts | length == 0 %}[]{% endif %}{% for item in $.accounts %}- '{{ item }}'\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "pattern": "(?:^[0-9]{12}$|^\\*$|^all$)" }}
AWS > EC2 > AMI > Usage
Configure the number of AWS EC2 AMIs that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > EC2 > AMI > Usage policy.
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > AMI > Usage > Limit
Maximum number of items that can be created for this region.
{ "type": "integer", "minimum": 0, "default": 1000}
AWS > EC2 > API Enabled
Configure whether the AWS EC2 API is enabled.

Note: Disabling the service disables the API for ALL users and roles, and Turbot will have no access to the API.
[ "Enabled", "Disabled", "Enabled if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if AWS > EC2 > Enabled" ], "default": "Enabled"}
AWS > EC2 > Account Attributes > CMDB
Configure whether to record and synchronize details for the AWS EC2 account attributes into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Account Attributes > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Account Attributes > EBS Encryption by Default
Define the EBS Encryption by Default settings required for AWS > EC2 > Account Attributes.

Encryption at Rest refers specifically to the encryption of data when written to an underlying storage system. This control determines whether the resource is encrypted at rest, and sets encryption to your desired level.

The EBS Encryption by Default control compares the encryption settings against the encryption policies for the resource (AWS > EC2 > Account Attributes > EBS Encryption by Default > *), raises an alarm, and takes the defined enforcement action.
[ "Skip", "Check: None", "Check: None or higher", "Check: AWS managed key", "Check: AWS managed key or higher", "Check: Customer managed key", "Check: Encryption at Rest > Customer Managed Key", "Enforce: None", "Enforce: AWS managed key", "Enforce: AWS managed key or higher", "Enforce: Customer managed key", "Enforce: Encryption at Rest > Customer Managed Key"]
{ "type": "string", "enum": [ "Skip", "Check: None", "Check: None or higher", "Check: AWS managed key", "Check: AWS managed key or higher", "Check: Customer managed key", "Check: Encryption at Rest > Customer Managed Key", "Enforce: None", "Enforce: AWS managed key", "Enforce: AWS managed key or higher", "Enforce: Customer managed key", "Enforce: Encryption at Rest > Customer Managed Key" ], "example": [ "Check: None or higher" ], "default": "Skip"}
AWS > EC2 > Account Attributes > EBS Encryption by Default > Customer Managed Key
Define the KMS key ID for EBS encryption by default.

Encryption at Rest refers specifically to the encryption of data when written to an underlying storage system. This control determines whether the resource is encrypted at rest, and sets encryption to your desired level.

The EBS Encryption by Default control compares the encryption settings against the encryption policies for the resource (AWS > EC2 > Account Attributes > EBS Encryption by Default > *), raises an alarm, and takes the defined enforcement action.

Please make sure the key defined in the template has the required permissions.

example:
 alias/aws/ebs
 ddc06e04-ce5f-4995-c758-c2b6c510e8fd
 arn:aws:kms:us-east-1:123456789012:key/ddc06e04-ce5f-4995-c758-c2b6c510e8fd
 arn:aws:kms:us-east-1:123456789012:alias/aws/ebs
"{\n defaultKey: policy(uri: \"aws-kms#/policy/types/keyDefaultCustomerManagedKey\")\n}\n"
"{{ $.defaultKey }}"
{ "anyOf": [ { "type": "string", "pattern": "^alias/[a-zA-Z0-9:/_-]{1,249}$" }, { "type": "string", "pattern": "^[-a-z0-9-]{1,255}$" }, { "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:key/[-a-z0-9-]{1,255}$" }, { "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:alias/[a-zA-Z0-9:/_-]{1,249}$" } ], "tests": [ { "description": "valid - if keyArn", "input": "arn:aws:kms:us-east-1:039305405804:key/ddc06e04-ce5f-4995-b758-c2b6c510e8fd" }, { "description": "valid - if aliasName", "input": "alias/aws/ebs" }, { "description": "valid - if keyId", "input": "ddc06e04-ce5f-4995-b758-c2b6c510e8fd" }, { "description": "valid - if aliasArn", "input": "arn:aws:kms:us-east-1:039305405804:alias/aws/ebs" } ]}
AWS > EC2 > Account Attributes > Regions
A list of AWS regions in which AWS EC2 account attributes are supported for use.

Any account attributes in a region not listed here will not be recorded in the CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Application Load Balancer > Access Logging
Define the Access Logging settings required for AWS > EC2 > Application Load Balancer.

AWS > EC2 > Application Load Balancer provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.
[ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled to Access Logging > Bucket", "Enforce: Disabled", "Enforce: Enabled to Access Logging > Bucket"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled to Access Logging > Bucket", "Enforce: Disabled", "Enforce: Enabled to Access Logging > Bucket" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Access Logging > Bucket
The name of an S3 Bucket to which the Application Load Balancer access logs will be delivered.

The S3 Bucket must already exist and the S3 service must be allowed write access. The bucket can reside in any account but must be in the same region as the Load Balancer.

example:

 testbucket
 turbotbucket
"{\n turbotLoggingBucket: policy(uri: \"aws#/policy/types/loggingBucketDefault\")\n}\n"
"{% if $.turbotLoggingBucket %}"{{ $.turbotLoggingBucket }}"{% else %}""{% endif %}"
{ "type": "string", "pattern": "^[a-zA-Z0-9._-]{1,255}$"}
AWS > EC2 > Application Load Balancer > Access Logging > Key Prefix
An optional S3 key prefix to which the AWS > EC2 > Application Load Balancer access logs will be written.

The file names of the access logs use the following format:
bucket[/prefix]/AWSLogs/aws-account-id/elasticloadbalancing/region/yyyy/mm/dd/aws-account-id_elasticloadbalancing_region_load-balancer-id_end-time_ip-address_random-string.log.gz
{ "type": "string", "pattern": "^.{1,200}$", "default": ""}
AWS > EC2 > Application Load Balancer > Active
Determine the action to take when an AWS EC2 application load balancer is not active, based on the AWS > EC2 > Application Load Balancer > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Application Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Active > Age
The age after which the AWS EC2 application load balancer is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Application Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Active > Budget
The impact of the budget state on the Active control. This policy allows you to force application load balancers to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Application Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Active > Last Modified
The number of days since the AWS EC2 application load balancer was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Application Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Approved
Determine the action to take when an AWS EC2 application load balancer is not approved based on the AWS > EC2 > Application Load Balancer > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Approved > Budget
This policy allows you to set application load balancers to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.

This policy will be evaluated by the Approved control. If an AWS EC2 application load balancer is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Application Load Balancer > Approved policy.

See Approved for more information.
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Approved > Custom
Determine whether the AWS EC2 application load balancer is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS EC2 application load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Application Load Balancer > Approved policy.

See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Approved > Regions
A list of AWS regions in which AWS EC2 application load balancers are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS EC2 application load balancer is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Application Load Balancer > Approved policy.

See Approved for more information.
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Application Load Balancer > Approved > Usage
Determine whether the AWS EC2 application load balancer is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS EC2 application load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Application Load Balancer > Approved policy.

See Approved for more information.
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Application Load Balancer > CMDB
Configure whether to record and synchronize details for the AWS EC2 application load balancer into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Application Load Balancer > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Application Load Balancer > Configured
Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > EC2 > Application Load Balancer > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > EC2 > Application Load Balancer > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > EC2 > Application Load Balancer > Regions
A list of AWS regions in which AWS EC2 application load balancers are supported for use.

Any application load balancers in a region not listed here will not be recorded in the CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Application Load Balancer > Tags
Determine the action to take when AWS EC2 application load balancer tags are not updated based on the AWS > EC2 > Application Load Balancer > Tags > * policies.

The control ensures AWS EC2 application load balancer tags include the tags defined in AWS > EC2 > Application Load Balancer > Tags > Template.

Tags not defined in the Application Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Tags > Template
The template is used to generate the tag keys and values for the AWS EC2 application load balancer.

Tags not defined in the Application Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Application Load Balancer > Usage
Configure the number of AWS EC2 application load balancers that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > EC2 > Application Load Balancer > Usage policy.
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Usage > Limit
Maximum number of items that can be created for this region.
{ "type": "integer", "minimum": 0, "default": 50}
AWS > EC2 > Approved Regions [Default]
A list of AWS regions in which AWS EC2 resources are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy is the default value for all AWS EC2 resources' Approved > Regions policies.
"{\n regions: policyValue(uri:\"tmod:@turbot/aws#/policy/types/approvedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Auto Scaling Group > Active
Determine the action to take when an AWS EC2 auto scaling group is not active, based on the AWS > EC2 > Auto Scaling Group > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Auto Scaling Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Auto Scaling Group > Active > Age
The age after which the AWS EC2 auto scaling group is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Auto Scaling Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Auto Scaling Group > Active > Last Modified
The number of days since the AWS EC2 auto scaling group was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Auto Scaling Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Auto Scaling Group > Approved
Determine the action to take when an AWS EC2 auto scaling group is not approved based on AWS > EC2 > Auto Scaling Group > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Auto Scaling Group > Approved > Custom
Determine whether the AWS EC2 auto scaling group is allowed to exist. This policy will be evaluated by the Approved control. If an AWS EC2 auto scaling group is not approved, it will be subject to the action specified in the AWS > EC2 > Auto Scaling Group > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Auto Scaling Group > Approved > Regions
A list of AWS regions in which AWS EC2 auto scaling groups are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS EC2 auto scaling group is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Auto Scaling Group > Approved policy.

See Approved for more information.
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Auto Scaling Group > Approved > Usage
Determine whether the AWS EC2 auto scaling group is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS EC2 auto scaling group is not approved, it will be subject to the action specified in the AWS > EC2 > Auto Scaling Group > Approved policy.

See Approved for more information.
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Auto Scaling Group > CMDB
Configure whether to record and synchronize details for the AWS EC2 auto scaling group into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Auto Scaling Group > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Auto Scaling Group > Regions
A list of AWS regions in which AWS EC2 auto scaling groups are supported for use.

Any auto scaling groups in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Auto Scaling Group > Tags
Determine the action to take when AWS EC2 auto scaling group tags are not updated based on the AWS > EC2 > Auto Scaling Group > Tags > * policies.

The control ensures AWS EC2 auto scaling group tags include the tags defined in AWS > EC2 > Auto Scaling Group > Tags > Template.

Tags not defined in Auto Scaling Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Auto Scaling Group > Tags > Template
The template is used to generate the keys and values for the AWS EC2 auto scaling group.

Tags not defined in Auto Scaling Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Auto Scaling Group > Usage
Configure the number of AWS EC2 auto scaling groups that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > EC2 > Auto Scaling Group > Usage policy.
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Auto Scaling Group > Usage > Limit
Maximum number of items that can be created for this region.
{ "type": "integer", "minimum": 0, "default": 200}
AWS > EC2 > Classic Load Balancer > Access Logging
Define the Access Logging settings required for AWS > EC2 > Classic Load Balancer.

AWS > EC2 > Classic Load Balancer provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.
[ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled to Access Logging > Bucket", "Enforce: Disabled", "Enforce: Enabled to Access Logging > Bucket"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled to Access Logging > Bucket", "Enforce: Disabled", "Enforce: Enabled to Access Logging > Bucket" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Access Logging > Bucket
The name of an S3 Bucket to which the AWS > EC2 > Classic Load Balancer access logs will be delivered.

The S3 Bucket must already exist and the S3 service must be allowed write access. The bucket should reside in the same account and the same region as the load balancer.

example:

  testbucket
  turbotbucket
"{\n turbotLoggingBucket: policy(uri: \"aws#/policy/types/loggingBucketDefault\")\n}\n"
"{% if $.turbotLoggingBucket %}"{{ $.turbotLoggingBucket }}"{% else %}""{% endif %}"
{ "type": "string"}
AWS > EC2 > Classic Load Balancer > Access Logging > Key Prefix
An optional S3 key prefix to which the AWS > EC2 > Classic Load Balancer access logs will be written.

The file names of the access logs use the following format:
bucket[/prefix]/AWSLogs/aws-account-id/elasticloadbalancing/region/yyyy/mm/dd/aws-account-id_elasticloadbalancing_region_load-balancer-id_end-time_ip-address_random-string.log.gz
{ "type": "string", "pattern": "^.{1,200}$", "default": ""}
AWS > EC2 > Classic Load Balancer > Active
Determine the action to take for an AWS EC2 classic load balancer, based on the AWS > EC2 > Classic Load Balancer > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Active > Age
The age after which the AWS EC2 classic load balancer is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Active > Budget
The impact of the budget state on the active control. This policy allows you to force classic load balancers to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Active > Last Modified
The number of days since the AWS EC2 classic load balancer was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Approved
Determine the action to take when an AWS EC2 classic load balancer is not approved based on AWS > EC2 > Classic Load Balancer > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Approved > Budget
The policy allows you to set classic load balancers to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer > Approved policy.

See Approved for more information.
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Approved > Custom
Determine whether the AWS EC2 classic load balancer is allowed to exist. This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Approved > Regions
A list of AWS regions in which AWS EC2 classic load balancers are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer > Approved policy.

See Approved for more information.
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Classic Load Balancer > Approved > Usage
Determine whether the AWS EC2 classic load balancer is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer > Approved policy.

See Approved for more information.
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Classic Load Balancer > CMDB
Configure whether to record and synchronize details for the AWS EC2 classic load balancer into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Classic Load Balancer > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Classic Load Balancer > Configured
Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > EC2 > Classic Load Balancer > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > EC2 > Classic Load Balancer > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > EC2 > Classic Load Balancer > Regions
A list of AWS regions in which AWS EC2 classic load balancers are supported for use.

Any classic load balancers in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Classic Load Balancer > Tags
Determine the action to take when AWS EC2 classic load balancer tags are not updated based on the AWS > EC2 > Classic Load Balancer > Tags > * policies.

The control ensures AWS EC2 classic load balancer tags include the tags defined in AWS > EC2 > Classic Load Balancer > Tags > Template.

Tags not defined in Classic Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Tags > Template
The template is used to generate the keys and values for the AWS EC2 classic load balancer.

Tags not defined in Classic Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Classic Load Balancer > Usage
Configure the number of AWS EC2 classic load balancers that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > EC2 > Classic Load Balancer > Usage policy.
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Usage > Limit
Maximum number of items that can be created for this region.
{ "type": "integer", "minimum": 0, "default": 20}
AWS > EC2 > Classic Load Balancer Listener > Active
Determine the action to take for an AWS EC2 classic load balancer listener, based on the AWS > EC2 > Classic Load Balancer Listener > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer Listener > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer Listener > Active > Age
The age after which the AWS EC2 classic load balancer listener is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer Listener > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer Listener > Active > Last Modified
The number of days since the AWS EC2 classic load balancer listener was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer Listener > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer Listener > Approved
Determine the action to take when an AWS EC2 classic load balancer listener is not approved based on the AWS > EC2 > Classic Load Balancer Listener > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer Listener > Approved > Custom
Determine whether the AWS EC2 classic load balancer listener is allowed to exist. This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.

See Approved for more information.

Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer Listener > Approved > Instance Protocols
A list of instance protocols that the AWS EC2 classic load balancer listener is approved to use.

The expected format is an array of instance protocols. You may use the '*' and '?' wildcard characters (and more).

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.

See Approved for more information.
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "^(HTTP|HTTPS|TCP|SSL)$" }}
AWS > EC2 > Classic Load Balancer Listener > Approved > Ports
Determine which ports, or port ranges, the AWS EC2 classic load balancer listener is allowed to have assigned.

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.

See Approved for more information.

Example:

 - 443
 - 1001-65535
 - 80
 - 400-999
{ "type": "array", "items": { "type": "string" }, "default": [ "1-65535" ]}
AWS > EC2 > Classic Load Balancer Listener > Approved > Protocols
Determine which protocols the AWS EC2 classic load balancer listener is allowed to have assigned.

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.

See Approved for more information.
{ "type": "array", "items": { "type": "string", "enum": [ "HTTP", "HTTPS", "TCP", "SSL" ] }, "default": [ "HTTP", "HTTPS", "TCP", "SSL" ]}
AWS > EC2 > Classic Load Balancer Listener > Approved > Regions
A list of AWS regions in which AWS EC2 classic load balancer listeners are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.

See Approved for more information.
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Classic Load Balancer Listener > Approved > Usage
Determine whether the AWS EC2 classic load balancer listener is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.

See Approved for more information.
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Classic Load Balancer Listener > CMDB
Configure whether to record and synchronize details for the AWS EC2 classic load balancer listener into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to "Skip" then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Classic Load Balancer Listener > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Classic Load Balancer Listener > Regions
A list of AWS regions in which AWS EC2 classic load balancer listeners are supported for use.

Any classic load balancer listeners in a region not listed here will not be recorded in the CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Classic Load Balancer Listener > SSL Policy
Determine the action to take when an AWS EC2 classic load balancer listener is not using an allowed SSL policy.

If a classic load balancer listener is not using an allowed SSL policy and this policy is set to "Enforce: Set to SSL Policy > Default", the classic load balancer listener will be updated to use the SSL policy selected in the AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Default policy.
[ "Skip", "Check: Set in SSL Policy > Allowed", "Enforce: Set to SSL Policy > Default"]
{ "type": "string", "enum": [ "Skip", "Check: Set in SSL Policy > Allowed", "Enforce: Set to SSL Policy > Default" ], "example": [ "Check: Set in SSL Policy > Allowed" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed
A list of AWS SSL policies that the AWS EC2 classic load balancer listener is allowed to use.

For a complete list of SSL policies and which ciphers and protocols they support, please see [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html).
{ "type": "array", "items": { "type": "string", "enum": [ "Custom", "ELBSample-ELBDefaultNegotiationPolicy", "ELBSample-OpenSSLDefaultNegotiationPolicy", "ELBSecurityPolicy-2011-08", "ELBSecurityPolicy-2014-01", "ELBSecurityPolicy-2014-10", "ELBSecurityPolicy-2015-02", "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01" ] }, "default": [ "Custom", "ELBSample-ELBDefaultNegotiationPolicy", "ELBSample-OpenSSLDefaultNegotiationPolicy", "ELBSecurityPolicy-2011-08", "ELBSecurityPolicy-2014-01", "ELBSecurityPolicy-2014-10", "ELBSecurityPolicy-2015-02", "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01" ], "example": [ "ELBSecurityPolicy-2016-08" ]}
AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Default
Define the default AWS SSL policy the AWS EC2 classic load balancer listener should use if it's not currently using an allowed SSL policy.

The SSL policy selected in this policy should also be allowed in the AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed policy, else the control will move into an "invalid" state while trying to enforce this policy.
[ "ELBSample-ELBDefaultNegotiationPolicy", "ELBSample-OpenSSLDefaultNegotiationPolicy", "ELBSecurityPolicy-2011-08", "ELBSecurityPolicy-2014-01", "ELBSecurityPolicy-2014-10", "ELBSecurityPolicy-2015-02", "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01"]
{ "type": "string", "enum": [ "ELBSample-ELBDefaultNegotiationPolicy", "ELBSample-OpenSSLDefaultNegotiationPolicy", "ELBSecurityPolicy-2011-08", "ELBSecurityPolicy-2014-01", "ELBSecurityPolicy-2014-10", "ELBSecurityPolicy-2015-02", "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01" ], "default": "ELBSecurityPolicy-2016-08", "example": [ "ELBSecurityPolicy-2016-08" ]}
AWS > EC2 > Classic Load Balancer Listener > Usage
Configure the number of AWS EC2 classic load balancer listeners that can be used for this classic load balancer and the current consumption against the limit.

You can configure the behavior of the control with this AWS > EC2 > Classic Load Balancer Listener > Usage policy.
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}