Policy types for @turbot/aws-ec2

AWS > EC2 > AMI > Active

Determine the action to take for an AWS EC2 AMI, based on the AWS > EC2 > AMI > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > AMI > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/amiActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > EC2 > AMI > Active > Age

The age after which the AWS EC2 AMI is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > AMI > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/amiActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > EC2 > AMI > Active > Budget

The impact of the budget state on the active control. This policy allows you to force AMIs to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > AMI > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/amiActiveBudget
Valid Value
[
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > EC2 > AMI > Active > Last Modified

The number of days since the AWS EC2 AMI was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > AMI > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/amiActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > EC2 > AMI > Approved

Determine the action to take when an AWS EC2 AMI is not approved based on AWS > EC2 > AMI > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/amiApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > EC2 > AMI > Approved > Budget

The policy allows you to set AMIs to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.

This policy will be evaluated by the Approved control. If an AWS EC2 AMI is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > AMI > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/amiApprovedBudget
Valid Value
[
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
],
"example": [
"Unapproved if Budget > State is Shutdown"
],
"default": "Skip"
}

AWS > EC2 > AMI > Approved > Custom

Determine whether the AWS EC2 AMI is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS EC2 AMI is not approved, it will be subject to the action specified in the AWS > EC2 > AMI > Approved policy.

See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-ec2#/policy/types/amiApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > EC2 > AMI > Approved > Regions

A list of AWS regions in which AWS EC2 AMIs are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS EC2 AMI is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > AMI > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/amiApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"

AWS > EC2 > AMI > Approved > Usage

Determine whether the AWS EC2 AMI is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS EC2 AMI is not approved, it will be subject to the action specified in the AWS > EC2 > AMI > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/amiApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > EC2 > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > EC2 > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > EC2 > Enabled"
}

AWS > EC2 > AMI > CMDB

Configure whether to record and synchronize details for the AWS EC2 AMI into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > AMI > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-ec2#/policy/types/amiCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > EC2 > AMI > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.

URI
tmod:@turbot/aws-ec2#/policy/types/amiConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > EC2 > AMI > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-ec2#/policy/types/amiConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > EC2 > AMI > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-ec2#/policy/types/amiConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > EC2 > AMI > Regions

A list of AWS regions in which AWS EC2 AMIs are supported for use.

Any AMIs in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-ec2#/policy/types/amiRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

AWS > EC2 > AMI > Tags

Determine the action to take when AWS EC2 AMI tags are not updated based on the AWS > EC2 > AMI > Tags > * policies.

The control ensures AWS EC2 AMI tags include tags defined in AWS > EC2 > AMI > Tags > Template.

Tags not defined in AMI Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/amiTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > EC2 > AMI > Tags > Template

The template is used to generate the keys and values for the AWS EC2 AMI.

Tags not defined in AMI Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/amiTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > EC2 > AMI > Trusted Access

Manage trusted access for AWS EC2 AMIs.

AWS allows EC2 AMIs to be shared with specific AWS accounts. This policy allows you to configure whether such sharing is allowed, and to which accounts.

If set to Enforce, access to non-trusted accounts will be removed.

URI
tmod:@turbot/aws-ec2#/policy/types/amiTrustedAccess
Valid Value
[
"Skip",
"Check: Trusted Access > Accounts",
"Enforce: Trusted Access > Accounts"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Trusted Access > Accounts",
"Enforce: Trusted Access > Accounts"
],
"example": [
"Check: Trusted Access > Accounts"
],
"default": "Skip"
}

AWS > EC2 > AMI > Trusted Access > Accounts

A list of AWS account IDs that are allowed to have access.

URI
tmod:@turbot/aws-ec2#/policy/types/amiTrustedAccessAccounts
Default Template Input
"{\n accounts: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2TrustedAccounts\")\n}\n"
Default Template
"{% if $.accounts | length == 0 %}[]{% endif %}{% for item in $.accounts %}- '{{ item }}'\n{% endfor %}"
Schema
{
"type": "array",
"items": {
"type": "string",
"pattern": "(?:^[0-9]{12}$|^\\*$|^all$)"
}
}

AWS > EC2 > AMI > Usage

Configure the number of AWS EC2 AMIs that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > EC2 > AMI > Usage policy.

URI
tmod:@turbot/aws-ec2#/policy/types/amiUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > EC2 > AMI > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-ec2#/policy/types/amiUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 1000
}

AWS > EC2 > API Enabled

Configure whether the AWS EC2 API is enabled.

Note: Disabling the service disables the API for ALL users and roles, and Turbot will have no access to the API.

URI
tmod:@turbot/aws-ec2#/policy/types/ec2ApiEnabled
Parent
Valid Value
[
"Enabled",
"Disabled",
"Enabled if AWS > EC2 > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled",
"Enabled if AWS > EC2 > Enabled"
],
"default": "Enabled"
}

AWS > EC2 > Account Attributes > CMDB

Configure whether to record and synchronize details for the AWS EC2 account attributes into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Account Attributes > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-ec2#/policy/types/ec2AccountAttributesCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > EC2 > Account Attributes > EBS Encryption by Default

Define the EBS Encryption by Default settings required for AWS > EC2 > Account Attributes.

Encryption at Rest refers specifically to the encryption of data when written to an underlying storage system. This control determines whether the resource is encrypted at rest, and sets encryption to your desired level.

The EBS Encryption by Default control compares the encryption settings against the encryption policies for the resource (AWS > EC2 > Account Attributes > EBS Encryption by Default > *), raises an alarm, and takes the defined enforcement action.

URI
tmod:@turbot/aws-ec2#/policy/types/ec2AccountAttributesEbsEncryptionByDefault
Valid Value
[
"Skip",
"Check: None",
"Check: None or higher",
"Check: AWS managed key",
"Check: AWS managed key or higher",
"Check: Customer managed key",
"Check: Encryption at Rest > Customer Managed Key",
"Enforce: None",
"Enforce: AWS managed key",
"Enforce: AWS managed key or higher",
"Enforce: Customer managed key",
"Enforce: Encryption at Rest > Customer Managed Key"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: None",
"Check: None or higher",
"Check: AWS managed key",
"Check: AWS managed key or higher",
"Check: Customer managed key",
"Check: Encryption at Rest > Customer Managed Key",
"Enforce: None",
"Enforce: AWS managed key",
"Enforce: AWS managed key or higher",
"Enforce: Customer managed key",
"Enforce: Encryption at Rest > Customer Managed Key"
],
"example": [
"Check: None or higher"
],
"default": "Skip"
}

AWS > EC2 > Account Attributes > EBS Encryption by Default > Customer Managed Key

Define the KMS key ID for EBS encryption by default.

Encryption at Rest refers specifically to the encryption of data when written to an underlying storage system. This control determines whether the resource is encrypted at rest, and sets encryption to your desired level.

The EBS Encryption by Default control compares the encryption settings against the encryption policies for the resource (AWS > EC2 > Account Attributes > EBS Encryption by Default > *), raises an alarm, and takes the defined enforcement action.

Please make sure the key defined in the template has the required permissions.

example:
  alias/aws/ebs
  ddc06e04-ce5f-4995-c758-c2b6c510e8fd
  arn:aws:kms:us-east-1:123456789012:key/ddc06e04-ce5f-4995-c758-c2b6c510e8fd
  arn:aws:kms:us-east-1:123456789012:alias/aws/ebs

URI
tmod:@turbot/aws-ec2#/policy/types/ec2AccountAttributesEbsEncryptionByDefaultCustomerManagedKey
Default Template Input
"{\n defaultKey: policy(uri: \"aws-kms#/policy/types/keyDefaultCustomerManagedKey\")\n}\n"
Default Template
"{{ $.defaultKey }}"
Schema
{
"anyOf": [
{
"type": "string",
"pattern": "^alias/[a-zA-Z0-9:/_-]{1,249}$"
},
{
"type": "string",
"pattern": "^[-a-z0-9-]{1,255}$"
},
{
"type": "string",
"pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:key/[-a-z0-9-]{1,255}$"
},
{
"type": "string",
"pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:alias/[a-zA-Z0-9:/_-]{1,249}$"
}
],
"tests": [
{
"description": "valid - if keyArn",
"input": "arn:aws:kms:us-east-1:039305405804:key/ddc06e04-ce5f-4995-b758-c2b6c510e8fd"
},
{
"description": "valid - if aliasName",
"input": "alias/aws/ebs"
},
{
"description": "valid - if keyId",
"input": "ddc06e04-ce5f-4995-b758-c2b6c510e8fd"
},
{
"description": "valid - if aliasArn",
"input": "arn:aws:kms:us-east-1:039305405804:alias/aws/ebs"
}
]
}

AWS > EC2 > Account Attributes > Regions

A list of AWS regions in which AWS EC2 account attributes are supported for use.

Any account attributes in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-ec2#/policy/types/ec2AccountAttributesRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

AWS > EC2 > Application Load Balancer > Access Logging

Define the Access Logging settings required for AWS > EC2 > Application Load Balancer.

AWS > EC2 > Application Load Balancer provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerAccessLogging
Valid Value
[
"Skip",
"Check: Disabled",
"Check: Enabled",
"Check: Enabled to Access Logging > Bucket",
"Enforce: Disabled",
"Enforce: Enabled to Access Logging > Bucket"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Disabled",
"Check: Enabled",
"Check: Enabled to Access Logging > Bucket",
"Enforce: Disabled",
"Enforce: Enabled to Access Logging > Bucket"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > EC2 > Application Load Balancer > Access Logging > Bucket

The name of an S3 Bucket to which the Bucket access logs will be delivered.

The S3 Bucket must already exist and the S3 service must be allowed write access. The bucket can reside in any account but must be in the same region as the Load Balancer.

example:
  testbucket
  turbotbucket

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerAccessLoggingBucket
Default Template Input
"{\n turbotLoggingBucket: policy(uri: \"aws#/policy/types/loggingBucketDefault\")\n}\n"
Default Template
"{% if $.turbotLoggingBucket %}\"{{ $.turbotLoggingBucket }}\"{% else %}\"\"{% endif %}"
Schema
{
"type": "string",
"pattern": "^[a-zA-Z0-9._-]{1,255}$"
}

AWS > EC2 > Application Load Balancer > Access Logging > Key Prefix

An optional S3 key prefix to which the AWS > EC2 > Application Load Balancer access logs will be written.

The file names of the access logs use the following format:

bucket[/prefix]/AWSLogs/aws-account-id/elasticloadbalancing/region/yyyy/mm/dd/aws-account-id_elasticloadbalancing_region_load-balancer-id_end-time_ip-address_random-string.log.gz

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerAccessLoggingKeyPrefix
Schema
{
"type": "string",
"pattern": "^.{1,200}$",
"default": ""
}

AWS > EC2 > Application Load Balancer > Active

Determine the action to take for an AWS EC2 application load balancer, based on the AWS > EC2 > Application Load Balancer > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Application Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > EC2 > Application Load Balancer > Active > Age

The age after which the AWS EC2 application load balancer is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Application Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > EC2 > Application Load Balancer > Active > Budget

The impact of the budget state on the active control. This policy allows you to force application load balancers to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Application Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerActiveBudget
Valid Value
[
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > EC2 > Application Load Balancer > Active > Last Modified

The number of days since the AWS EC2 application load balancer was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Application Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > EC2 > Application Load Balancer > Approved

Determine the action to take when an AWS EC2 application load balancer is not approved based on AWS > EC2 > Application Load Balancer > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > EC2 > Application Load Balancer > Approved > Budget

The policy allows you to set application load balancers to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.

This policy will be evaluated by the Approved control. If an AWS EC2 application load balancer is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Application Load Balancer > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerApprovedBudget
Valid Value
[
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
],
"example": [
"Unapproved if Budget > State is Shutdown"
],
"default": "Skip"
}

AWS > EC2 > Application Load Balancer > Approved > Custom

Determine whether the AWS EC2 application load balancer is allowed to exist. This policy will be evaluated by the Approved control. If an AWS EC2 application load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Application Load Balancer > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > EC2 > Application Load Balancer > Approved > Regions

A list of AWS regions in which AWS EC2 application load balancers are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS EC2 application load balancer is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Application Load Balancer > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

AWS > EC2 > Application Load Balancer > Approved > Usage

Determine whether the AWS EC2 application load balancer is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS EC2 application load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Application Load Balancer > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > EC2 > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > EC2 > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > EC2 > Enabled"
}

AWS > EC2 > Application Load Balancer > CMDB

Configure whether to record and synchronize details for the AWS EC2 application load balancer into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Application Load Balancer > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > EC2 > Application Load Balancer > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > EC2 > Application Load Balancer > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > EC2 > Application Load Balancer > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > EC2 > Application Load Balancer > Regions

A list of AWS regions in which AWS EC2 application load balancers are supported for use.

Any application load balancers in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

AWS > EC2 > Application Load Balancer > Tags

Determine the action to take when AWS EC2 application load balancer tags are not updated based on the AWS > EC2 > Application Load Balancer > Tags > * policies.

The control ensures AWS EC2 application load balancer tags include tags defined in AWS > EC2 > Application Load Balancer > Tags > Template.

Tags not defined in Application Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > EC2 > Application Load Balancer > Tags > Template

The template is used to generate the keys and values for AWS EC2 application load balancer.

Tags not defined in Application Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > EC2 > Application Load Balancer > Usage

Configure the number of AWS EC2 application load balancers that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > EC2 > Application Load Balancer > Usage policy.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > EC2 > Application Load Balancer > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 50
}

AWS > EC2 > Approved Regions [Default]

A list of AWS regions in which AWS EC2 resources are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy is the default value for all AWS EC2 resources' Approved > Regions policies.

URI
tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault
Parent
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws#/policy/types/approvedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

AWS > EC2 > Auto Scaling Group > Active

Determine the action to take for an AWS EC2 auto scaling group, based on the AWS > EC2 > Auto Scaling Group > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Auto Scaling Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > EC2 > Auto Scaling Group > Active > Age

The age after which the AWS EC2 auto scaling group is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Auto Scaling Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > EC2 > Auto Scaling Group > Active > Last Modified

The number of days since the AWS EC2 auto scaling group was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Auto Scaling Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > EC2 > Auto Scaling Group > Approved

Determine the action to take when an AWS EC2 auto scaling group is not approved based on AWS > EC2 > Auto Scaling Group > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > EC2 > Auto Scaling Group > Approved > Custom

Determine whether the AWS EC2 auto scaling group is allowed to exist. This policy will be evaluated by the Approved control. If an AWS EC2 auto scaling group is not approved, it will be subject to the action specified in the AWS > EC2 > Auto Scaling Group > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > EC2 > Auto Scaling Group > Approved > Regions

A list of AWS regions in which AWS EC2 auto scaling groups are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS EC2 auto scaling group is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Auto Scaling Group > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

AWS > EC2 > Auto Scaling Group > Approved > Usage

Determine whether the AWS EC2 auto scaling group is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS EC2 auto scaling group is not approved, it will be subject to the action specified in the AWS > EC2 > Auto Scaling Group > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > EC2 > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > EC2 > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > EC2 > Enabled"
}

AWS > EC2 > Auto Scaling Group > CMDB

Configure whether to record and synchronize details for the AWS EC2 auto scaling group into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Auto Scaling Group > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > EC2 > Auto Scaling Group > Regions

A list of AWS regions in which AWS EC2 auto scaling groups are supported for use.

Any auto scaling groups in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

AWS > EC2 > Auto Scaling Group > Tags

Determine the action to take when AWS EC2 auto scaling group tags are not updated based on the AWS > EC2 > Auto Scaling Group > Tags > * policies.

The control ensures AWS EC2 auto scaling group tags include tags defined in AWS > EC2 > Auto Scaling Group > Tags > Template.

Tags not defined in Auto Scaling Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > EC2 > Auto Scaling Group > Tags > Template

The template is used to generate the keys and values for AWS EC2 auto scaling group.

Tags not defined in Auto Scaling Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > EC2 > Auto Scaling Group > Usage

Configure the number of AWS EC2 auto scaling groups that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > EC2 > Auto Scaling Group > Usage policy.

URI
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > EC2 > Auto Scaling Group > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 200
}

AWS > EC2 > Classic Load Balancer > Access Logging

Define the Access Logging settings required for AWS > EC2 > Classic Load Balancer.

AWS > EC2 > Classic Load Balancer provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerAccessLogging
Valid Value
[
"Skip",
"Check: Disabled",
"Check: Enabled",
"Check: Enabled to Access Logging > Bucket",
"Enforce: Disabled",
"Enforce: Enabled to Access Logging > Bucket"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Disabled",
"Check: Enabled",
"Check: Enabled to Access Logging > Bucket",
"Enforce: Disabled",
"Enforce: Enabled to Access Logging > Bucket"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer > Access Logging > Bucket

The name of an S3 Bucket to which the Bucket access logs will be delivered.

The S3 Bucket must already exist and the S3 service must be allowed write access. The bucket should reside in the same account and the same region as the Bucket.

Example:
  testbucket
  turbotbucket

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerAccessLoggingBucket
Default Template Input
"{\n turbotLoggingBucket: policy(uri: \"aws#/policy/types/loggingBucketDefault\")\n}\n"
Default Template
"{% if $.turbotLoggingBucket %}\"{{ $.turbotLoggingBucket }}\"{% else %}\"\"{% endif %}"
Schema
{
"type": "string"
}

AWS > EC2 > Classic Load Balancer > Access Logging > Key Prefix

An optional S3 key prefix to which the AWS > EC2 > Classic Load Balancer access logs will be written.

The file names of the access logs use the following format:
bucket[/prefix]/AWSLogs/aws-account-id/elasticloadbalancing/region/yyyy/mm/dd/aws-account-id_elasticloadbalancing_region_load-balancer-id_end-time_ip-address_random-string.log.gz

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerAccessLoggingKeyPrefix
Schema
{
"type": "string",
"pattern": "^.{1,200}$",
"default": ""
}

AWS > EC2 > Classic Load Balancer > Active

Determine the action to take for an AWS EC2 classic load balancer, based on the AWS > EC2 > Classic Load Balancer > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer > Active > Age

The age after which the AWS EC2 classic load balancer is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer > Active > Budget

The impact of the budget state on the Active control. This policy allows you to force classic load balancers to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerActiveBudget
Valid Value
[
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer > Active > Last Modified

The number of days since the AWS EC2 classic load balancer was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer > Approved

Determine the action to take when an AWS EC2 classic load balancer is not approved based on AWS > EC2 > Classic Load Balancer > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer > Approved > Budget

The policy allows you to set classic load balancers to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerApprovedBudget
Valid Value
[
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
],
"example": [
"Unapproved if Budget > State is Shutdown"
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer > Approved > Custom

Determine whether the AWS EC2 classic load balancer is allowed to exist. This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer > Approved > Regions

A list of AWS regions in which AWS EC2 classic load balancers are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"

AWS > EC2 > Classic Load Balancer > Approved > Usage

Determine whether the AWS EC2 classic load balancer is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > EC2 > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > EC2 > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > EC2 > Enabled"
}

AWS > EC2 > Classic Load Balancer > CMDB

Configure whether to record and synchronize details for the AWS EC2 classic load balancer into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If a region is not in the AWS > EC2 > Classic Load Balancer > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > EC2 > Classic Load Balancer > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > EC2 > Classic Load Balancer > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > EC2 > Classic Load Balancer > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > EC2 > Classic Load Balancer > Regions

A list of AWS regions in which AWS EC2 classic load balancers are supported for use.

Any classic load balancers in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

AWS > EC2 > Classic Load Balancer > Tags

Determine the action to take when AWS EC2 classic load balancer tags are not updated based on the AWS > EC2 > Classic Load Balancer > Tags > * policies.

The control ensures that AWS EC2 classic load balancer tags include the tags defined in AWS > EC2 > Classic Load Balancer > Tags > Template.

Tags not defined in the Classic Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer > Tags > Template

The template is used to generate the keys and values for AWS EC2 classic load balancer.

Tags not defined in the Classic Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > EC2 > Classic Load Balancer > Usage

Configure the number of AWS EC2 classic load balancers that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > EC2 > Classic Load Balancer > Usage policy.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 20
}

AWS > EC2 > Classic Load Balancer Listener > Active

Determine the action to take for an AWS EC2 classic load balancer listener, based on the AWS > EC2 > Classic Load Balancer Listener > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer Listener > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer Listener > Active > Age

The age after which the AWS EC2 classic load balancer listener is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer Listener > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer Listener > Active > Last Modified

The number of days since the AWS EC2 classic load balancer listener was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer Listener > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer Listener > Approved

Determine the action to take when an AWS EC2 classic load balancer listener is not approved based on AWS > EC2 > Classic Load Balancer Listener > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer Listener > Approved > Custom

Determine whether the AWS EC2 classic load balancer listener is allowed to exist. This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer Listener > Approved > Instance Protocols

A list of instance protocols that the AWS EC2 classic load balancer listener is approved to use.

The expected format is an array of instance protocols. You may use the * and ? wildcard characters (and more).

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerApprovedInstanceProtocols
Schema
{
"type": "array",
"default": [
"*"
],
"items": {
"type": "string",
"pattern": "^(HTTP|HTTPS|TCP|SSL)$"
}
}

AWS > EC2 > Classic Load Balancer Listener > Approved > Ports

Determine whether the AWS EC2 Classic Load Balancer Listener is allowed to have a port assigned.

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Load Balancer Listener > Approved policy.

See Approved for more information.

Example

- 443
- 1001-65535
- 80
- 400-999

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerApprovedPorts
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"1-65535"
]
}

AWS > EC2 > Classic Load Balancer Listener > Approved > Protocols

Determine whether the AWS EC2 Classic Load Balancer Listener is allowed to have a protocol assigned.

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerApprovedProtocols
Schema
{
"type": "array",
"items": {
"type": "string",
"enum": [
"HTTP",
"HTTPS",
"TCP",
"SSL"
]
},
"default": [
"HTTP",
"HTTPS",
"TCP",
"SSL"
]
}

AWS > EC2 > Classic Load Balancer Listener > Approved > Regions

A list of AWS regions in which AWS EC2 classic load balancer listeners are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"

AWS > EC2 > Classic Load Balancer Listener > Approved > Usage

Determine whether the AWS EC2 classic load balancer listener is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > EC2 > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > EC2 > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > EC2 > Enabled"
}

AWS > EC2 > Classic Load Balancer Listener > CMDB

Configure whether to record and synchronize details for the AWS EC2 classic load balancer listener into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip, all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Classic Load Balancer Listener > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > EC2 > Classic Load Balancer Listener > Regions

A list of AWS regions in which AWS EC2 classic load balancer listeners are supported for use.

Any classic load balancer listeners in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

AWS > EC2 > Classic Load Balancer Listener > SSL Policy

Determine the action to take when an AWS EC2 classic load balancer listener is not using an allowed SSL policy.

If a classic load balancer listener is not using an allowed SSL policy and this policy is set to Enforce: Set to SSL Policy > Default, the classic load balancer listener will be updated to use the SSL policy selected in the AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed policy.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerSslPolicy
Category
Valid Value
[
"Skip",
"Check: Set in SSL Policy > Allowed",
"Enforce: Set to SSL Policy > Default"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Set in SSL Policy > Allowed",
"Enforce: Set to SSL Policy > Default"
],
"example": [
"Check: Set in SSL Policy > Allowed"
],
"default": "Skip"
}

AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed

A list of AWS SSL policies that the AWS EC2 classic load balancer listener is allowed to use.

For a complete list of SSL policies and which ciphers and protocols they support, please see [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html).

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerSslPolicyAllowed
Category
Schema
{
"type": "array",
"items": {
"type": "string",
"enum": [
"Custom",
"ELBSample-ELBDefaultNegotiationPolicy",
"ELBSample-OpenSSLDefaultNegotiationPolicy",
"ELBSecurityPolicy-2011-08",
"ELBSecurityPolicy-2014-01",
"ELBSecurityPolicy-2014-10",
"ELBSecurityPolicy-2015-02",
"ELBSecurityPolicy-2015-03",
"ELBSecurityPolicy-2015-05",
"ELBSecurityPolicy-2016-08",
"ELBSecurityPolicy-TLS-1-1-2017-01",
"ELBSecurityPolicy-TLS-1-2-2017-01"
]
},
"default": [
"Custom",
"ELBSample-ELBDefaultNegotiationPolicy",
"ELBSample-OpenSSLDefaultNegotiationPolicy",
"ELBSecurityPolicy-2011-08",
"ELBSecurityPolicy-2014-01",
"ELBSecurityPolicy-2014-10",
"ELBSecurityPolicy-2015-02",
"ELBSecurityPolicy-2015-03",
"ELBSecurityPolicy-2015-05",
"ELBSecurityPolicy-2016-08",
"ELBSecurityPolicy-TLS-1-1-2017-01",
"ELBSecurityPolicy-TLS-1-2-2017-01"
],
"example": [
"ELBSecurityPolicy-2016-08"
]
}

AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Default

Define the default AWS SSL policy the AWS EC2 classic load balancer listener should use if it's not currently using an allowed SSL policy.

The SSL policy selected in this policy should also be allowed in the AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed policy, else the control will move into an invalid state while trying to enforce this policy.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerSslPolicyDefault
Category
Valid Value
[
"ELBSample-ELBDefaultNegotiationPolicy",
"ELBSample-OpenSSLDefaultNegotiationPolicy",
"ELBSecurityPolicy-2011-08",
"ELBSecurityPolicy-2014-01",
"ELBSecurityPolicy-2014-10",
"ELBSecurityPolicy-2015-02",
"ELBSecurityPolicy-2015-03",
"ELBSecurityPolicy-2015-05",
"ELBSecurityPolicy-2016-08",
"ELBSecurityPolicy-TLS-1-1-2017-01",
"ELBSecurityPolicy-TLS-1-2-2017-01"
]
Schema
{
"type": "string",
"enum": [
"ELBSample-ELBDefaultNegotiationPolicy",
"ELBSample-OpenSSLDefaultNegotiationPolicy",
"ELBSecurityPolicy-2011-08",
"ELBSecurityPolicy-2014-01",
"ELBSecurityPolicy-2014-10",
"ELBSecurityPolicy-2015-02",
"ELBSecurityPolicy-2015-03",
"ELBSecurityPolicy-2015-05",
"ELBSecurityPolicy-2016-08",
"ELBSecurityPolicy-TLS-1-1-2017-01",
"ELBSecurityPolicy-TLS-1-2-2017-01"
],
"default": "ELBSecurityPolicy-2016-08",
"example": [
"ELBSecurityPolicy-2016-08"
]
}

AWS > EC2 > Classic Load Balancer Listener > Usage

Configure the number of AWS EC2 classic load balancer listeners that can be used for this classic load balancer and the current consumption against the limit.

You can configure the behavior of the control with this AWS > EC2 > Classic Load Balancer Listener > Usage policy.

URI
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}