Policy types for @turbot/aws-ec2
- AWS > EC2 > AMI > Active
- AWS > EC2 > AMI > Active > Age
- AWS > EC2 > AMI > Active > Budget
- AWS > EC2 > AMI > Active > Last Modified
- AWS > EC2 > AMI > Approved
- AWS > EC2 > AMI > Approved > Budget
- AWS > EC2 > AMI > Approved > Custom
- AWS > EC2 > AMI > Approved > Regions
- AWS > EC2 > AMI > Approved > Usage
- AWS > EC2 > AMI > CMDB
- AWS > EC2 > AMI > Configured
- AWS > EC2 > AMI > Configured > Claim Precedence
- AWS > EC2 > AMI > Configured > Source
- AWS > EC2 > AMI > Regions
- AWS > EC2 > AMI > Tags
- AWS > EC2 > AMI > Tags > Template
- AWS > EC2 > AMI > Trusted Access
- AWS > EC2 > AMI > Trusted Access > Accounts
- AWS > EC2 > AMI > Usage
- AWS > EC2 > AMI > Usage > Limit
- AWS > EC2 > API Enabled
- AWS > EC2 > Account Attributes > Block Public Access for AMIs
- AWS > EC2 > Account Attributes > Block Public Access for Snapshots
- AWS > EC2 > Account Attributes > CMDB
- AWS > EC2 > Account Attributes > EBS Encryption by Default
- AWS > EC2 > Account Attributes > EBS Encryption by Default > Customer Managed Key
- AWS > EC2 > Account Attributes > Instance Metadata Service Defaults
- AWS > EC2 > Account Attributes > Instance Metadata Service Defaults > HTTP Token Hop Limit
- AWS > EC2 > Account Attributes > Regions
- AWS > EC2 > Application Load Balancer > Access Logging
- AWS > EC2 > Application Load Balancer > Access Logging > Bucket
- AWS > EC2 > Application Load Balancer > Access Logging > Key Prefix
- AWS > EC2 > Application Load Balancer > Active
- AWS > EC2 > Application Load Balancer > Active > Age
- AWS > EC2 > Application Load Balancer > Active > Budget
- AWS > EC2 > Application Load Balancer > Active > Last Modified
- AWS > EC2 > Application Load Balancer > Approved
- AWS > EC2 > Application Load Balancer > Approved > Budget
- AWS > EC2 > Application Load Balancer > Approved > Custom
- AWS > EC2 > Application Load Balancer > Approved > Regions
- AWS > EC2 > Application Load Balancer > Approved > Usage
- AWS > EC2 > Application Load Balancer > CMDB
- AWS > EC2 > Application Load Balancer > Configured
- AWS > EC2 > Application Load Balancer > Configured > Claim Precedence
- AWS > EC2 > Application Load Balancer > Configured > Source
- AWS > EC2 > Application Load Balancer > Regions
- AWS > EC2 > Application Load Balancer > Tags
- AWS > EC2 > Application Load Balancer > Tags > Template
- AWS > EC2 > Application Load Balancer > Usage
- AWS > EC2 > Application Load Balancer > Usage > Limit
- AWS > EC2 > Approved Regions [Default]
- AWS > EC2 > Auto Scaling Group > Active
- AWS > EC2 > Auto Scaling Group > Active > Age
- AWS > EC2 > Auto Scaling Group > Active > Last Modified
- AWS > EC2 > Auto Scaling Group > Approved
- AWS > EC2 > Auto Scaling Group > Approved > Custom
- AWS > EC2 > Auto Scaling Group > Approved > Regions
- AWS > EC2 > Auto Scaling Group > Approved > Usage
- AWS > EC2 > Auto Scaling Group > CMDB
- AWS > EC2 > Auto Scaling Group > Regions
- AWS > EC2 > Auto Scaling Group > Tags
- AWS > EC2 > Auto Scaling Group > Tags > Template
- AWS > EC2 > Auto Scaling Group > Usage
- AWS > EC2 > Auto Scaling Group > Usage > Limit
- AWS > EC2 > Classic Load Balancer > Access Logging
- AWS > EC2 > Classic Load Balancer > Access Logging > Bucket
- AWS > EC2 > Classic Load Balancer > Access Logging > Key Prefix
- AWS > EC2 > Classic Load Balancer > Active
- AWS > EC2 > Classic Load Balancer > Active > Age
- AWS > EC2 > Classic Load Balancer > Active > Budget
- AWS > EC2 > Classic Load Balancer > Active > Last Modified
- AWS > EC2 > Classic Load Balancer > Approved
- AWS > EC2 > Classic Load Balancer > Approved > Budget
- AWS > EC2 > Classic Load Balancer > Approved > Custom
- AWS > EC2 > Classic Load Balancer > Approved > Regions
- AWS > EC2 > Classic Load Balancer > Approved > Usage
- AWS > EC2 > Classic Load Balancer > CMDB
- AWS > EC2 > Classic Load Balancer > Configured
- AWS > EC2 > Classic Load Balancer > Configured > Claim Precedence
- AWS > EC2 > Classic Load Balancer > Configured > Source
- AWS > EC2 > Classic Load Balancer > Regions
- AWS > EC2 > Classic Load Balancer > Tags
- AWS > EC2 > Classic Load Balancer > Tags > Template
- AWS > EC2 > Classic Load Balancer > Usage
- AWS > EC2 > Classic Load Balancer > Usage > Limit
- AWS > EC2 > Classic Load Balancer Listener > Active
- AWS > EC2 > Classic Load Balancer Listener > Active > Age
- AWS > EC2 > Classic Load Balancer Listener > Active > Last Modified
- AWS > EC2 > Classic Load Balancer Listener > Approved
- AWS > EC2 > Classic Load Balancer Listener > Approved > Custom
- AWS > EC2 > Classic Load Balancer Listener > Approved > Instance Protocols
- AWS > EC2 > Classic Load Balancer Listener > Approved > Ports
- AWS > EC2 > Classic Load Balancer Listener > Approved > Protocols
- AWS > EC2 > Classic Load Balancer Listener > Approved > Regions
- AWS > EC2 > Classic Load Balancer Listener > Approved > Usage
- AWS > EC2 > Classic Load Balancer Listener > CMDB
- AWS > EC2 > Classic Load Balancer Listener > Regions
- AWS > EC2 > Classic Load Balancer Listener > SSL Policy
- AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed
- AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Default
- AWS > EC2 > Classic Load Balancer Listener > Usage
- AWS > EC2 > Classic Load Balancer Listener > Usage > Limit
- AWS > EC2 > Enabled
- AWS > EC2 > Gateway Load Balancer > Active
- AWS > EC2 > Gateway Load Balancer > Active > Age
- AWS > EC2 > Gateway Load Balancer > Active > Budget
- AWS > EC2 > Gateway Load Balancer > Active > Last Modified
- AWS > EC2 > Gateway Load Balancer > Approved
- AWS > EC2 > Gateway Load Balancer > Approved > Budget
- AWS > EC2 > Gateway Load Balancer > Approved > Custom
- AWS > EC2 > Gateway Load Balancer > Approved > Regions
- AWS > EC2 > Gateway Load Balancer > Approved > Usage
- AWS > EC2 > Gateway Load Balancer > CMDB
- AWS > EC2 > Gateway Load Balancer > Regions
- AWS > EC2 > Gateway Load Balancer > Tags
- AWS > EC2 > Gateway Load Balancer > Tags > Template
- AWS > EC2 > Gateway Load Balancer > Usage
- AWS > EC2 > Gateway Load Balancer > Usage > Limit
- AWS > EC2 > Instance > Active
- AWS > EC2 > Instance > Active > Age
- AWS > EC2 > Instance > Active > Budget
- AWS > EC2 > Instance > Active > Last Modified
- AWS > EC2 > Instance > Approved
- AWS > EC2 > Instance > Approved > Budget
- AWS > EC2 > Instance > Approved > Custom
- AWS > EC2 > Instance > Approved > Image
- AWS > EC2 > Instance > Approved > Image > AMI IDs
- AWS > EC2 > Instance > Approved > Image > Publishers
- AWS > EC2 > Instance > Approved > Instance Types
- AWS > EC2 > Instance > Approved > Public IP
- AWS > EC2 > Instance > Approved > Regions
- AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest
- AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest > Customer Managed Key
- AWS > EC2 > Instance > Approved > Usage
- AWS > EC2 > Instance > CMDB
- AWS > EC2 > Instance > CMDB > Attributes
- AWS > EC2 > Instance > Configured
- AWS > EC2 > Instance > Configured > Claim Precedence
- AWS > EC2 > Instance > Configured > Source
- AWS > EC2 > Instance > Default Platform
- AWS > EC2 > Instance > Detailed Monitoring
- AWS > EC2 > Instance > Instance Profile
- AWS > EC2 > Instance > Instance Profile > Name
- AWS > EC2 > Instance > Metadata Service
- AWS > EC2 > Instance > Metadata Service > HTTP Token Hop Limit
- AWS > EC2 > Instance > Regions
- AWS > EC2 > Instance > Schedule
- AWS > EC2 > Instance > Schedule Tag
- AWS > EC2 > Instance > Schedule Tag > Name
- AWS > EC2 > Instance > Tags
- AWS > EC2 > Instance > Tags > Inventory Collection
- AWS > EC2 > Instance > Tags > Template
- AWS > EC2 > Instance > Termination Protection
- AWS > EC2 > Instance > Usage
- AWS > EC2 > Instance > Usage > Limit
- AWS > EC2 > Key Pair > Active
- AWS > EC2 > Key Pair > Active > Age
- AWS > EC2 > Key Pair > Active > Budget
- AWS > EC2 > Key Pair > Active > Last Modified
- AWS > EC2 > Key Pair > Approved
- AWS > EC2 > Key Pair > Approved > Budget
- AWS > EC2 > Key Pair > Approved > Custom
- AWS > EC2 > Key Pair > Approved > Regions
- AWS > EC2 > Key Pair > Approved > Usage
- AWS > EC2 > Key Pair > CMDB
- AWS > EC2 > Key Pair > Regions
- AWS > EC2 > Key Pair > Tags
- AWS > EC2 > Key Pair > Tags > Template
- AWS > EC2 > Key Pair > Usage
- AWS > EC2 > Key Pair > Usage > Limit
- AWS > EC2 > Launch Configuration > Active
- AWS > EC2 > Launch Configuration > Active > Age
- AWS > EC2 > Launch Configuration > Active > Last Modified
- AWS > EC2 > Launch Configuration > Approved
- AWS > EC2 > Launch Configuration > Approved > Custom
- AWS > EC2 > Launch Configuration > Approved > Regions
- AWS > EC2 > Launch Configuration > Approved > Usage
- AWS > EC2 > Launch Configuration > CMDB
- AWS > EC2 > Launch Configuration > Regions
- AWS > EC2 > Launch Configuration > Usage
- AWS > EC2 > Launch Configuration > Usage > Limit
- AWS > EC2 > Launch Template > Active
- AWS > EC2 > Launch Template > Active > Age
- AWS > EC2 > Launch Template > Active > Last Modified
- AWS > EC2 > Launch Template > Approved
- AWS > EC2 > Launch Template > Approved > Custom
- AWS > EC2 > Launch Template > Approved > Regions
- AWS > EC2 > Launch Template > Approved > Usage
- AWS > EC2 > Launch Template > CMDB
- AWS > EC2 > Launch Template > Regions
- AWS > EC2 > Launch Template > Tags
- AWS > EC2 > Launch Template > Tags > Template
- AWS > EC2 > Launch Template > Usage
- AWS > EC2 > Launch Template > Usage > Limit
- AWS > EC2 > Launch Template Version > Active
- AWS > EC2 > Launch Template Version > Active > Age
- AWS > EC2 > Launch Template Version > Active > Last Modified
- AWS > EC2 > Launch Template Version > Approved
- AWS > EC2 > Launch Template Version > Approved > Custom
- AWS > EC2 > Launch Template Version > Approved > Regions
- AWS > EC2 > Launch Template Version > Approved > Usage
- AWS > EC2 > Launch Template Version > CMDB
- AWS > EC2 > Launch Template Version > Regions
- AWS > EC2 > Launch Template Version > Usage
- AWS > EC2 > Launch Template Version > Usage > Limit
- AWS > EC2 > Listener Rule > Active
- AWS > EC2 > Listener Rule > Active > Age
- AWS > EC2 > Listener Rule > Active > Budget
- AWS > EC2 > Listener Rule > Active > Last Modified
- AWS > EC2 > Listener Rule > Approved
- AWS > EC2 > Listener Rule > Approved > Budget
- AWS > EC2 > Listener Rule > Approved > Custom
- AWS > EC2 > Listener Rule > Approved > Regions
- AWS > EC2 > Listener Rule > Approved > Usage
- AWS > EC2 > Listener Rule > CMDB
- AWS > EC2 > Listener Rule > Configured
- AWS > EC2 > Listener Rule > Configured > Claim Precedence
- AWS > EC2 > Listener Rule > Configured > Source
- AWS > EC2 > Listener Rule > Regions
- AWS > EC2 > Listener Rule > Usage
- AWS > EC2 > Listener Rule > Usage > Limit
- AWS > EC2 > Load Balancer Listener > Active
- AWS > EC2 > Load Balancer Listener > Active > Age
- AWS > EC2 > Load Balancer Listener > Active > Last Modified
- AWS > EC2 > Load Balancer Listener > Approved
- AWS > EC2 > Load Balancer Listener > Approved > Custom
- AWS > EC2 > Load Balancer Listener > Approved > Ports
- AWS > EC2 > Load Balancer Listener > Approved > Protocols
- AWS > EC2 > Load Balancer Listener > Approved > Regions
- AWS > EC2 > Load Balancer Listener > Approved > Usage
- AWS > EC2 > Load Balancer Listener > CMDB
- AWS > EC2 > Load Balancer Listener > Configured
- AWS > EC2 > Load Balancer Listener > Configured > Claim Precedence
- AWS > EC2 > Load Balancer Listener > Configured > Source
- AWS > EC2 > Load Balancer Listener > Regions
- AWS > EC2 > Load Balancer Listener > SSL Policy
- AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed
- AWS > EC2 > Load Balancer Listener > SSL Policy > Default
- AWS > EC2 > Load Balancer Listener > Usage
- AWS > EC2 > Load Balancer Listener > Usage > Limit
- AWS > EC2 > Network Interface > Active
- AWS > EC2 > Network Interface > Active > Age
- AWS > EC2 > Network Interface > Active > Attached
- AWS > EC2 > Network Interface > Active > Last Modified
- AWS > EC2 > Network Interface > Approved
- AWS > EC2 > Network Interface > Approved > Custom
- AWS > EC2 > Network Interface > Approved > Regions
- AWS > EC2 > Network Interface > Approved > Usage
- AWS > EC2 > Network Interface > CMDB
- AWS > EC2 > Network Interface > Configured
- AWS > EC2 > Network Interface > Configured > Claim Precedence
- AWS > EC2 > Network Interface > Configured > Source
- AWS > EC2 > Network Interface > Regions
- AWS > EC2 > Network Interface > Tags
- AWS > EC2 > Network Interface > Tags > Template
- AWS > EC2 > Network Interface > Usage
- AWS > EC2 > Network Interface > Usage > Limit
- AWS > EC2 > Network Load Balancer > Access Logging
- AWS > EC2 > Network Load Balancer > Access Logging > Bucket
- AWS > EC2 > Network Load Balancer > Access Logging > Key Prefix
- AWS > EC2 > Network Load Balancer > Active
- AWS > EC2 > Network Load Balancer > Active > Age
- AWS > EC2 > Network Load Balancer > Active > Budget
- AWS > EC2 > Network Load Balancer > Active > Last Modified
- AWS > EC2 > Network Load Balancer > Approved
- AWS > EC2 > Network Load Balancer > Approved > Budget
- AWS > EC2 > Network Load Balancer > Approved > Custom
- AWS > EC2 > Network Load Balancer > Approved > Regions
- AWS > EC2 > Network Load Balancer > Approved > Usage
- AWS > EC2 > Network Load Balancer > CMDB
- AWS > EC2 > Network Load Balancer > Configured
- AWS > EC2 > Network Load Balancer > Configured > Claim Precedence
- AWS > EC2 > Network Load Balancer > Configured > Source
- AWS > EC2 > Network Load Balancer > Regions
- AWS > EC2 > Network Load Balancer > Tags
- AWS > EC2 > Network Load Balancer > Tags > Template
- AWS > EC2 > Network Load Balancer > Usage
- AWS > EC2 > Network Load Balancer > Usage > Limit
- AWS > EC2 > Permissions
- AWS > EC2 > Permissions > Levels
- AWS > EC2 > Permissions > Levels > Ami Publishing Administration
- AWS > EC2 > Permissions > Levels > Auto Scaling Administration
- AWS > EC2 > Permissions > Levels > Local Amis Administration
- AWS > EC2 > Permissions > Levels > Marketplace Subscription Administration
- AWS > EC2 > Permissions > Levels > Modifiers
- AWS > EC2 > Permissions > Lockdown
- AWS > EC2 > Permissions > Lockdown > API Boundary
- AWS > EC2 > Permissions > Lockdown > Instance
- AWS > EC2 > Permissions > Lockdown > Instance > Image
- AWS > EC2 > Permissions > Lockdown > Instance > Image > AMI IDs
- AWS > EC2 > Permissions > Lockdown > Instance > Image > Publishers
- AWS > EC2 > Permissions > Lockdown > Instance Types
- AWS > EC2 > Permissions > Lockdown > Volume Types
- AWS > EC2 > Regions
- AWS > EC2 > Snapshot > Active
- AWS > EC2 > Snapshot > Active > Age
- AWS > EC2 > Snapshot > Active > Budget
- AWS > EC2 > Snapshot > Active > Last Modified
- AWS > EC2 > Snapshot > Approved
- AWS > EC2 > Snapshot > Approved > Budget
- AWS > EC2 > Snapshot > Approved > Custom
- AWS > EC2 > Snapshot > Approved > Encryption at Rest
- AWS > EC2 > Snapshot > Approved > Encryption at Rest > Customer Managed Key
- AWS > EC2 > Snapshot > Approved > Regions
- AWS > EC2 > Snapshot > Approved > Usage
- AWS > EC2 > Snapshot > CMDB
- AWS > EC2 > Snapshot > Configured
- AWS > EC2 > Snapshot > Configured > Claim Precedence
- AWS > EC2 > Snapshot > Configured > Source
- AWS > EC2 > Snapshot > Regions
- AWS > EC2 > Snapshot > Tags
- AWS > EC2 > Snapshot > Tags > Template
- AWS > EC2 > Snapshot > Trusted Access
- AWS > EC2 > Snapshot > Trusted Access > Accounts
- AWS > EC2 > Snapshot > Usage
- AWS > EC2 > Snapshot > Usage > Limit
- AWS > EC2 > Tags Template [Default]
- AWS > EC2 > Target Group > Active
- AWS > EC2 > Target Group > Active > Age
- AWS > EC2 > Target Group > Active > Last Modified
- AWS > EC2 > Target Group > Approved
- AWS > EC2 > Target Group > Approved > Custom
- AWS > EC2 > Target Group > Approved > Regions
- AWS > EC2 > Target Group > Approved > Usage
- AWS > EC2 > Target Group > CMDB
- AWS > EC2 > Target Group > Configured
- AWS > EC2 > Target Group > Configured > Claim Precedence
- AWS > EC2 > Target Group > Configured > Source
- AWS > EC2 > Target Group > Regions
- AWS > EC2 > Target Group > Tags
- AWS > EC2 > Target Group > Tags > Template
- AWS > EC2 > Target Group > Usage
- AWS > EC2 > Target Group > Usage > Limit
- AWS > EC2 > Trusted Accounts [Default]
- AWS > EC2 > Volume > Active
- AWS > EC2 > Volume > Active > Age
- AWS > EC2 > Volume > Active > Attached
- AWS > EC2 > Volume > Active > Budget
- AWS > EC2 > Volume > Active > Last Modified
- AWS > EC2 > Volume > Approved
- AWS > EC2 > Volume > Approved > Budget
- AWS > EC2 > Volume > Approved > Custom
- AWS > EC2 > Volume > Approved > Encryption at Rest
- AWS > EC2 > Volume > Approved > Encryption at Rest > Customer Managed Key
- AWS > EC2 > Volume > Approved > Regions
- AWS > EC2 > Volume > Approved > Usage
- AWS > EC2 > Volume > Approved > Volume Types
- AWS > EC2 > Volume > CMDB
- AWS > EC2 > Volume > CMDB > Attributes
- AWS > EC2 > Volume > Configured
- AWS > EC2 > Volume > Configured > Claim Precedence
- AWS > EC2 > Volume > Configured > Source
- AWS > EC2 > Volume > Performance Configuration
- AWS > EC2 > Volume > Performance Configuration > IOPS Capacity
- AWS > EC2 > Volume > Performance Configuration > Throughput
- AWS > EC2 > Volume > Performance Configuration > Type
- AWS > EC2 > Volume > Regions
- AWS > EC2 > Volume > Tags
- AWS > EC2 > Volume > Tags > Template
- AWS > EC2 > Volume > Usage
- AWS > EC2 > Volume > Usage > Limit
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-ec2
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-ec2
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-ec2
- AWS > Turbot > Permissions > Compiled > Lockdown Statements > @turbot/aws-ec2
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-ec2
AWS > EC2 > AMI > Active
Determine the action to take when an AWS EC2 AMI is not active, based on the AWS > EC2 > AMI > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > AMI > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/amiActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > AMI > Active > Age
The age after which the AWS EC2 AMI is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > AMI > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/amiActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
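The aggregation rule described above (any Active sub-policy reporting active makes the AMI Active, while for Approved a single Unapproved verdict wins) and the Age policy's fallback from create time to discovery time, as an added Python example. This is not Turbot's code: the sub-policy statuses and the AMIs are constructed inputs, and treating an AMI younger than the threshold as "skipped" rather than "active" under a "Force inactive if age > N days" value is my reading, not something the page states.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Enum shape from the page: "Skip" or "Force inactive if age > N day(s)".
_AGE_RE = re.compile(r"^Force inactive if age > (\d+) days?$")


def age_status(policy: str, now: datetime, create_time: Optional[datetime],
               discovered_time: datetime) -> str:
    """Evaluate AWS > EC2 > AMI > Active > Age for one AMI.

    Returns "inactive" past the threshold, otherwise "skipped" (the 'skipped'
    reading for younger AMIs is an assumption; the page does not spell it out).
    """
    if policy == "Skip":
        return "skipped"
    match = _AGE_RE.match(policy)
    if not match:
        raise ValueError(f"unknown Age policy value: {policy!r}")
    threshold = timedelta(days=int(match.group(1)))
    # Page: if a create time is unavailable, the time Guardrails discovered the resource is used.
    baseline = create_time if create_time is not None else discovered_time
    return "inactive" if now - baseline > threshold else "skipped"


def combine_active(statuses: Iterable[str]) -> str:
    """Active control: any 'active' makes the AMI Active; otherwise any 'inactive'
    makes it Inactive; when no sub-policy has an opinion the result is skipped."""
    seen = set(statuses)
    unknown = seen - {"active", "inactive", "skipped"}
    if unknown:
        raise ValueError(f"invalid Active sub-policy status: {sorted(unknown)}")
    if "active" in seen:
        return "active"
    if "inactive" in seen:
        return "inactive"
    return "skipped"


def combine_approved(statuses: Iterable[str]) -> str:
    """Approved control: a single 'Not approved' verdict makes the AMI Unapproved."""
    seen = set(statuses)
    unknown = seen - {"Approved", "Not approved", "Skip"}
    if unknown:
        raise ValueError(f"invalid Approved sub-policy status: {sorted(unknown)}")
    if "Not approved" in seen:
        return "Not approved"
    if "Approved" in seen:
        return "Approved"
    return "Skip"


def evaluate_sample() -> dict:
    """Constructed AMIs (not real resources) run through the Age policy and aggregation."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    policy = "Force inactive if age > 90 days"
    amis = {
        # (create_time, discovered_time): create time known and 120 days old -> inactive
        "ami-old": (now - timedelta(days=120), now - timedelta(days=5)),
        # create time unknown, discovered 10 days ago -> discovery time is used -> skipped
        "ami-unknown-create": (None, now - timedelta(days=10)),
    }
    results = {}
    for ami_id, (created, discovered) in amis.items():
        age = age_status(policy, now, created, discovered)
        # Assume a Last Modified sub-policy reported "skipped" for both AMIs.
        results[ami_id] = combine_active([age, "skipped"])
    return results


if __name__ == "__main__":
    print(evaluate_sample())
```

The asymmetry matters when tuning cleanup: under Active, one sub-policy that still sees use keeps the AMI, so a stale Age verdict never deletes an image that Last Modified considers live; under Approved, one failing sub-policy is enough to trigger the enforcement action.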
AWS > EC2 > AMI > Active > Budget
The impact of the budget state on the Active control. This policy allows you to force AMIs to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > AMI > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/amiActiveBudget
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > AMI > Active > Last Modified
The number of days since the AWS EC2 AMI was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > AMI > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/amiActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > AMI > Approved
Determine the action to take when an AWS EC2 AMI is not approved, based on the AWS > EC2 > AMI > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/amiApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > AMI > Approved > Budget
The policy allows you to set AMIs to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.
This policy will be evaluated by the Approved control. If an AWS EC2 AMI is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > AMI > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/amiApprovedBudget
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > EC2 > AMI > Approved > Custom
Determine whether the AWS EC2 ami is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 AMI is not approved, it will be subject to the action specified in the AWS > EC2 > AMI > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/amiApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
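A validator for the Custom policy value format described in the note above, mirroring the schema's constraints (a bare result string, one object, or an array of objects; result required; title at most 32 characters, message at most 128; no other keys), as an added Python example. This is not Turbot's code and does not parse YAML: it takes the Python structure a YAML parser would hand back. Resolving several objects to one overall verdict by letting any "Not approved" entry win is an assumption of this example.

```python
from typing import Any, List

RESULTS = ("Approved", "Not approved", "Skip")
# Length limits from the page's schema patterns: title ^[\W\w]{1,32}$, message ^[\W\w]{1,128}$
_LIMITS = {"title": 32, "message": 128}


def _check_object(obj: dict, path: str, errors: List[str]) -> None:
    """Validate one {result, title?, message?} object, appending problems to errors."""
    extra = set(obj) - {"result", "title", "message"}
    if extra:  # the schema sets additionalProperties: false
        errors.append(f"{path}: unexpected keys {sorted(extra)}")
    if obj.get("result") not in RESULTS:  # 'result' is required
        errors.append(f"{path}: 'result' must be one of {RESULTS}")
    for key, limit in _LIMITS.items():
        if key in obj:
            val = obj[key]
            if not isinstance(val, str) or not 1 <= len(val) <= limit:
                errors.append(f"{path}: '{key}' must be a string of 1 to {limit} characters")


def validate_custom(value: Any) -> List[str]:
    """Return validation errors for a Custom policy value; an empty list means it is acceptable."""
    errors: List[str] = []
    if isinstance(value, str):
        if value not in RESULTS:
            errors.append(f"$: string value must be one of {RESULTS}")
    elif isinstance(value, dict):
        _check_object(value, "$", errors)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            if isinstance(item, dict):
                _check_object(item, f"$[{i}]", errors)
            else:
                errors.append(f"$[{i}]: array items must be objects")
    else:
        errors.append("$: value must be a string, an object, or an array of objects")
    return errors


def custom_result(value: Any) -> str:
    """Overall verdict of a valid Custom value: 'Not approved' if any entry says so,
    else 'Approved' if any entry says so, else 'Skip' (combination rule is an assumption)."""
    errors = validate_custom(value)
    if errors:
        raise ValueError("; ".join(errors))
    entries = value if isinstance(value, list) else [value]
    results = [e if isinstance(e, str) else e["result"] for e in entries]
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"


if __name__ == "__main__":
    # Constructed policy value, e.g. produced by a calculated policy that inspects the AMI.
    sample = [
        {"result": "Approved", "message": "Image built by the platform pipeline"},
        {"title": "Unencrypted root", "result": "Not approved", "message": "Root volume is not encrypted"},
    ]
    print(validate_custom(sample), custom_result(sample))
```

Running the validator in CI before a policy setting is applied catches the two mistakes that silently turn a guardrail into a no-op: a misspelled result value ("approved") and a stray key that the schema rejects.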
AWS > EC2 > AMI > Approved > Regions
A list of AWS regions in which AWS EC2 AMIs are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 AMI is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > AMI > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/amiApprovedRegions
{
  regions: policy(uri: "tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault")
}
{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'
{% endfor %}
AWS > EC2 > AMI > Approved > Usage
Determine whether the AWS EC2 ami is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 AMI is not approved, it will be subject to the action specified in the AWS > EC2 > AMI > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/amiApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > AMI > CMDB
Configure whether to record and synchronize details for the AWS EC2 ami into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > AMI > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/amiCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > AMI > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
tmod:@turbot/aws-ec2#/policy/types/amiConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > EC2 > AMI > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-ec2#/policy/types/amiConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > EC2 > AMI > Configured > Source
An HCL- or JSON-format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-ec2#/policy/types/amiConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > EC2 > AMI > Regions
A list of AWS regions in which AWS EC2 AMIs are supported for use.
Any AMIs in a region not listed here will not be recorded in the CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/amiRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > AMI > Tags
Determine the action to take when an AWS EC2 AMI's tags are not updated based on the AWS > EC2 > AMI > Tags > * policies.
The control ensures AWS EC2 AMI tags include the tags defined in AWS > EC2 > AMI > Tags > Template.
Tags not defined in the AMI Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/amiTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > AMI > Tags > Template
The template is used to generate the tag keys and values for the AWS EC2 AMI.
Tags not defined in the AMI Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/amiTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > AMI > Trusted Access
Manage trusted access for AWS EC2 AMIs.
AWS allows EC2 AMIs to be shared with specific AWS accounts.
This policy allows you to configure whether such sharing is allowed, and to which accounts.
If set to Enforce, access to non-trusted accounts will be removed.
tmod:@turbot/aws-ec2#/policy/types/amiTrustedAccess
[ "Skip", "Check: Trusted Access > Accounts", "Enforce: Trusted Access > Accounts"]
{ "type": "string", "enum": [ "Skip", "Check: Trusted Access > Accounts", "Enforce: Trusted Access > Accounts" ], "example": [ "Check: Trusted Access > Accounts" ], "default": "Skip"}
AWS > EC2 > AMI > Trusted Access > Accounts
A list of AWS account IDs that are allowed to have access.
tmod:@turbot/aws-ec2#/policy/types/amiTrustedAccessAccounts
"{\n accounts: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2TrustedAccounts\")\n}\n"
"{% if $.accounts | length == 0 %}[]{% endif %}{% for item in $.accounts %}- '{{ item }}'\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "pattern": "(?:^[0-9]{12}$|^\\*$|^all$)" }}
AWS > EC2 > AMI > Usage
Configure the maximum number of AWS EC2 AMIs that can be used in this region, and check the current consumption against that limit.
You can configure the behavior of the control with this AWS > EC2 > AMI > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/amiUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > AMI > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/amiUsageLimit
{ "type": "integer", "minimum": 0, "default": 1000}
AWS > EC2 > API Enabled
Configure whether the AWS EC2 API is enabled.
Note: Disabling the service disables the API for ALL users and roles, and Guardrails will have no access to the API.
tmod:@turbot/aws-ec2#/policy/types/ec2ApiEnabled
[ "Enabled", "Disabled", "Enabled if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if AWS > EC2 > Enabled" ], "default": "Enabled"}
AWS > EC2 > Account Attributes > Block Public Access for AMIs
Configure Block Public Access settings for Amazon Machine Images (AMIs) on AWS > EC2 > Account Attributes.
Block Public Access (BPA) is an account-wide setting that allows customers to block public sharing of Amazon Machine Images (AMIs) in a particular region.
This control detects and determines whether the region has the Block Public Access (BPA) setting for AMIs enabled or disabled.
tmod:@turbot/aws-ec2#/policy/types/ec2AccountAttributesBlockPublicAccessForAmi
[ "Skip", "Check: Block Public Access for AMIs Enabled", "Check: Block Public Access for AMIs Disabled", "Enforce: Enable Block Public Access for AMIs", "Enforce: Disable Block Public Access for AMIs"]
{ "type": "string", "enum": [ "Skip", "Check: Block Public Access for AMIs Enabled", "Check: Block Public Access for AMIs Disabled", "Enforce: Enable Block Public Access for AMIs", "Enforce: Disable Block Public Access for AMIs" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Account Attributes > Block Public Access for Snapshots
Configure Block Public Access settings for Snapshots on AWS > EC2 > Account Attributes.
Block Public Access (BPA) is an account-wide setting that allows customers to block public sharing of Snapshots in a particular region.
This control detects and determines whether the region has the Block Public Access (BPA) setting for Snapshots enabled or disabled.
tmod:@turbot/aws-ec2#/policy/types/ec2AccountAttributesBlockPublicAccessForSnapshot
[ "Skip", "Check: Block Public Access for all Snapshots Enabled", "Check: Block Public Access for new Snapshots Enabled", "Check: Block Public Access for Snapshots Disabled", "Enforce: Enable Block Public Access for all Snapshots", "Enforce: Enable Block Public Access for new Snapshots", "Enforce: Disable Block Public Access for Snapshots"]
{ "type": "string", "enum": [ "Skip", "Check: Block Public Access for all Snapshots Enabled", "Check: Block Public Access for new Snapshots Enabled", "Check: Block Public Access for Snapshots Disabled", "Enforce: Enable Block Public Access for all Snapshots", "Enforce: Enable Block Public Access for new Snapshots", "Enforce: Disable Block Public Access for Snapshots" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Account Attributes > CMDB
Configure whether to record and synchronize details for the AWS EC2 account attributes into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Account Attributes > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/ec2AccountAttributesCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Account Attributes > EBS Encryption by Default
Define the EBS Encryption by Default settings required for AWS > EC2 > Account Attributes.
Encryption at Rest refers specifically to the encryption of data when written to an underlying storage system. This control determines whether the resource is encrypted at rest, and sets encryption to your desired level.
The EBS Encryption by Default control compares the encryption settings against the encryption policies for the resource (AWS > EC2 > Account Attributes > EBS Encryption by Default > *), raises an alarm, and takes the defined enforcement action.
tmod:@turbot/aws-ec2#/policy/types/ec2AccountAttributesEbsEncryptionByDefault
[ "Skip", "Check: None", "Check: None or higher", "Check: AWS managed key", "Check: AWS managed key or higher", "Check: Customer managed key", "Check: Encryption at Rest > Customer Managed Key", "Enforce: None", "Enforce: AWS managed key", "Enforce: AWS managed key or higher", "Enforce: Customer managed key", "Enforce: Encryption at Rest > Customer Managed Key"]
{ "type": "string", "enum": [ "Skip", "Check: None", "Check: None or higher", "Check: AWS managed key", "Check: AWS managed key or higher", "Check: Customer managed key", "Check: Encryption at Rest > Customer Managed Key", "Enforce: None", "Enforce: AWS managed key", "Enforce: AWS managed key or higher", "Enforce: Customer managed key", "Enforce: Encryption at Rest > Customer Managed Key" ], "example": [ "Check: None or higher" ], "default": "Skip"}
AWS > EC2 > Account Attributes > EBS Encryption by Default > Customer Managed Key
Define the KMS key ID for EBS encryption by default.
Encryption at Rest refers specifically to the encryption of data when written to an underlying storage system. This control determines whether the resource is encrypted at rest, and sets encryption to your desired level.
The EBS Encryption by Default control compares the encryption settings against the encryption policies for the resource (AWS > EC2 > Account Attributes > EBS Encryption by Default > *), raises an alarm, and takes the defined enforcement action.
Please make sure the key defined in the template has the required permissions. Examples:
- alias/aws/ebs
- ddc06e04-ce5f-4995-c758-c2b6c510e8fd
- arn:aws:kms:us-east-1:123456789012:key/ddc06e04-ce5f-4995-c758-c2b6c510e8fd
- arn:aws:kms:us-east-1:123456789012:alias/aws/ebs
tmod:@turbot/aws-ec2#/policy/types/ec2AccountAttributesEbsEncryptionByDefaultCustomerManagedKey
"{\n defaultKey: policy(uri: \"aws-kms#/policy/types/keyDefaultCustomerManagedKey\")\n}\n"
"{{ $.defaultKey }}"
{ "anyOf": [ { "type": "string", "pattern": "^alias/[a-zA-Z0-9:/_-]{1,249}$" }, { "type": "string", "pattern": "^[-a-z0-9-]{1,255}$" }, { "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:key/[-a-z0-9-]{1,255}$" }, { "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:alias/[a-zA-Z0-9:/_-]{1,249}$" } ], "tests": [ { "description": "valid - if keyArn", "input": "arn:aws:kms:us-east-1:039305405804:key/ddc06e04-ce5f-4995-b758-c2b6c510e8fd" }, { "description": "valid - if aliasName", "input": "alias/aws/ebs" }, { "description": "valid - if keyId", "input": "ddc06e04-ce5f-4995-b758-c2b6c510e8fd" }, { "description": "valid - if aliasArn", "input": "arn:aws:kms:us-east-1:039305405804:alias/aws/ebs" } ]}
AWS > EC2 > Account Attributes > Instance Metadata Service Defaults
Instance metadata is data about your instance that you can use to configure or manage the running instance.
Instance metadata is divided into categories, for example, host name, events, and security groups.
Instance metadata can be accessed from a running instance using one of the following methods:
- Instance Metadata Service Version 1 (IMDSv1) – a request/response method
- Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method
By default, you can use either IMDSv1 or IMDSv2, or both. However, the instance metadata service can be specifically configured to use IMDSv2 on each instance. When you specify that IMDSv2 must be used, IMDSv1 no longer works.
tmod:@turbot/aws-ec2#/policy/types/ec2AccountAttributesInstanceMetadataServiceDefaults
[ "Skip", "Check: Disabled", "Check: Enabled for V1 and V2", "Check: Enabled for V2 only", "Enforce: Disabled", "Enforce: Enabled for V1 and V2", "Enforce: Enabled for V2 only"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled for V1 and V2", "Check: Enabled for V2 only", "Enforce: Disabled", "Enforce: Enabled for V1 and V2", "Enforce: Enabled for V2 only" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Account Attributes > Instance Metadata Service Defaults > HTTP Token Hop Limit
The number of network hops that the metadata token can travel.
The larger the number, the further instance metadata requests can travel.
Maximum is 64.
tmod:@turbot/aws-ec2#/policy/types/ec2AccountAttributesInstanceMetadataServiceDefaultsTokenHopLimit
{ "type": "number", "minimum": 1, "maximum": 64, "default": 1}
AWS > EC2 > Account Attributes > Regions
A list of AWS regions in which AWS EC2 account attributes are supported for use.
Any account attributes in a region not listed here will not be recorded in the CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/ec2AccountAttributesRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Application Load Balancer > Access Logging
Define the Access Logging settings required for AWS > EC2 > Application Load Balancer.
AWS > EC2 > Application Load Balancer provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerAccessLogging
[ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled to Access Logging > Bucket", "Enforce: Disabled", "Enforce: Enabled to Access Logging > Bucket"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled to Access Logging > Bucket", "Enforce: Disabled", "Enforce: Enabled to Access Logging > Bucket" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Access Logging > Bucket
The name of an S3 bucket to which the access logs will be delivered.
The S3 bucket must already exist and the S3 service must be allowed write access.
The bucket can reside in any account but must be in the same region as the Load Balancer.
Examples:
- testbucket
- turbotbucket
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerAccessLoggingBucket
"{\n turbotLoggingBucket: policy(uri: \"aws#/policy/types/loggingBucketDefault\")\n}\n"
"{% if $.turbotLoggingBucket %}"{{ $.turbotLoggingBucket }}"{% else %}""{% endif %}"
{ "type": "string", "pattern": "^[a-zA-Z0-9._-]{1,255}$"}
AWS > EC2 > Application Load Balancer > Access Logging > Key Prefix
An optional S3 key prefix under which the AWS > EC2 > Application Load Balancer access logs will be written.
The file names of the access logs use the following format: bucket[/prefix]/AWSLogs/aws-account-id/elasticloadbalancing/region/yyyy/mm/dd/aws-account-id_elasticloadbalancing_region_load-balancer-id_end-time_ip-address_random-string.log.gz
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerAccessLoggingKeyPrefix
{ "type": "string", "pattern": "^.{1,200}$", "default": ""}
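As an added example (not the module's own code), a parser for the access log key layout above, plus a check that a delivered object sits under the configured Key Prefix and belongs to the expected account. The field formats it assumes beyond the page (end-time as yyyymmddThhmmZ, an underscore-free load balancer id, an alphanumeric random string) and the sample keys are constructed:

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Object-key layout documented for ALB access logs. The bucket name is not part of the S3
# object key, so matching starts at the optional prefix:
#   [prefix/]AWSLogs/aws-account-id/elasticloadbalancing/region/yyyy/mm/dd/
#   aws-account-id_elasticloadbalancing_region_load-balancer-id_end-time_ip-address_random-string.log.gz
# Assumptions not stated on the page: end-time is yyyymmddThhmmZ, the load balancer id has no
# underscores, and the random string is alphanumeric.
_KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+?)/)?"
    r"AWSLogs/(?P<account_id>\d{12})/elasticloadbalancing/"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)/"
    r"(?P<yyyy>\d{4})/(?P<mm>\d{2})/(?P<dd>\d{2})/"
    r"(?P=account_id)_elasticloadbalancing_(?P=region)_"   # path and file name must agree
    r"(?P<lb_id>[^_]+)_"
    r"(?P<end_time>\d{8}T\d{4}Z)_"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_"
    r"(?P<random>[A-Za-z0-9]+)\.log\.gz$"
)

# Constructed sample keys (not real log objects). The third one carries a different account id
# in the file name than in the path, which the parser rejects.
SAMPLE_KEYS = [
    "alb-logs/AWSLogs/123456789012/elasticloadbalancing/us-east-1/2024/03/05/"
    "123456789012_elasticloadbalancing_us-east-1_app.web-prod.50dc6c495c0c9188_20240305T1205Z_10.0.1.23_5yxz2a3b.log.gz",
    "AWSLogs/123456789012/elasticloadbalancing/us-east-1/2024/03/05/"
    "123456789012_elasticloadbalancing_us-east-1_app.web-prod.50dc6c495c0c9188_20240305T1210Z_10.0.1.23_k9q2rt7m.log.gz",
    "alb-logs/AWSLogs/123456789012/elasticloadbalancing/us-east-1/2024/03/05/"
    "999999999999_elasticloadbalancing_us-east-1_app.web-prod.50dc6c495c0c9188_20240305T1215Z_10.0.1.23_aaaa1111.log.gz",
]


def parse_alb_log_key(key: str) -> Optional[dict]:
    """Split an ALB access log object key into its fields, or return None if it does not
    follow the documented layout (including a path/file-name account or region mismatch)."""
    m = _KEY_RE.match(key)
    if not m:
        return None
    f = m.groupdict()
    try:
        end_time = datetime.strptime(f["end_time"], "%Y%m%dT%H%MZ").replace(tzinfo=timezone.utc)
        log_date = datetime(int(f["yyyy"]), int(f["mm"]), int(f["dd"]), tzinfo=timezone.utc).date()
    except ValueError:  # e.g. month 13 in the path
        return None
    return {
        "prefix": f["prefix"],          # None when logs are written directly under AWSLogs/
        "account_id": f["account_id"],
        "region": f["region"],
        "date": log_date.isoformat(),
        "load_balancer_id": f["lb_id"],
        "end_time": end_time,
        "ip_address": f["ip"],
        "random_string": f["random"],
    }


def key_matches_policy(key: str, expected_account_id: str, configured_prefix: str = "") -> bool:
    """Check a delivered object against the Key Prefix policy value and the account that owns the
    load balancer. As with the policy, an empty configured_prefix means no prefix at all."""
    parsed = parse_alb_log_key(key)
    if parsed is None:
        return False
    return (parsed["prefix"] or "") == configured_prefix.strip("/") and parsed["account_id"] == expected_account_id


if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        parsed = parse_alb_log_key(key)
        print(key.split("/")[-1])
        print("  parsed:", parsed and {k: parsed[k] for k in ("prefix", "account_id", "region", "load_balancer_id")})
        print("  matches policy (prefix 'alb-logs'):", key_matches_policy(key, "123456789012", "alb-logs"))
```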
AWS > EC2 > Application Load Balancer > Active
Determine the action to take when an AWS EC2 application load balancer is not active, based on the AWS > EC2 > Application Load Balancer > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Application Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Active > Age
The age after which the AWS EC2 application load balancer is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Application Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Active > Budget
The impact of the budget state on the Active control. This policy allows you to force application load balancers to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Application Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerActiveBudget
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Active > Last Modified
The number of days since the AWS EC2 application load balancer was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Application Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Approved
Determine the action to take when an AWS EC2 application load balancer is not approved based on AWS > EC2 > Application Load Balancer > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Approved > Budget
This policy allows you to set application load balancers to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.
This policy will be evaluated by the Approved control. If an AWS EC2 application load balancer is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Application Load Balancer > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerApprovedBudget
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Approved > Custom
Determine whether the AWS EC2 application load balancer is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 application load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Application Load Balancer > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
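An added example, not Guardrails' own implementation, of validating a Custom policy value against the shapes described in the note above (a result string, one object, or a list of objects carrying result, title and message) and collapsing it to the single result the Approved control acts on. The sample value is constructed and written as JSON (a YAML subset) so no YAML library is needed, and the treatment of Skip entries is an assumption:

```python
import json
from typing import Any, List, Tuple

# Allowed values of `result`, and the length limits behind the schema's title/message patterns.
RESULTS = ("Approved", "Not approved", "Skip")
TITLE_MAX, MESSAGE_MAX = 32, 128

# Constructed sample policy value, written as JSON (a YAML subset) so json.loads can read it.
SAMPLE_POLICY_JSON = """
[
  {"title": "Owner tag present", "result": "Approved", "message": "Owner=payments"},
  {"title": "Listener not TLS", "result": "Not approved", "message": "Port 80 listener without redirect"},
  {"result": "Skip"}
]
"""


def _validate_object(obj: dict, where: str) -> List[str]:
    """Check one YAML object against the schema: only title/message/result keys, result required."""
    errors = []
    extra = set(obj) - {"title", "message", "result"}
    if extra:
        errors.append(f"{where}: unexpected keys {sorted(extra)}")
    if "result" not in obj:
        errors.append(f"{where}: missing required key 'result'")
    elif obj["result"] not in RESULTS:
        errors.append(f"{where}: result must be one of {RESULTS}")
    for key, limit in (("title", TITLE_MAX), ("message", MESSAGE_MAX)):
        if key in obj and not (isinstance(obj[key], str) and 1 <= len(obj[key]) <= limit):
            errors.append(f"{where}: {key} must be a string of 1-{limit} characters")
    return errors


def validate_custom_value(value: Any) -> List[str]:
    """Return the schema violations for a policy value (an empty list means it is valid).
    Accepts the three shapes the policy allows: a bare result string, one object, or a list of objects."""
    if isinstance(value, str):
        return [] if value in RESULTS else [f"unknown result string {value!r}"]
    if isinstance(value, dict):
        return _validate_object(value, "value")
    if isinstance(value, list):
        errors = []
        for i, item in enumerate(value):
            if isinstance(item, dict):
                errors.extend(_validate_object(item, f"value[{i}]"))
            else:
                errors.append(f"value[{i}]: array items must be objects")
        return errors
    return ["value must be a string, an object or an array of objects"]


def evaluate_custom_value(value: Any) -> Tuple[str, List[str]]:
    """Collapse a valid value into the one result the Approved control acts on, with the titles
    of the entries that produced it. Combination rule (the page states it for Approved overall:
    unapproved for any reason means unapproved; the handling of Skip entries is an assumption):
    any 'Not approved' entry wins, otherwise any 'Approved', and all-'Skip' yields 'Skip'."""
    problems = validate_custom_value(value)
    if problems:
        raise ValueError("; ".join(problems))
    if isinstance(value, str):
        entries = [{"result": value}]
    elif isinstance(value, dict):
        entries = [value]
    else:
        entries = value
    for wanted in ("Not approved", "Approved"):
        titles = [e.get("title", "") for e in entries if e["result"] == wanted]
        if titles:
            return wanted, titles
    return "Skip", []


def evaluate_policy_text(text: str) -> Tuple[str, List[str]]:
    """Parse a JSON-formatted policy value and evaluate it."""
    return evaluate_custom_value(json.loads(text))


if __name__ == "__main__":
    print(evaluate_policy_text(SAMPLE_POLICY_JSON))  # ('Not approved', ['Listener not TLS'])
    print(validate_custom_value({"result": "Approved", "severity": "high"}))
```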
AWS > EC2 > Application Load Balancer > Approved > Regions
A list of AWS regions in which AWS EC2 application load balancers are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 application load balancer is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Application Load Balancer > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Application Load Balancer > Approved > Usage
Determine whether the AWS EC2 application load balancer is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 application load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Application Load Balancer > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Application Load Balancer > CMDB
Configure whether to record and synchronize details for the AWS EC2 application load balancer into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Application Load Balancer > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Application Load Balancer > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > EC2 > Application Load Balancer > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > EC2 > Application Load Balancer > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > EC2 > Application Load Balancer > Regions
A list of AWS regions in which AWS EC2 application load balancers are supported for use.
Any application load balancers in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Application Load Balancer > Tags
Determine the action to take when the tags of an AWS EC2 application load balancer are not updated based on the AWS > EC2 > Application Load Balancer > Tags > * policies.
The control ensures AWS EC2 application load balancer tags include the tags defined in AWS > EC2 > Application Load Balancer > Tags > Template.
Tags not defined in the Application Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Tags > Template
The template used to generate the tag keys and values for an AWS EC2 application load balancer.
Tags not defined in the Application Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Application Load Balancer > Usage
Configure the number of AWS EC2 application load balancers that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Application Load Balancer > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Application Load Balancer > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerUsageLimit
{ "type": "integer", "minimum": 0, "default": 50}
AWS > EC2 > Approved Regions [Default]
A list of AWS regions in which AWS EC2 resources are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy is the default value for all AWS EC2 resources' Approved > Regions policies.
tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault
"{\n regions: policyValue(uri:\"tmod:@turbot/aws#/policy/types/approvedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Auto Scaling Group > Active
Determine the action to take when an AWS EC2 auto scaling group is not active, based on the AWS > EC2 > Auto Scaling Group > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Auto Scaling Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Auto Scaling Group > Active > Age
The age after which the AWS EC2 auto scaling group is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Auto Scaling Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Auto Scaling Group > Active > Last Modified
The number of days since the AWS EC2 auto scaling group was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Auto Scaling Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Auto Scaling Group > Approved
Determine the action to take when an AWS EC2 auto scaling group is not approved based on AWS > EC2 > Auto Scaling Group > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Auto Scaling Group > Approved > Custom
Determine whether the AWS EC2 auto scaling group is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 auto scaling group is not approved, it will be subject to the action specified in the AWS > EC2 > Auto Scaling Group > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Auto Scaling Group > Approved > Regions
A list of AWS regions in which AWS EC2 auto scaling groups are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 auto scaling group is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Auto Scaling Group > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Auto Scaling Group > Approved > Usage
Determine whether the AWS EC2 auto scaling group is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 auto scaling group is not approved, it will be subject to the action specified in the AWS > EC2 > Auto Scaling Group > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Auto Scaling Group > CMDB
Configure whether to record and synchronize details for the AWS EC2 auto scaling group into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Auto Scaling Group > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Auto Scaling Group > Regions
A list of AWS regions in which AWS EC2 auto scaling groups are supported for use.
Any auto scaling groups in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Auto Scaling Group > Tags
Determine the action to take when the tags of an AWS EC2 auto scaling group are not updated based on the AWS > EC2 > Auto Scaling Group > Tags > * policies.
The control ensures AWS EC2 auto scaling group tags include the tags defined in AWS > EC2 > Auto Scaling Group > Tags > Template.
Tags not defined in the Auto Scaling Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Auto Scaling Group > Tags > Template
The template used to generate the tag keys and values for an AWS EC2 auto scaling group.
Tags not defined in the Auto Scaling Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Auto Scaling Group > Usage
Configure the number of AWS EC2 auto scaling groups that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Auto Scaling Group > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Auto Scaling Group > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupUsageLimit
{ "type": "integer", "minimum": 0, "default": 200}
AWS > EC2 > Classic Load Balancer > Access Logging
Define the Access Logging settings required for AWS > EC2 > Classic Load Balancer.
AWS > EC2 > Classic Load Balancer provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerAccessLogging
[ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled to Access Logging > Bucket", "Enforce: Disabled", "Enforce: Enabled to Access Logging > Bucket"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled to Access Logging > Bucket", "Enforce: Disabled", "Enforce: Enabled to Access Logging > Bucket" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Access Logging > Bucket
The name of an S3 Bucket to which the AWS > EC2 > Classic Load Balancer access logs will be delivered.
The S3 Bucket must already exist and the S3 service must be allowed write access.
The bucket should reside in the same account and the same region as the load balancer.
Examples: testbucket, turbotbucket
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerAccessLoggingBucket
"{\n turbotLoggingBucket: policy(uri: \"aws#/policy/types/loggingBucketDefault\")\n}\n"
"{% if $.turbotLoggingBucket %}"{{ $.turbotLoggingBucket }}"{% else %}""{% endif %}"
{ "type": "string"}
AWS > EC2 > Classic Load Balancer > Access Logging > Key Prefix
An optional S3 key prefix to which the AWS > EC2 > Classic Load Balancer access logs will be written.
The file names of the access logs use the following format: bucket[/prefix]/AWSLogs/aws-account-id/elasticloadbalancing/region/yyyy/mm/dd/aws-account-id_elasticloadbalancing_region_load-balancer-id_end-time_ip-address_random-string.log.gz
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerAccessLoggingKeyPrefix
{ "type": "string", "pattern": "^.{1,200}$", "default": ""}
AWS > EC2 > Classic Load Balancer > Active
Determine the action to take when an AWS EC2 classic load balancer is not active, based on the AWS > EC2 > Classic Load Balancer > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Active > Age
The age after which the AWS EC2 classic load balancer is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Active > Budget
The impact of the budget state on the Active control. This policy allows you to force classic load balancers to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerActiveBudget
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Active > Last Modified
The number of days since the AWS EC2 classic load balancer was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Classic Load Balancer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Approved
Determine the action to take when an AWS EC2 classic load balancer is not approved based on AWS > EC2 > Classic Load Balancer > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Approved > Budget
The policy allows you to set classic load balancers to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.
This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerApprovedBudget
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Approved > Custom
Determine whether the AWS EC2 classic load balancer is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Approved > Regions
A list of AWS regions in which AWS EC2 classic load balancers are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Classic Load Balancer > Approved > Usage
Determine whether the AWS EC2 classic load balancer is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Classic Load Balancer > CMDB
Configure whether to record and synchronize details for the AWS EC2 classic load balancer into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Classic Load Balancer > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Classic Load Balancer > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > EC2 > Classic Load Balancer > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > EC2 > Classic Load Balancer > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > EC2 > Classic Load Balancer > Regions
A list of AWS regions in which AWS EC2 classic load balancers are supported for use.
Any classic load balancers in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Classic Load Balancer > Tags
Determine the action to take when an AWS EC2 classic load balancer's tags are not updated based on the AWS > EC2 > Classic Load Balancer > Tags > * policies.
The control ensures AWS EC2 classic load balancer tags include the tags defined in AWS > EC2 > Classic Load Balancer > Tags > Template.
Tags not defined in the Classic Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Tags > Template
The template is used to generate the keys and values for AWS EC2 classic load balancer.
Tags not defined in the Classic Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
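A worked model of what the Tags control described above has to compute, added here as an example; it is not code from the @turbot/aws-ec2 mod. It assumes only that a template value of undefined is represented by Python's None, and the sample tags and template are constructed for illustration. It shows the three behaviours the text states: templated keys are created or corrected, a key templated as undefined is deleted, and untemplated keys (here Name) are never touched.

```python
# Added example (not part of the Guardrails mod): a model of what the
# AWS > EC2 > Classic Load Balancer > Tags control computes for one resource.
from typing import Dict, List, Optional, Tuple

UNDEFINED = None  # stands in for `undefined` in a Tags > Template value (assumption)

# Constructed sample data, not taken from a real account.
SAMPLE_TEMPLATE: Dict[str, Optional[str]] = {
    "Owner": "platform-team",   # must exist with exactly this value
    "CostCenter": "1234",       # must exist with exactly this value
    "Temporary": UNDEFINED,     # must NOT exist: delete it if present
}
SAMPLE_CURRENT: Dict[str, str] = {
    "Owner": "alice",           # wrong value -> will be corrected
    "Name": "web-elb",          # not in the template -> left untouched
    "Temporary": "yes",         # templated as undefined -> will be deleted
}


def plan_tag_changes(current: Dict[str, str],
                     template: Dict[str, Optional[str]]
                     ) -> Tuple[Dict[str, str], List[str]]:
    """Return (tags_to_set, keys_to_delete) needed to satisfy the template.

    Only keys named in the template are ever touched: a key whose template
    value is undefined is deleted, any other key is created or corrected.
    """
    to_set: Dict[str, str] = {}
    to_delete: List[str] = []
    for key, wanted in template.items():
        if wanted is UNDEFINED:
            if key in current:
                to_delete.append(key)
        elif current.get(key) != wanted:
            to_set[key] = wanted
    return to_set, sorted(to_delete)


def tags_are_correct(current: Dict[str, str],
                     template: Dict[str, Optional[str]]) -> bool:
    """What 'Check: Tags are correct' reports: True when nothing is pending."""
    to_set, to_delete = plan_tag_changes(current, template)
    return not to_set and not to_delete


def apply_plan(current: Dict[str, str],
               template: Dict[str, Optional[str]]) -> Dict[str, str]:
    """The tag set 'Enforce: Set tags' leaves behind (pure; no AWS calls)."""
    to_set, to_delete = plan_tag_changes(current, template)
    result = {k: v for k, v in current.items() if k not in to_delete}
    result.update(to_set)
    return result


if __name__ == "__main__":
    to_set, to_delete = plan_tag_changes(SAMPLE_CURRENT, SAMPLE_TEMPLATE)
    print("set:", to_set, "delete:", to_delete)
    print("after enforce:", apply_plan(SAMPLE_CURRENT, SAMPLE_TEMPLATE))
```

Against a real account the plan maps onto the elb API's add_tags (for to_set) and remove_tags (for to_delete) calls; keeping the planning pure makes the Check and Enforce outcomes easy to unit test before any tag is written.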
AWS > EC2 > Classic Load Balancer > Usage
Configure the number of AWS EC2 classic load balancers that can be used in this region and check the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Classic Load Balancer > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerUsageLimit
{ "type": "integer", "minimum": 0, "default": 20}
AWS > EC2 > Classic Load Balancer Listener > Active
Determine the action to take when an AWS EC2 classic load balancer listener is not active, based on the AWS > EC2 > Classic Load Balancer Listener > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Classic Load Balancer Listener > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer Listener > Active > Age
The age after which the AWS EC2 classic load balancer listener is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Classic Load Balancer Listener > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer Listener > Active > Last Modified
The number of days since the AWS EC2 classic load balancer listener was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Classic Load Balancer Listener > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer Listener > Approved
Determine the action to take when an AWS EC2 classic load balancer listener is not approved based on AWS > EC2 > Classic Load Balancer Listener > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer Listener > Approved > Custom
Determine whether the AWS EC2 classic load balancer listener is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer Listener > Approved > Instance Protocols
A list of instance protocols that the AWS EC2 classic load balancer listener is approved to use.
The expected format is an array of instance protocols. You may use the * and ? wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerApprovedInstanceProtocols
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "^(HTTP|HTTPS|TCP|SSL)$" }}
AWS > EC2 > Classic Load Balancer Listener > Approved > Ports
A list of ports or port ranges that the AWS EC2 classic load balancer listener is approved to use.
This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.
See Approved for more information.
Example:
- 443
- 1001-65535
- 80
- 400-999
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerApprovedPorts
{ "type": "array", "items": { "type": "string" }, "default": [ "1-65535" ]}
AWS > EC2 > Classic Load Balancer Listener > Approved > Protocols
A list of protocols that the AWS EC2 classic load balancer listener is approved to use.
This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerApprovedProtocols
{ "type": "array", "items": { "type": "string", "enum": [ "HTTP", "HTTPS", "TCP", "SSL" ] }, "default": [ "HTTP", "HTTPS", "TCP", "SSL" ]}
AWS > EC2 > Classic Load Balancer Listener > Approved > Regions
A list of AWS regions in which AWS EC2 classic load balancer listeners are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Classic Load Balancer Listener > Approved > Usage
Determine whether the AWS EC2 classic load balancer listener is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 classic load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Classic Load Balancer Listener > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
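A worked model of how the Classic Load Balancer Listener > Approved sub-policies above (Protocols, Instance Protocols, Ports, Regions and Usage) combine, added here as an example and not code from the @turbot/aws-ec2 mod. It assumes that Approved > Ports is matched against the listener's front-end port (LoadBalancerPort), that AWS > EC2 > Enabled can be reduced to a boolean, and that the '*' and '?' wildcards behave like shell globs; the listener records and policy settings are constructed. The point it makes concrete is the aggregation rule stated on this page: a listener is unapproved if any sub-policy says so, so the only approved outcome is an empty list of reasons.

```python
# Added example (not Guardrails code): a model of the Classic Load Balancer
# Listener > Approved sub-policies and how the Approved control combines them.
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed policy settings, in the value shapes this page documents.
SAMPLE_SETTINGS: Dict = {
    "protocols": ["HTTPS", "SSL"],               # Approved > Protocols
    "instance_protocols": ["*"],                 # Approved > Instance Protocols
    "ports": ["443", "1001-65535"],              # Approved > Ports
    "regions": ["us-east-?", "eu-west-*"],       # Approved > Regions
    "usage": "Approved if AWS > EC2 > Enabled",  # Approved > Usage
    "ec2_enabled": True,                         # AWS > EC2 > Enabled (assumed boolean)
}

# Constructed listeners in the shape of the elb API's Listener structure.
HTTPS_443 = {"Protocol": "HTTPS", "LoadBalancerPort": 443,
             "InstanceProtocol": "HTTP", "InstancePort": 8080}
HTTP_80 = {"Protocol": "HTTP", "LoadBalancerPort": 80,
           "InstanceProtocol": "HTTP", "InstancePort": 8080}


def parse_port_list(spec: List[str]) -> List[range]:
    """Turn entries such as '443' or '1001-65535' into inclusive ranges."""
    ranges = []
    for entry in spec:
        text = str(entry).strip()
        lo, _, hi = text.partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"invalid port entry: {text!r}")
        ranges.append(range(lo_n, hi_n + 1))
    return ranges


def port_approved(port: int, spec: List[str]) -> bool:
    return any(port in r for r in parse_port_list(spec))


def glob_approved(value: str, patterns: List[str]) -> bool:
    """'*' / '?' wildcard matching for the Regions and Instance Protocols lists."""
    return any(fnmatchcase(value, p) for p in patterns)


def usage_approved(setting: str, ec2_enabled: bool) -> bool:
    """Approved > Usage, whose third option defers to AWS > EC2 > Enabled."""
    if setting == "Approved":
        return True
    if setting == "Not approved":
        return False
    if setting == "Approved if AWS > EC2 > Enabled":
        return ec2_enabled
    raise ValueError(f"unknown Approved > Usage value: {setting!r}")


def unapproved_reasons(listener: Dict, region: str, s: Dict) -> List[str]:
    """One entry per sub-policy the listener fails. Unapproved for any reason
    means unapproved, so an empty list is the only approved outcome."""
    reasons = []
    if listener["Protocol"] not in s["protocols"]:
        reasons.append(f"Approved > Protocols: {listener['Protocol']} "
                       f"not in {s['protocols']}")
    if not glob_approved(listener["InstanceProtocol"], s["instance_protocols"]):
        reasons.append(f"Approved > Instance Protocols: {listener['InstanceProtocol']} "
                       f"matches none of {s['instance_protocols']}")
    if not port_approved(listener["LoadBalancerPort"], s["ports"]):
        reasons.append(f"Approved > Ports: {listener['LoadBalancerPort']} "
                       f"not in {s['ports']}")
    if not glob_approved(region, s["regions"]):
        reasons.append(f"Approved > Regions: {region} matches none of {s['regions']}")
    if not usage_approved(s["usage"], s["ec2_enabled"]):
        reasons.append(f"Approved > Usage: {s['usage']}")
    return reasons


def is_approved(listener: Dict, region: str, s: Dict) -> bool:
    return not unapproved_reasons(listener, region, s)


if __name__ == "__main__":
    for label, lst in (("443", HTTPS_443), ("80", HTTP_80)):
        print(label, unapproved_reasons(lst, "us-east-1", SAMPLE_SETTINGS) or "approved")
```

Note the validation in parse_port_list: a malformed entry such as 0-10 raises rather than silently approving nothing or everything, which is the failure mode you want to surface when a policy value is hand-edited.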
AWS > EC2 > Classic Load Balancer Listener > CMDB
Configure whether to record and synchronize details for the AWS EC2 classic load balancer listener into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Classic Load Balancer Listener > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Classic Load Balancer Listener > Regions
A list of AWS regions in which AWS EC2 classic load balancer listeners are supported for use.
Any classic load balancer listeners in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Classic Load Balancer Listener > SSL Policy
Determine the action to take when an AWS EC2 classic load balancer listener is not using an allowed SSL policy.
The set of allowed policies is defined by AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed. If a classic load balancer listener is not using an allowed SSL policy and this policy is set to "Enforce: Set to SSL Policy > Default", the classic load balancer listener will be updated to use the SSL policy selected in the AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Default policy.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerSslPolicy
[ "Skip", "Check: Set in SSL Policy > Allowed", "Enforce: Set to SSL Policy > Default"]
{ "type": "string", "enum": [ "Skip", "Check: Set in SSL Policy > Allowed", "Enforce: Set to SSL Policy > Default" ], "example": [ "Check: Set in SSL Policy > Allowed" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed
A list of AWS SSL policies that the AWS EC2 classic load balancer listener is allowed to use.
For a complete list of SSL policies and which ciphers and protocols they support, please see [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html).
Note that the default value allows every predefined policy, including the oldest ones that still negotiate SSLv3 and TLS 1.0, as well as Custom, which covers listeners whose negotiation policy is customer-defined rather than one of the predefined ones. To require TLS 1.2, restrict this list to ELBSecurityPolicy-TLS-1-2-2017-01 and set AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Default to the same value.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerSslPolicyAllowed
{ "type": "array", "items": { "type": "string", "enum": [ "Custom", "ELBSample-ELBDefaultNegotiationPolicy", "ELBSample-OpenSSLDefaultNegotiationPolicy", "ELBSecurityPolicy-2011-08", "ELBSecurityPolicy-2014-01", "ELBSecurityPolicy-2014-10", "ELBSecurityPolicy-2015-02", "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01" ] }, "default": [ "Custom", "ELBSample-ELBDefaultNegotiationPolicy", "ELBSample-OpenSSLDefaultNegotiationPolicy", "ELBSecurityPolicy-2011-08", "ELBSecurityPolicy-2014-01", "ELBSecurityPolicy-2014-10", "ELBSecurityPolicy-2015-02", "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01" ], "example": [ "ELBSecurityPolicy-2016-08" ]}
AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Default
Define the default AWS SSL policy the AWS EC2 classic load balancer listener should use if it's not currently using an allowed SSL policy.
The SSL policy selected in this policy should also be allowed in the AWS > EC2 > Classic Load Balancer Listener > SSL Policy > Allowed policy, else the control will move into an invalid state while trying to enforce this policy.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerSslPolicyDefault
[ "ELBSample-ELBDefaultNegotiationPolicy", "ELBSample-OpenSSLDefaultNegotiationPolicy", "ELBSecurityPolicy-2011-08", "ELBSecurityPolicy-2014-01", "ELBSecurityPolicy-2014-10", "ELBSecurityPolicy-2015-02", "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01"]
{ "type": "string", "enum": [ "ELBSample-ELBDefaultNegotiationPolicy", "ELBSample-OpenSSLDefaultNegotiationPolicy", "ELBSecurityPolicy-2011-08", "ELBSecurityPolicy-2014-01", "ELBSecurityPolicy-2014-10", "ELBSecurityPolicy-2015-02", "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01" ], "default": "ELBSecurityPolicy-2016-08", "example": [ "ELBSecurityPolicy-2016-08" ]}
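A worked model of the SSL Policy control and its Allowed and Default sub-policies described above, added here as an example and not code from the @turbot/aws-ec2 mod. The input dicts mirror the elb API response shapes (describe_load_balancers ListenerDescriptions and describe_load_balancer_policies PolicyDescriptions), but the load balancer, its listeners and its policies are constructed. Two assumptions are made: a negotiation policy without a Reference-Security-Policy attribute is what the Allowed list calls Custom, and an HTTPS/SSL listener with no negotiation policy attached is reported as non-compliant rather than guessed at. It also reproduces the invalid state the page warns about when Default is not itself in Allowed.

```python
# Added example (not Guardrails code): a model of the Classic Load Balancer
# Listener > SSL Policy control with its Allowed and Default sub-policies.
from typing import Dict, List, Optional, Tuple

SSL_NEGOTIATION = "SSLNegotiationPolicyType"
CUSTOM = "Custom"  # assumption: a negotiation policy with no reference policy

# Constructed describe_load_balancer_policies output for one load balancer.
SAMPLE_POLICIES: List[Dict] = [
    {"PolicyName": "legacy-2011", "PolicyTypeName": SSL_NEGOTIATION,
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Reference-Security-Policy",
          "AttributeValue": "ELBSecurityPolicy-2011-08"}]},
    {"PolicyName": "hand-picked-ciphers", "PolicyTypeName": SSL_NEGOTIATION,
     "PolicyAttributeDescriptions": [  # no reference policy: customer-defined
         {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
         {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"}]},
]
# Constructed ListenerDescriptions for the same load balancer.
SAMPLE_LISTENERS: List[Dict] = [
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                  "InstanceProtocol": "HTTP", "InstancePort": 8080},
     "PolicyNames": ["legacy-2011"]},
    {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 8443,
                  "InstanceProtocol": "TCP", "InstancePort": 8443},
     "PolicyNames": ["hand-picked-ciphers"]},
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                  "InstanceProtocol": "HTTP", "InstancePort": 8080},
     "PolicyNames": []},
]

# A TLS 1.2-only setting for SSL Policy > Allowed and SSL Policy > Default.
STRICT_ALLOWED = ["ELBSecurityPolicy-TLS-1-2-2017-01"]
STRICT_DEFAULT = "ELBSecurityPolicy-TLS-1-2-2017-01"


def reference_policy(listener_desc: Dict, policies: List[Dict]) -> Optional[str]:
    """Predefined security policy name, CUSTOM, or None when the listener does
    not terminate TLS or has no negotiation policy attached at all."""
    if listener_desc["Listener"]["Protocol"] not in ("HTTPS", "SSL"):
        return None
    by_name = {p["PolicyName"]: p for p in policies}
    for name in listener_desc["PolicyNames"]:
        pol = by_name.get(name)
        if pol is None or pol["PolicyTypeName"] != SSL_NEGOTIATION:
            continue
        attrs = {a["AttributeName"]: a["AttributeValue"]
                 for a in pol["PolicyAttributeDescriptions"]}
        return attrs.get("Reference-Security-Policy", CUSTOM)
    return None


def evaluate(listener_desc: Dict, policies: List[Dict], setting: str,
             allowed: List[str], default: str) -> Tuple[str, Optional[str]]:
    """Return (status, remediation): status is skip / ok / alarm / invalid and
    remediation is the policy Enforce would apply, or None."""
    if setting == "Skip":
        return "skip", None
    if listener_desc["Listener"]["Protocol"] not in ("HTTPS", "SSL"):
        return "skip", None  # a plaintext listener has no TLS policy to check
    current = reference_policy(listener_desc, policies)
    if current is not None and current in allowed:
        return "ok", None
    if setting == "Check: Set in SSL Policy > Allowed":
        return "alarm", None
    if setting != "Enforce: Set to SSL Policy > Default":
        raise ValueError(f"unknown SSL Policy setting: {setting!r}")
    if default not in allowed:
        return "invalid", None  # Enforce cannot converge: Default is not Allowed
    return "alarm", default


def audit(listeners: List[Dict], policies: List[Dict], setting: str,
          allowed: List[str], default: str) -> Dict[int, Tuple[str, Optional[str]]]:
    """Evaluate every listener; keyed by front-end port."""
    return {ld["Listener"]["LoadBalancerPort"]:
            evaluate(ld, policies, setting, allowed, default) for ld in listeners}


if __name__ == "__main__":
    for mode in ("Check: Set in SSL Policy > Allowed", "Enforce: Set to SSL Policy > Default"):
        print(mode, audit(SAMPLE_LISTENERS, SAMPLE_POLICIES, mode, STRICT_ALLOWED, STRICT_DEFAULT))
```

Applying a remediation against a real load balancer means creating a policy of type SSLNegotiationPolicyType whose Reference-Security-Policy attribute is the Default value and attaching it to the listener with set_load_balancer_policies_of_listener; the model stops at naming that policy so the Check and Enforce paths can be exercised offline.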
AWS > EC2 > Classic Load Balancer Listener > Usage
Configure the number of AWS EC2 classic load balancer listeners that can be used on this classic load balancer and check the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Classic Load Balancer Listener > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Classic Load Balancer Listener > Usage > Limit
Maximum number of items that can be created for this classic load balancer.
tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerListenerUsageLimit
{ "type": "integer", "minimum": 0, "default": 50}
AWS > EC2 > Enabled
Enable EC2. This is the value consulted by the Approved > Usage sub-policies on this page when they are set to "Approved if AWS > EC2 > Enabled".
tmod:@turbot/aws-ec2#/policy/types/ec2Enabled
[ "Enabled", "Enabled: Metadata Only", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Enabled: Metadata Only", "Disabled" ], "example": [ "Enabled" ], "default": "Disabled"}
AWS > EC2 > Gateway Load Balancer > Active
Determine the action to take when an AWS EC2 gateway load balancer is not active, based on the AWS > EC2 > Gateway Load Balancer > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Gateway Load Balancer > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Gateway Load Balancer > Active > Age
The age after which the AWS EC2 gateway load balancer is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Gateway Load Balancer > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Gateway Load Balancer > Active > Budget
The impact of the budget state on the active control. This policy allows you to force
gateway load balancers to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Gateway Load Balancer > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerActiveBudget
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Gateway Load Balancer > Active > Last Modified
The number of days since the AWS EC2 gateway load balancer
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Gateway Load Balancer > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Gateway Load Balancer > Approved
Determine the action to take when an AWS EC2 gateway load balancer is not approved based on AWS > EC2 > Gateway Load Balancer > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Gateway Load Balancer > Approved > Budget
The policy allows you to set gateway load balancers to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.
This policy will be evaluated by the Approved control. If an AWS EC2 gateway load balancer is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Gateway Load Balancer > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerApprovedBudget
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > EC2 > Gateway Load Balancer > Approved > Custom
Determine whether the AWS EC2 gateway load balancer is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 gateway load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Gateway Load Balancer > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Gateway Load Balancer > Approved > Regions
A list of AWS regions in which AWS EC2 gateway load balancers are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 gateway load balancer is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Gateway Load Balancer > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Gateway Load Balancer > Approved > Usage
Determine whether the AWS EC2 gateway load balancer is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 gateway load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Gateway Load Balancer > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Gateway Load Balancer > CMDB
Configure whether to record and synchronize details for the AWS EC2 gateway load balancer into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > EC2 > Gateway Load Balancer > Regions
policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Gateway Load Balancer > Regions
A list of AWS regions in which AWS EC2 gateway load balancers are supported for use.
Any gateway load balancers in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerRegions
{ "allOf": [ { "$ref": "aws#/definitions/regionNameMatcherList" }, { "default": [ "ap-southeast-2", "eu-west-1", "sa-east-1", "us-east-1", "us-west-2" ] } ]}
AWS > EC2 > Gateway Load Balancer > Tags
Determine the action to take when the tags of an AWS EC2 gateway load balancer are not updated based on the AWS > EC2 > Gateway Load Balancer > Tags > * policies.
The control ensures AWS EC2 gateway load balancer tags include the tags defined in AWS > EC2 > Gateway Load Balancer > Tags > Template.
Tags not defined in Gateway Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Gateway Load Balancer > Tags > Template
The template is used to generate the tag keys and values for the AWS EC2 gateway load balancer.
Tags not defined in Gateway Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Gateway Load Balancer > Usage
Configure the number of AWS EC2 gateway load balancers that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Gateway Load Balancer > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Gateway Load Balancer > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/gatewayLoadBalancerUsageLimit
{ "type": "integer", "minimum": 0, "default": 20}
AWS > EC2 > Instance > Active
Determine the action to take when an AWS EC2 instance is inactive, based on the AWS > EC2 > Instance > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Instance > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/instanceActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Instance > Active > Age
The age after which the AWS EC2 instance
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Instance > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/instanceActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Instance > Active > Budget
The impact of the budget state on the active control. This policy allows you to force
instances to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Instance > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/instanceActiveBudget
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Instance > Active > Last Modified
The number of days since the AWS EC2 instance
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Instance > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/instanceActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Instance > Approved
Determine the action to take when an AWS EC2 instance is not approved based on AWS > EC2 > Instance > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/instanceApproved
[ "Skip", "Check: Approved", "Enforce: Stop unapproved", "Enforce: Stop unapproved if new", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Stop unapproved", "Enforce: Stop unapproved if new", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Instance > Approved > Budget
The policy allows you to set instances to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.
This policy will be evaluated by the Approved control. If an AWS EC2 instance is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Instance > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/instanceApprovedBudget
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > EC2 > Instance > Approved > Custom
Determine whether the AWS EC2 instance is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 instance is not approved, it will be subject to the action specified in the AWS > EC2 > Instance > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/instanceApprovedCustom
{ "example": [ "Approved", { "result": "Approved" }, { "title": "InstanceState", "result": "Approved" }, { "title": "InstanceState", "message": "InstanceState is available", "result": "Approved" }, { "title": "InstanceType", "message": "InstanceType is not t3.nano", "result": "Not approved" }, [ { "title": "InstancePlatformDetails", "message": "Instance Platform is Linux/UNIX", "result": "Approved" }, { "title": "InstanceEbsOptimized", "message": "InstanceEbsOptimized is not true", "result": "Not approved" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
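The Approved > Custom policy accepts three shapes (a bare result string, one object, or a list of objects) and the schema above constrains each key with a regular expression. The validator below is an added example, not code from the Guardrails mod: it reuses the page's own patterns (result must be Approved, Not approved or Skip; title 1 to 32 characters; message 1 to 128 characters; no other keys) and reports every violation instead of stopping at the first. The second function collapses a valid value to a single status; how Guardrails itself combines several objects is not stated on this page, so the rule used here (any Not approved wins, otherwise any Approved, otherwise Skip) is an assumption modelled on the "unapproved for any reason" behaviour the Approved control describes. Inputs are plain Python dicts, i.e. what a YAML or JSON parser would hand back.

```python
import re
from typing import Any, List

# Patterns copied from the policy's JSON schema on this page.
RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")
ALLOWED_KEYS = {"title", "message", "result"}   # additionalProperties: false


def _validate_object(obj: dict, path: str) -> List[str]:
    """Check one {title, message, result} object; return a list of violations."""
    errors = []
    extra = set(obj) - ALLOWED_KEYS
    if extra:
        errors.append(f"{path}: unexpected keys {sorted(extra)}")
    if "result" not in obj:
        errors.append(f"{path}: missing required key 'result'")
    for key, rx in (("title", TITLE_RE), ("message", MESSAGE_RE), ("result", RESULT_RE)):
        if key in obj:
            val = obj[key]
            if not isinstance(val, str) or not rx.fullmatch(val):
                errors.append(f"{path}.{key}: {val!r} does not match {rx.pattern}")
    return errors


def validate_custom_policy(value: Any) -> List[str]:
    """Return all schema violations for a policy value; an empty list means valid."""
    if isinstance(value, str):
        if RESULT_RE.fullmatch(value):
            return []
        return [f"$: {value!r} is not one of Approved / Not approved / Skip"]
    if isinstance(value, dict):
        return _validate_object(value, "$")
    if isinstance(value, list):
        errors: List[str] = []
        for i, item in enumerate(value):
            if isinstance(item, dict):
                errors.extend(_validate_object(item, f"$[{i}]"))
            else:
                errors.append(f"$[{i}]: expected an object, got {type(item).__name__}")
        return errors
    return [f"$: unsupported type {type(value).__name__}"]


def custom_policy_outcome(value: Any) -> str:
    """Collapse a valid value to one status.

    Assumed aggregation (not documented on this page): any 'Not approved'
    makes the resource unapproved, otherwise any 'Approved' approves it,
    otherwise the policy is skipped.
    """
    errors = validate_custom_policy(value)
    if errors:
        raise ValueError("; ".join(errors))
    items = value if isinstance(value, list) else [value]
    results = [it if isinstance(it, str) else it["result"] for it in items]
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"


if __name__ == "__main__":
    # Constructed sample value, following the list example in the schema above.
    sample = [
        {"title": "InstancePlatformDetails", "message": "Instance Platform is Linux/UNIX", "result": "Approved"},
        {"title": "InstanceEbsOptimized", "message": "InstanceEbsOptimized is not true", "result": "Not approved"},
    ]
    print(validate_custom_policy(sample), custom_policy_outcome(sample))
```

Run the validator in a pre-commit hook or CI job over policy settings stored as code, so a typo such as a lower-case "approved" or an over-long title is caught before Guardrails silently treats the value as invalid.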
AWS > EC2 > Instance > Approved > Image
Determine whether Approved > Image checking is enabled for the instance.
tmod:@turbot/aws-ec2#/policy/types/instanceApprovedImage
[ "Skip", "Approved if ImageId in Image > AMI IDs", "Approved if Owner in Image > Publishers", "Approved if ImageId in Image > AMI IDs or Owner in Image > Publishers", "Approved if ImageId in Image > AMI IDs and Owner in Image > Publishers"]
{ "type": "string", "enum": [ "Skip", "Approved if ImageId in Image > AMI IDs", "Approved if Owner in Image > Publishers", "Approved if ImageId in Image > AMI IDs or Owner in Image > Publishers", "Approved if ImageId in Image > AMI IDs and Owner in Image > Publishers" ], "default": "Skip"}
AWS > EC2 > Instance > Approved > Image > AMI IDs
A list of AMI IDs that are approved to be used to launch EC2 Instances.
The '*' wildcard may be used to allow all AMIs.
Examples:
- ami-ff81a385
- ami-12345678
tmod:@turbot/aws-ec2#/policy/types/instanceApprovedImageAmiIds
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "^[a-z0-9.?*-]+$" }}
AWS > EC2 > Instance > Approved > Image > Publishers
A list of AWS Account IDs whose images may be used to launch EC2 Instances. This list may contain:
- AWS Account IDs - Approve all images from the specified account
- local - Approve local images (where the OwnerId is the account id of the targeted instance)
- amazon - Approve amazon images (where imageowneralias == amazon)
- aws-marketplace - Approve marketplace images (where imageowneralias == aws-marketplace)
The '*' wildcard may be used to allow all AMIs from all publishers.
Examples:
- amazon # allow all images with amazon ImageOwnerAlias
- 102837901569 # Allow all images from AWS Account 102837901569
- local # Allow all local images
tmod:@turbot/aws-ec2#/policy/types/instanceApprovedImagePublishers
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "^[a-z0-9.?*-]+$" }}
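The three policies above (Approved > Image, its AMI IDs list and its Publishers list) combine into one decision: the instance's ImageId is matched against the AMI IDs patterns, its AMI owner against the Publishers entries, and the Approved > Image value selects which of the two (or both) must pass. The evaluator below is an added example, not Guardrails code; it implements the documented rules with Python's fnmatch for the '*' and '?' wildcards, handles the special publisher entries local, amazon and aws-marketplace as the page defines them, and treats any other entry as an account-id pattern. The InstanceImage record and every sample value in it are constructed for the example.

```python
import fnmatch
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class InstanceImage:
    """Constructed view of an instance and the AMI it was launched from."""
    image_id: str      # ImageId of the AMI
    owner_id: str      # OwnerId of the AMI (12-digit account id)
    owner_alias: str   # ImageOwnerAlias of the AMI: "amazon", "aws-marketplace" or ""
    account_id: str    # account the instance runs in, used for the "local" entry


def _glob_match(value: str, patterns: List[str]) -> bool:
    """True if value matches any pattern; '*' and '?' are the wildcards the page allows."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def image_id_approved(img: InstanceImage, ami_ids: List[str]) -> bool:
    """Approved > Image > AMI IDs: ImageId must match one listed pattern."""
    return _glob_match(img.image_id, ami_ids)


def publisher_approved(img: InstanceImage, publishers: List[str]) -> bool:
    """Approved > Image > Publishers: owner must match one entry.

    'local'  -> AMI OwnerId equals the instance's own account id
    'amazon' / 'aws-marketplace' -> AMI ImageOwnerAlias equals the entry
    anything else -> treated as an account-id pattern ('*' allows all)
    """
    for entry in publishers:
        if entry == "local":
            if img.owner_id == img.account_id:
                return True
        elif entry in ("amazon", "aws-marketplace"):
            if img.owner_alias == entry:
                return True
        elif fnmatch.fnmatchcase(img.owner_id, entry):
            return True
    return False


# Maps each Approved > Image enum value to how the two sub-checks combine.
MODES: Dict[str, Optional[Callable[[bool, bool], bool]]] = {
    "Skip": None,
    "Approved if ImageId in Image > AMI IDs": lambda by_id, by_owner: by_id,
    "Approved if Owner in Image > Publishers": lambda by_id, by_owner: by_owner,
    "Approved if ImageId in Image > AMI IDs or Owner in Image > Publishers": lambda by_id, by_owner: by_id or by_owner,
    "Approved if ImageId in Image > AMI IDs and Owner in Image > Publishers": lambda by_id, by_owner: by_id and by_owner,
}


def approved_image_status(mode: str, img: InstanceImage, ami_ids: List[str], publishers: List[str]) -> str:
    """Return 'Skip', 'Approved' or 'Not approved' for the given policy value."""
    if mode not in MODES:
        raise ValueError(f"unknown Approved > Image value: {mode!r}")
    combine = MODES[mode]
    if combine is None:
        return "Skip"
    ok = combine(image_id_approved(img, ami_ids), publisher_approved(img, publishers))
    return "Approved" if ok else "Not approved"


if __name__ == "__main__":
    # Constructed sample: a locally built AMI and an Amazon-owned AMI in account 111122223333.
    local_img = InstanceImage("ami-12345678", "111122223333", "", "111122223333")
    amazon_img = InstanceImage("ami-0abc0abc0", "999988887777", "amazon", "111122223333")
    for img in (local_img, amazon_img):
        print(img.image_id, approved_image_status(
            "Approved if ImageId in Image > AMI IDs and Owner in Image > Publishers",
            img, ["ami-1234*"], ["local", "amazon"]))
```

The "and" mode is the strict choice for a golden-image programme: an AMI must be both on the allow-list and published by a trusted owner, so an attacker who registers a look-alike AMI id in an untrusted account, or a trusted publisher's unlisted image, both fail the check.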
AWS > EC2 > Instance > Approved > Instance Types
A list of instance types that the AWS EC2 instance is approved to use.
The expected format is an array of instance types. You may use the * and ? wildcard characters (and more).
This policy will be evaluated by the Approved control. If an AWS EC2 instance is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Instance > Approved
policy.
See Approved for more information.
Note: It is recommended to include instance types in this policy in the AWS > EC2 > Permissions > Lockdown > Instance Types
policy as well, to ensure that the lockdown policy will not restrict these approved instance types.
tmod:@turbot/aws-ec2#/policy/types/instanceApprovedInstanceTypes
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "^[a-z0-9.?*]+$" }}
AWS > EC2 > Instance > Approved > Public IP
Determine whether the AWS EC2 instance is allowed to have a Public IP assigned.
This policy will be evaluated by the Approved control. If an AWS EC2 instance is not approved, it will be subject to the action specified in the AWS > EC2 > Instance > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/instanceApprovedPublicIp
[ "Skip", "Approved if assigned", "Approved if not assigned"]
{ "type": "string", "enum": [ "Skip", "Approved if assigned", "Approved if not assigned" ], "example": [ "Approved if assigned" ], "default": "Skip"}
AWS > EC2 > Instance > Approved > Regions
A list of AWS regions in which AWS EC2 instances are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 instance is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Instance > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/instanceApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest
Define the Encryption at Rest settings required for AWS > EC2 > Instance.
Encryption at Rest refers specifically to the encryption of data when written
to an underlying storage system. This control determines whether the resource
is encrypted at rest, and sets encryption to your desired level.
The Encryption at Rest control compares the encryption settings against the encryption policies for the resource (AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest > *), raises an alarm, and takes the defined enforcement action.
tmod:@turbot/aws-ec2#/policy/types/rootVolumeEncryptionAtRest
[ "None", "None or higher", "AWS managed key", "AWS managed key or higher", "Customer managed key", "Encryption at Rest > Customer Managed Key"]
{ "type": "string", "enum": [ "None", "None or higher", "AWS managed key", "AWS managed key or higher", "Customer managed key", "Encryption at Rest > Customer Managed Key" ], "example": [ "None or higher" ], "default": "None or higher"}
AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest > Customer Managed Key
Define the KMS key ID for encryption at rest.
Encryption at Rest refers specifically to the encryption of data when written
to an underlying storage system. This control determines whether the resource
is encrypted at rest, and sets encryption to your desired level.
The Encryption at Rest control compares the encryption settings against the encryption policies for the resource (AWS > EC2 > Instance > Root Volume Encryption at Rest > *), raises an alarm, and takes the defined enforcement action.
Please make sure the key defined in the template has the required permissions.
Examples:
- alias/aws/ebs
- ddc06e04-ce5f-4995-c758-c2b6c510e8fd
- arn:aws:kms:us-east-1:123456789012:key/ddc06e04-ce5f-4995-c758-c2b6c510e8fd
- arn:aws:kms:us-east-1:123456789012:alias/aws/ebs
tmod:@turbot/aws-ec2#/policy/types/rootVolumeEncryptionAtRestCustomerManagedKey
"{\n defaultKey: policy(uri: \"aws-kms#/policy/types/keyDefaultCustomerManagedKey\")\n}\n"
"{{ $.defaultKey }}"
{ "anyOf": [ { "type": "string", "pattern": "^alias/[a-zA-Z0-9:/_-]{1,249}$" }, { "type": "string", "pattern": "^[-a-z0-9-]{1,255}$" }, { "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:key/[-a-z0-9-]{1,255}$" }, { "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:alias/[a-zA-Z0-9:/_-]{1,249}$" } ], "tests": [ { "description": "valid - if keyArn", "input": "arn:aws:kms:us-east-1:039305405804:key/ddc06e04-ce5f-4995-b758-c2b6c510e8fd" }, { "description": "valid - if aliasName", "input": "alias/aws/ebs" }, { "description": "valid - if keyId", "input": "ddc06e04-ce5f-4995-b758-c2b6c510e8fd" }, { "description": "valid - if aliasArn", "input": "arn:aws:kms:us-east-1:039305405804:alias/aws/ebs" } ]}
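The two Root Volume Encryption at Rest policies above describe a level comparison ("X or higher") plus an optional specific key. The following added example, not code from the aws-ec2 mod, classifies constructed root volumes from their EBS `Encrypted`/`KmsKeyId` fields and KMS `KeyManager` metadata, evaluates them against each policy value, and validates a Customer Managed Key value with the identifier patterns from the schema above. `CMK_ARN` reuses the page's example ARN; `AWS_KEY_ARN`, the sample volumes, and the reading of a value without "or higher" as requiring exactly that level are assumptions.

```python
"""Root volume encryption level vs the Root Volume Encryption at Rest policy.

Added example, not code from the aws-ec2 mod. Volumes and key metadata are
constructed dicts shaped like EBS DescribeVolumes ('Encrypted', 'KmsKeyId') and
KMS DescribeKey ('KeyManager': 'AWS' or 'CUSTOMER'). Assumed semantics: a policy
value without 'or higher' requires exactly that level, and the value
'Encryption at Rest > Customer Managed Key' is met only by the key named in the
sub-policy, compared by ARN.
"""
import re

# Levels in increasing strength; "X or higher" accepts X and every later entry.
LEVELS = ["None", "AWS managed key", "Customer managed key"]

# Accepted KMS key identifier forms, copied from the Customer Managed Key schema.
KEY_ID_PATTERNS = [
    re.compile(r"^alias/[a-zA-Z0-9:/_-]{1,249}$"),                     # alias name
    re.compile(r"^[-a-z0-9-]{1,255}$"),                                # key id
    re.compile(r"^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:"
               r"[0-9]{12}:key/[-a-z0-9-]{1,255}$"),                    # key ARN
    re.compile(r"^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:"
               r"[0-9]{12}:alias/[a-zA-Z0-9:/_-]{1,249}$"),             # alias ARN
]


def is_valid_key_identifier(value):
    """True when the Customer Managed Key policy value has one of the schema's forms."""
    return any(p.match(value) for p in KEY_ID_PATTERNS)


def volume_level(volume, key_metadata):
    """Classify one volume: unencrypted, encrypted with an AWS managed key, or with a CMK."""
    if not volume.get("Encrypted"):
        return "None"
    key = key_metadata.get(volume.get("KmsKeyId"), {})
    return "Customer managed key" if key.get("KeyManager") == "CUSTOMER" else "AWS managed key"


def evaluate(level, policy_value, required_key_arn=None, volume_key_arn=None):
    """Return 'ok' or 'alarm' for a volume at `level` under `policy_value`."""
    if policy_value == "Encryption at Rest > Customer Managed Key":
        specific_key = level == "Customer managed key" and volume_key_arn == required_key_arn
        return "ok" if specific_key else "alarm"
    base, or_higher, _ = policy_value.partition(" or higher")
    if base not in LEVELS:
        raise ValueError(f"unknown policy value: {policy_value!r}")
    if or_higher:
        return "ok" if LEVELS.index(level) >= LEVELS.index(base) else "alarm"
    return "ok" if level == base else "alarm"


# Constructed sample data. The CMK ARN is the example from the policy text above;
# the AWS managed key ARN is made up.
CMK_ARN = "arn:aws:kms:us-east-1:123456789012:key/ddc06e04-ce5f-4995-c758-c2b6c510e8fd"
AWS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-4000-8000-000000000000"
KEY_METADATA = {CMK_ARN: {"KeyManager": "CUSTOMER"}, AWS_KEY_ARN: {"KeyManager": "AWS"}}
SAMPLE_ROOT_VOLUMES = {
    "vol-plain": {"Encrypted": False},
    "vol-awskey": {"Encrypted": True, "KmsKeyId": AWS_KEY_ARN},
    "vol-cmk": {"Encrypted": True, "KmsKeyId": CMK_ARN},
}


def check_root_volumes(policy_value, required_key_arn=CMK_ARN,
                       volumes=SAMPLE_ROOT_VOLUMES, key_metadata=KEY_METADATA):
    """Return {volume_id: (level, result)} for every root volume under one policy value."""
    if required_key_arn is not None and not is_valid_key_identifier(required_key_arn):
        raise ValueError("Customer Managed Key policy value is not a valid KMS identifier")
    results = {}
    for vol_id, vol in volumes.items():
        level = volume_level(vol, key_metadata)
        results[vol_id] = (level, evaluate(level, policy_value, required_key_arn, vol.get("KmsKeyId")))
    return results


if __name__ == "__main__":
    for policy in ("None or higher", "AWS managed key or higher",
                   "Encryption at Rest > Customer Managed Key"):
        print(policy)
        for vol_id, (level, result) in check_root_volumes(policy).items():
            print(f"  {vol_id}: {level} -> {result}")
```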
AWS > EC2 > Instance > Approved > Usage
Determine whether the AWS EC2 instance is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 instance is not approved, it will be subject to the action specified in the AWS > EC2 > Instance > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/instanceApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Instance > CMDB
Configure whether to record and synchronize details for the AWS EC2 instance into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip, all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Instance > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/instanceCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Instance > CMDB > Attributes
A list of attributes to retrieve data for in the CMDB control.
Any properties that are enabled and then later disabled will be removed and no longer tracked for this resource.
Note: The EnclaveOptions attribute is now available by default in the CMDB data for AWS > EC2 > Instance, hence the policy value EnclaveOptions has been deprecated and will be removed in the next major version.
tmod:@turbot/aws-ec2#/policy/types/instanceCmdbAttributes
{ "type": "array", "items": { "type": "string", "enum": [ "DisableApiTermination", "EnclaveOptions", "InstanceInitiatedShutdownBehavior", "KernelId", "RamdiskId", "SriovNetSupport", "UserData" ] }, "default": [ "DisableApiTermination", "EnclaveOptions", "InstanceInitiatedShutdownBehavior", "KernelId", "RamdiskId", "SriovNetSupport", "UserData" ]}
AWS > EC2 > Instance > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/aws-ec2#/policy/types/instanceConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > EC2 > Instance > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-ec2#/policy/types/instanceConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > EC2 > Instance > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-ec2#/policy/types/instanceConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > EC2 > Instance > Default Platform
Determine the default Instance platform.
tmod:@turbot/aws-ec2#/policy/types/instanceDefaultPlatform
"{\n instance {\n PlatformDetails: get(path: \"PlatformDetails\")\n ImagePlatformDetails: get(path: \"Image.PlatformDetails\")\n }\n}\n"
"'{%- if $.instance.ImagePlatformDetails -%}\n {{ $.instance.ImagePlatformDetails }}\n {%- elif $.instance.PlatformDetails -%}\n {{ $.instance.PlatformDetails }}\n {%- else -%}\n ""\n {%- endif -%}'\n"
{ "type": "string"}
AWS > EC2 > Instance > Detailed Monitoring
Define the Detailed Monitoring settings required for AWS > EC2 > Instance > Detailed Monitoring.
If detailed monitoring is enabled, the Amazon EC2 console displays monitoring graphs with a 1-minute period for the instance.
Note: Enabling detailed monitoring will incur additional charges.
tmod:@turbot/aws-ec2#/policy/types/instanceDetailedMonitoring
[ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Instance > Instance Profile
Determine whether the IAM instance profile is attached to AWS > EC2 > Instance.
tmod:@turbot/aws-ec2#/policy/types/instanceProfile
[ "Skip", "Check: Instance profile attached", "Check: Instance Profile > Name attached", "Enforce: Attach Instance Profile > Name"]
{ "type": "string", "enum": [ "Skip", "Check: Instance profile attached", "Check: Instance Profile > Name attached", "Enforce: Attach Instance Profile > Name" ], "example": [ "Check: Instance profile attached" ], "default": "Skip"}
AWS > EC2 > Instance > Instance Profile > Name
The IAM instance profile name to be attached to the AWS EC2 instance.
tmod:@turbot/aws-ec2#/policy/types/instanceProfileName
[ "{\n item: account {\n turbot {\n id\n }\n }\n}\n", "{\n serviceRoleDefaultEc2InstanceName: policyValue(resourceId:\"{{ $.item.turbot.id }}\" uri:\"tmod:@turbot/aws#/policy/types/serviceRolesDefaultEc2InstanceName\") {\n value\n }\n}\n"]
"{{ $.serviceRoleDefaultEc2InstanceName.value }}"
{ "type": "string"}
AWS > EC2 > Instance > Metadata Service
Instance metadata is data about your instance that you can use to configure or manage the running instance.
Instance metadata is divided into categories, for example, host name, events, and security groups.
Instance metadata can be accessed from a running instance using one of the following methods:
- Instance Metadata Service Version 1 (IMDSv1) – a request/response method
- Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method
By default, you can use either IMDSv1 or IMDSv2, or both. However, the instance metadata service can be specifically
configured to use IMDSv2 on each instance. When you specify that IMDSv2 must be used, IMDSv1 no longer works.
tmod:@turbot/aws-ec2#/policy/types/instanceMetadataService
[ "Skip", "Check: Disabled", "Check: Enabled for V1 and V2", "Check: Enabled for V2 only", "Enforce: Disabled", "Enforce: Enabled for V1 and V2", "Enforce: Enabled for V2 only"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled for V1 and V2", "Check: Enabled for V2 only", "Enforce: Disabled", "Enforce: Enabled for V1 and V2", "Enforce: Enabled for V2 only" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Instance > Metadata Service > HTTP Token Hop Limit
The number of network hops that the metadata token can travel.
The larger the number, the further instance metadata requests can travel.
Maximum is 64.
tmod:@turbot/aws-ec2#/policy/types/instanceMetadataServiceTokenHopLimit
{ "type": "number", "minimum": 1, "maximum": 64, "default": 1}
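The Metadata Service and HTTP Token Hop Limit policies above map onto an instance's MetadataOptions as returned by EC2 DescribeInstances (HttpEndpoint, HttpTokens, HttpPutResponseHopLimit). The following added example, not code from the aws-ec2 mod, evaluates constructed instances against those policy values and shows what an Enforce setting would have to change; the sample instance ids and their settings are constructed.

```python
"""Evaluate EC2 MetadataOptions against the Metadata Service policy values.

Added example, not part of the aws-ec2 mod. It takes the MetadataOptions
structure returned by EC2 DescribeInstances (HttpEndpoint, HttpTokens,
HttpPutResponseHopLimit) and reports whether the instance matches a given
"AWS > EC2 > Instance > Metadata Service" value and the "HTTP Token Hop Limit"
policy. The sample instances below are constructed.
"""

# Policy states from the enum, mapped to the MetadataOptions they require.
# "Enabled for V1 and V2" is HttpTokens=optional (IMDSv1 still answers);
# "Enabled for V2 only" is HttpTokens=required (unauthenticated IMDSv1
# requests are refused); "Disabled" turns the endpoint off entirely.
REQUIRED_STATE = {
    "Disabled": {"HttpEndpoint": "disabled"},
    "Enabled for V1 and V2": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
    "Enabled for V2 only": {"HttpEndpoint": "enabled", "HttpTokens": "required"},
}


def split_policy(value):
    """Split 'Check: Enabled for V2 only' into ('Check', 'Enabled for V2 only')."""
    if value == "Skip":
        return "Skip", None
    mode, _, state = value.partition(": ")
    if mode not in ("Check", "Enforce") or state not in REQUIRED_STATE:
        raise ValueError(f"unknown Metadata Service policy value: {value!r}")
    return mode, state


def evaluate_metadata_service(metadata_options, policy_value):
    """Return 'skipped', 'ok' or 'alarm' for one instance's MetadataOptions."""
    mode, state = split_policy(policy_value)
    if mode == "Skip":
        return "skipped"
    for key, expected in REQUIRED_STATE[state].items():
        if metadata_options.get(key) != expected:
            return "alarm"
    return "ok"


def evaluate_hop_limit(metadata_options, hop_limit_policy):
    """Compare the configured PUT response hop limit with the policy value (1..64).

    A limit of 1 keeps IMDSv2 token responses on the host itself; a larger
    value lets them travel further, e.g. into containers with their own
    network namespace. The page's default is 1.
    """
    if not 1 <= hop_limit_policy <= 64:
        raise ValueError("hop limit policy must be between 1 and 64")
    configured = metadata_options.get("HttpPutResponseHopLimit", 1)
    return "ok" if configured <= hop_limit_policy else "alarm"


def remediation(metadata_options, policy_value):
    """Return the MetadataOptions fields an Enforce value would set, or None.

    None means the policy is Skip/Check or the instance already complies.
    """
    mode, state = split_policy(policy_value)
    if mode != "Enforce" or evaluate_metadata_service(metadata_options, policy_value) == "ok":
        return None
    return dict(REQUIRED_STATE[state])


# Constructed sample instances, shaped like DescribeInstances MetadataOptions.
SAMPLE_INSTANCES = {
    "i-legacy": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2},
    "i-hardened": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1},
    "i-noimds": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1},
}


def report(instances=SAMPLE_INSTANCES, policy_value="Check: Enabled for V2 only", hop_limit=1):
    """Evaluate every instance; returns {instance_id: (imds_result, hop_result)}."""
    return {
        iid: (evaluate_metadata_service(opts, policy_value), evaluate_hop_limit(opts, hop_limit))
        for iid, opts in instances.items()
    }


if __name__ == "__main__":
    for iid, (imds, hops) in report().items():
        print(f"{iid}: metadata service={imds} hop limit={hops}")
```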
AWS > EC2 > Instance > Regions
A list of AWS regions in which AWS EC2 instances are supported for use.
Any instances in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/instanceRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Instance > Schedule
Set a schedule for starting and stopping an AWS EC2 instance.
Note: If both "Schedule" and "Schedule Tag" are set to enforce and the
instance has a turbot_custom_schedule tag, then the schedule specified by
the tag will be in effect.
tmod:@turbot/aws-ec2#/policy/types/instanceSchedule
[ "Skip", "Enforce: Business hours (8:00am - 6:00pm on weekdays)", "Enforce: Extended business hours (7:00am - 11:00pm on weekdays)", "Enforce: Stop for night (stop at 10:00pm every day)", "Enforce: Stop for weekend (stop at 10:00pm on Friday)"]
{ "type": "string", "enum": [ "Skip", "Enforce: Business hours (8:00am - 6:00pm on weekdays)", "Enforce: Extended business hours (7:00am - 11:00pm on weekdays)", "Enforce: Stop for night (stop at 10:00pm every day)", "Enforce: Stop for weekend (stop at 10:00pm on Friday)" ], "example": [ "Enforce: Business hours (8:00am - 6:00pm on weekdays)" ], "default": "Skip"}
AWS > EC2 > Instance > Schedule Tag
Allow setting a schedule for starting and stopping an EC2 instance via the AWS > EC2 > Instance > Schedule Tag > Name
tag. If the schedule is invalid, no actions will be taken against the instance.
Note: If both "Schedule" and "Schedule Tag" are set to enforce and the
instance has an AWS > EC2 > Instance > Schedule Tag > Name tag, then the
schedule specified by the tag will be in effect.
tmod:@turbot/aws-ec2#/policy/types/instanceScheduleTag
[ "Skip", "Enforce: Schedule per turbot_custom_schedule tag"]
{ "type": "string", "enum": [ "Skip", "Enforce: Schedule per turbot_custom_schedule tag" ], "example": [ "Enforce: Schedule per turbot_custom_schedule tag" ], "default": "Skip"}
AWS > EC2 > Instance > Schedule Tag > Name
The Tag key which will be used to identify the Schedule for the instance.
tmod:@turbot/aws-ec2#/policy/types/instanceScheduleTagName
{ "type": "string", "default": "turbot_custom_schedule"}
AWS > EC2 > Instance > Tags
Determine the action to take when AWS EC2 instance tags are not updated based on the AWS > EC2 > Instance > Tags > * policies.
The control ensures AWS EC2 instance tags include the tags defined in AWS > EC2 > Instance > Tags > Template.
Tags not defined in Instance Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/instanceTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Instance > Tags > Inventory Collection
Configure AWS > EC2 > Instance with the default SSM inventory collection instance tags.
tmod:@turbot/aws-ec2#/policy/types/instanceTagsInventoryCollection
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": [ "Disabled" ], "default": "Disabled"}
AWS > EC2 > Instance > Tags > Template
The template is used to generate the tag keys and values for the AWS EC2 instance.
Tags not defined in Instance Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/instanceTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Instance > Termination Protection
Define the Termination Protection settings required for AWS > EC2 > Instance > Termination Protection.
It prevents an instance from being accidentally terminated by someone using the AWS Management Console, the CLI, or the API.
tmod:@turbot/aws-ec2#/policy/types/instanceTerminationProtection
[ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Instance > Usage
Configure the number of AWS EC2 instances that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Instance > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/instanceUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Instance > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/instanceUsageLimit
{ "type": "integer", "minimum": 0, "default": 50}
AWS > EC2 > Key Pair > Active
Determine the action to take when an AWS EC2 key pair is inactive, based on the AWS > EC2 > Key Pair > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Key Pair > Active > *), raises an alarm, and takes the
defined enforcement action. Each Active sub-policy can calculate a status of
active, inactive or skipped. Generally, if the resource appears to be Active
for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/keyPairActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Key Pair > Active > Age
The age after which the AWS EC2 key pair is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Key Pair > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/keyPairActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Key Pair > Active > Budget
The impact of the budget state on the Active control. This policy allows you to force
key pairs to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Key Pair > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/keyPairActiveBudget
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Key Pair > Active > Last Modified
The number of days since the AWS EC2 key pair was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Key Pair > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/keyPairActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Key Pair > Approved
Determine the action to take when an AWS EC2 key pair is not approved based on the AWS > EC2 > Key Pair > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/keyPairApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Key Pair > Approved > Budget
The policy allows you to set key pairs to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.
This policy will be evaluated by the Approved control. If an AWS EC2 key pair is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Key Pair > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/keyPairApprovedBudget
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > EC2 > Key Pair > Approved > Custom
Determine whether the AWS EC2 key pair is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 key pair is not approved, it will be subject to the action specified in the AWS > EC2 > Key Pair > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/keyPairApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Key Pair > Approved > Regions
A list of AWS regions in which AWS EC2 key pairs are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 key pair is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Key Pair > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/keyPairApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Key Pair > Approved > Usage
Determine whether the AWS EC2 key pair is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 key pair is not approved, it will be subject to the action specified in the AWS > EC2 > Key Pair > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/keyPairApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Key Pair > CMDB
Configure whether to record and synchronize details for the AWS EC2 key pair into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip, all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-ec2#/policy/types/keyPairCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Key Pair > Regions
A list of AWS regions in which AWS EC2 key pairs are supported for use.
Any key pairs in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/keyPairRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Key Pair > Tags
Determine the action to take when AWS EC2 key pair tags are not updated based on the AWS > EC2 > Key Pair > Tags > * policies.
The control ensures AWS EC2 key pair tags include the tags defined in AWS > EC2 > Key Pair > Tags > Template.
Tags not defined in Key Pair Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/keyPairTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Key Pair > Tags > Template
The template is used to generate the tag keys and values for the AWS EC2 key pair.
Tags not defined in Key Pair Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/keyPairTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Key Pair > Usage
Configure the number of AWS EC2 key pairs that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Key Pair > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/keyPairUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Key Pair > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/keyPairUsageLimit
{ "type": "integer", "minimum": 0, "default": 5000}
AWS > EC2 > Launch Configuration > Active
Determine the action to take when an AWS EC2 launch configuration is inactive, based on the AWS > EC2 > Launch Configuration > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Launch Configuration > Active > *), raises an alarm, and
takes the defined enforcement action. Each Active sub-policy can calculate a
status of active, inactive or skipped. Generally, if the resource appears to
be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/launchConfigurationActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Launch Configuration > Active > Age
The age after which the AWS EC2 launch configuration is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use and, if not, can delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Launch Configuration > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/launchConfigurationActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Launch Configuration > Active > Last Modified
The number of days since the AWS EC2 launch configuration was last modified before it is considered inactive.
The Active control determines whether the resource is in active use and, if not, can delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Launch Configuration > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/launchConfigurationActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Launch Configuration > Approved
Determine the action to take when an AWS EC2 launch configuration is not approved based on AWS > EC2 > Launch Configuration > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/launchConfigurationApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Launch Configuration > Approved > Custom
Determine whether the AWS EC2 launch configuration is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 launch configuration is not approved, it will be subject to the action specified in the AWS > EC2 > Launch Configuration > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
tmod:@turbot/aws-ec2#/policy/types/launchConfigurationApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Launch Configuration > Approved > Regions
A list of AWS regions in which AWS EC2 launch configurations are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 launch configuration is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Launch Configuration > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/launchConfigurationApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Launch Configuration > Approved > Usage
Determine whether the AWS EC2 launch configuration is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 launch configuration is not approved, it will be subject to the action specified in the AWS > EC2 > Launch Configuration > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/launchConfigurationApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Launch Configuration > CMDB
Configure whether to record and synchronize details for the AWS EC2 launch configuration into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to "Skip" then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Launch Configuration > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/launchConfigurationCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Launch Configuration > Regions
A list of AWS regions in which AWS EC2 launch configurations are supported for use.
Any launch configurations in a region not listed here will not be recorded in the CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/launchConfigurationRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Launch Configuration > Usage
Configure the number of AWS EC2 launch configurations that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Launch Configuration > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/launchConfigurationUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Launch Configuration > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/launchConfigurationUsageLimit
{ "type": "integer", "minimum": 0, "default": 200}
AWS > EC2 > Launch Template > Active
Determine the action to take when an AWS EC2 launch template is not active, based on the AWS > EC2 > Launch Template > Active > * policies.
The control determines whether the resource is in active use and, if not, can delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Launch Template > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Launch Template > Active > Age
The age after which the AWS EC2 launch template is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use and, if not, can delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Launch Template > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Launch Template > Active > Last Modified
The number of days since the AWS EC2 launch template was last modified before it is considered inactive.
The Active control determines whether the resource is in active use and, if not, can delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Launch Template > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Launch Template > Approved
Determine the action to take when an AWS EC2 launch template is not approved based on AWS > EC2 > Launch Template > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Launch Template > Approved > Custom
Determine whether the AWS EC2 launch template is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 launch template is not approved, it will be subject to the action specified in the AWS > EC2 > Launch Template > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Launch Template > Approved > Regions
A list of AWS regions in which AWS EC2 launch templates are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 launch template is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Launch Template > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Launch Template > Approved > Usage
Determine whether the AWS EC2 launch template is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 launch template is not approved, it will be subject to the action specified in the AWS > EC2 > Launch Template > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Launch Template > CMDB
Configure whether to record and synchronize details for the AWS EC2 launch template into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to "Skip" then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Launch Template > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/launchTemplateCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Launch Template > Regions
A list of AWS regions in which AWS EC2 launch templates are supported for use.
Any launch templates in a region not listed here will not be recorded in the CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Launch Template > Tags
Determine the action to take when AWS EC2 launch template tags are not updated based on the AWS > EC2 > Launch Template > Tags > * policies.
The control ensures AWS EC2 launch template tags include the tags defined in AWS > EC2 > Launch Template > Tags > Template.
Tags not defined in Launch Template Tags Template will not be modified or deleted. Setting a tag value to "undefined" will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Launch Template > Tags > Template
The template is used to generate the tag keys and values for the AWS EC2 launch template.
Tags not defined in Launch Template Tags Template will not be modified or deleted. Setting a tag value to "undefined" will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Launch Template > Usage
Configure the number of AWS EC2 launch templates that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Launch Template > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Launch Template > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateUsageLimit
{ "type": "integer", "minimum": 0, "default": 5000}
AWS > EC2 > Launch Template Version > Active
Determine the action to take when an AWS EC2 launch template version is not active, based on the AWS > EC2 > Launch Template Version > Active > * policies.
The control determines whether the resource is in active use and, if not, can delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Launch Template Version > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateVersionActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Launch Template Version > Active > Age
The age after which the AWS EC2 launch template version is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use and, if not, can delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Launch Template Version > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateVersionActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Launch Template Version > Active > Last Modified
The number of days since the AWS EC2 launch template version was last modified before it is considered inactive.
The Active control determines whether the resource is in active use and, if not, can delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Launch Template Version > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateVersionActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
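The Active aggregation explained above, with the Age and Last Modified option strings parsed into day thresholds, as an added Python model; this is not the Guardrails mod's own code. The per-sub-policy semantics (Age reports inactive past its threshold and otherwise stays silent; Last Modified reports active within its threshold and inactive beyond it; the "Force" variants are treated the same as the plain ones) and the timestamps are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple

# Statuses a sub-policy can report, as named on the page.
ACTIVE, INACTIVE, SKIPPED = "active", "inactive", "skipped"

# Constructed evaluation time so the sample is reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def days_before(n: int) -> datetime:
    """Constructed timestamp n days before NOW."""
    return NOW - timedelta(days=n)


_DAYS = re.compile(r"(\d+) days?")


def threshold_days(option: str) -> Optional[int]:
    """N from option strings such as 'Force inactive if age > 90 days' or
    'Enforce: Delete inactive with 1 day warning'; None for 'Skip'."""
    m = _DAYS.search(option)
    return int(m.group(1)) if m else None


def age_status(option: str, created_at: datetime, now: datetime = NOW) -> str:
    """Active > Age. Assumption: inactive once the age exceeds the threshold,
    otherwise this sub-policy has no opinion (skipped)."""
    n = threshold_days(option)
    if n is None:
        return SKIPPED
    return INACTIVE if now - created_at > timedelta(days=n) else SKIPPED


def last_modified_status(option: str, modified_at: datetime, now: datetime = NOW) -> str:
    """Active > Last Modified. Assumption: active while the last change is within
    the threshold, inactive once it is older than that."""
    n = threshold_days(option)
    if n is None:
        return SKIPPED
    return ACTIVE if now - modified_at <= timedelta(days=n) else INACTIVE


def active_control(statuses: Iterable[str]) -> str:
    """Aggregation as the page describes it: active for any reason wins; only
    when nothing says active does an inactive result count; all skipped is skipped."""
    statuses = list(statuses)
    if ACTIVE in statuses:
        return ACTIVE
    if INACTIVE in statuses:
        return INACTIVE
    return SKIPPED


def enforcement(active_policy: str, status: str) -> Tuple[str, Optional[int]]:
    """What the top-level Active policy does with the aggregated status:
    'Check: Active' alarms, 'Enforce: Delete inactive with N days warning'
    alarms and deletes after N days. Returns (action, warning_days)."""
    if active_policy == "Skip" or status != INACTIVE:
        return ("none", None)
    if active_policy.startswith("Check"):
        return ("alarm", None)
    return ("delete", threshold_days(active_policy))


def evaluate(age_option: str, lm_option: str, created_at: datetime,
             modified_at: datetime, active_policy: str):
    """Run both sub-policies, aggregate, and apply the Active policy."""
    statuses = [age_status(age_option, created_at),
                last_modified_status(lm_option, modified_at)]
    status = active_control(statuses)
    return status, enforcement(active_policy, status)


if __name__ == "__main__":
    # A version created 100 days ago but edited 10 days ago: Age says inactive,
    # Last Modified says active, and active wins.
    print(evaluate("Force inactive if age > 90 days", "Active if last modified <= 30 days",
                   days_before(100), days_before(10), "Enforce: Delete inactive with 7 days warning"))
    # A version created 300 days ago and untouched for 200: inactive, delete after 7 days.
    print(evaluate("Force inactive if age > 90 days", "Active if last modified <= 30 days",
                   days_before(300), days_before(200), "Enforce: Delete inactive with 7 days warning"))
```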
AWS > EC2 > Launch Template Version > Approved
Determine the action to take when an AWS EC2 launch template version is not approved, based on the AWS > EC2 > Launch Template Version > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateVersionApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Launch Template Version > Approved > Custom
Determine whether the AWS EC2 launch template version is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 launch template version is not approved, it will be subject to the action specified in the AWS > EC2 > Launch Template Version > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateVersionApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
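A validator for the Approved > Custom value format described in the note above, combined with the "not approved for any reason" aggregation and the 60-minute "if new" window from the Approved policy, as an added Python example that is not the Guardrails mod's own code. It takes values already parsed from YAML (strings, dicts, lists); the region matcher, the treatment of an array of objects as ordinary sub-policy results, and raising only an alarm for an unapproved resource older than 60 minutes are assumptions, as are the constructed sample values.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Any, List

APPROVED, NOT_APPROVED, SKIP = "Approved", "Not approved", "Skip"
_RESULT = re.compile(r"^(Approved|Not approved|Skip)$")
_MAX_LEN = {"title": 32, "message": 128}  # from the {1,32} / {1,128} patterns above

# Constructed evaluation time so the 60-minute window can be tested offline.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def minutes_before(n: int) -> datetime:
    """Constructed creation timestamp n minutes before NOW."""
    return NOW - timedelta(minutes=n)


def _check_object(obj: dict) -> str:
    """One object form: 'result' required, optional 'title' and 'message',
    no other keys (additionalProperties: false in the schema above)."""
    extra = set(obj) - {"result", "title", "message"}
    if extra:
        raise ValueError(f"unexpected keys: {sorted(extra)}")
    if "result" not in obj:
        raise ValueError("missing required key 'result'")
    if not isinstance(obj["result"], str) or not _RESULT.match(obj["result"]):
        raise ValueError(f"bad result: {obj['result']!r}")
    for key, limit in _MAX_LEN.items():
        if key in obj and not (isinstance(obj[key], str) and 1 <= len(obj[key]) <= limit):
            raise ValueError(f"{key} must be a string of 1 to {limit} characters")
    return obj["result"]


def custom_results(value: Any) -> List[str]:
    """Validate an Approved > Custom value (a string, an object, or an array of
    objects, already parsed from YAML) and return every result it carries."""
    if isinstance(value, str):
        if not _RESULT.match(value):
            raise ValueError(f"bad result: {value!r}")
        return [value]
    if isinstance(value, dict):
        return [_check_object(value)]
    if isinstance(value, list) and all(isinstance(i, dict) for i in value):
        return [_check_object(i) for i in value]
    raise ValueError("value must be a string, an object or an array of objects")


def is_valid_custom(value: Any) -> bool:
    """True when custom_results() accepts the value."""
    try:
        custom_results(value)
        return True
    except ValueError:
        return False


def region_result(region: str, approved_regions: List[str]) -> str:
    """Approved > Regions: approved when the region matches any entry. Only '*'
    and '?' are wildcards on the page, so they are translated by hand rather
    than through fnmatch (which would also honour [] classes)."""
    for pattern in approved_regions:
        rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, region):
            return APPROVED
    return NOT_APPROVED


def approved_control(results: List[str]) -> str:
    """Aggregation as the page describes it: not approved according to any
    sub-policy means not approved; Skip results carry no opinion."""
    if NOT_APPROVED in results:
        return NOT_APPROVED
    if APPROVED in results:
        return APPROVED
    return SKIP


def enforcement(policy: str, status: str, created_at: datetime, now: datetime = NOW) -> str:
    """'Check: Approved' alarms on an unapproved resource. 'Enforce: Delete
    unapproved if new' deletes only if the resource was created within the last
    60 minutes; otherwise (assumption) it only alarms."""
    if policy == "Skip" or status != NOT_APPROVED:
        return "none"
    if policy.startswith("Check") or now - created_at > timedelta(minutes=60):
        return "alarm"
    return "delete"


def evaluate(custom_value: Any, region: str, approved_regions: List[str],
             policy: str, created_at: datetime) -> str:
    """Combine the Custom and Regions sub-policies and apply the Approved policy."""
    results = custom_results(custom_value) + [region_result(region, approved_regions)]
    return enforcement(policy, approved_control(results), created_at)


if __name__ == "__main__":
    # Constructed: a resource created 15 minutes ago in us-east-1 whose Custom
    # value records one passed and one failed check.
    value = [{"title": "Owner tag", "result": APPROVED},
             {"title": "Change ticket", "result": NOT_APPROVED, "message": "no ticket"}]
    print(evaluate(value, "us-east-1", ["us-*"], "Enforce: Delete unapproved if new",
                   minutes_before(15)))  # delete
```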
AWS > EC2 > Launch Template Version > Approved > Regions
A list of AWS regions in which AWS EC2 launch template versions are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 launch template version is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Launch Template Version > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateVersionApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Launch Template Version > Approved > Usage
Determine whether the AWS EC2 launch template version is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 launch template version is not approved, it will be subject to the action specified in the AWS > EC2 > Launch Template Version > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateVersionApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Launch Template Version > CMDB
Configure whether to record and synchronize details for the AWS EC2 launch template version into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Launch Template Version > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/launchTemplateVersionCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Launch Template Version > Regions
A list of AWS regions in which AWS EC2 launch template versions are supported for use.
Any launch template versions in a region not listed here will not be recorded in the CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateVersionRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Launch Template Version > Usage
Configure the number of AWS EC2 launch template versions that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Launch Template Version > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateVersionUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Launch Template Version > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/launchTemplateVersionUsageLimit
{ "type": "integer", "minimum": 0, "default": 50000000}
AWS > EC2 > Listener Rule > Active
Determine the action to take when an AWS EC2 listener rule is inactive, based on the AWS > EC2 > Listener Rule > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Listener Rule > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Listener Rule > Active > Age
The age after which the AWS EC2 listener rule is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Listener Rule > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Listener Rule > Active > Budget
The impact of the budget state on the Active control. This policy allows you to force listener rules to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Listener Rule > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleActiveBudget
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Listener Rule > Active > Last Modified
The number of days since the AWS EC2 listener rule was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Listener Rule > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Listener Rule > Approved
Determine the action to take when an AWS EC2 listener rule is not approved, based on the AWS > EC2 > Listener Rule > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Listener Rule > Approved > Budget
This policy allows you to set listener rules to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.
This policy will be evaluated by the Approved control. If an AWS EC2 listener rule is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Listener Rule > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleApprovedBudget
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > EC2 > Listener Rule > Approved > Custom
Determine whether the AWS EC2 listener rule is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 listener rule is not approved, it will be subject to the action specified in the AWS > EC2 > Listener Rule > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Listener Rule > Approved > Regions
A list of AWS regions in which AWS EC2 listener rules are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 listener rule is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Listener Rule > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Listener Rule > Approved > Usage
Determine whether the AWS EC2 listener rule is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 listener rule is not approved, it will be subject to the action specified in the AWS > EC2 > Listener Rule > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Listener Rule > CMDB
Configure whether to record and synchronize details for the AWS EC2 listener rule into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Listener Rule > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/listenerRuleCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Listener Rule > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > EC2 > Listener Rule > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > EC2 > Listener Rule > Configured > Source
An HCL- or JSON-format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > EC2 > Listener Rule > Regions
A list of AWS regions in which AWS EC2 listener rules are supported for use.
Any listener rules in a region not listed here will not be recorded in the CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Listener Rule > Usage
Configure the number of AWS EC2 listener rules that can be used for this application load balancer and the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Listener Rule > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Listener Rule > Usage > Limit
Maximum number of items that can be created for this application load balancer.
tmod:@turbot/aws-ec2#/policy/types/listenerRuleUsageLimit
{ "type": "integer", "minimum": 0, "default": 100}
AWS > EC2 > Load Balancer Listener > Active
Determine the action to take when an AWS EC2 load balancer listener is inactive, based on the AWS > EC2 > Load Balancer Listener > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Load Balancer Listener > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Load Balancer Listener > Active > Age
The age after which the AWS EC2 load balancer listener is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Load Balancer Listener > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Load Balancer Listener > Active > Last Modified
The number of days since the AWS EC2 load balancer listener was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Load Balancer Listener > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Load Balancer Listener > Approved
Determine the action to take when an AWS EC2 load balancer listener is not approved based on AWS > EC2 > Load Balancer Listener > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Load Balancer Listener > Approved > Custom
Determine whether the AWS EC2 Load Balancer Listener is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Load Balancer Listener > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Load Balancer Listener > Approved > Ports
Determine whether the AWS EC2 Load Balancer Listener is allowed to have a port assigned.
This policy will be evaluated by the Approved control. If an AWS EC2 load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Load Balancer Listener > Approved policy.
See Approved for more information.
Example:
- 443
- 1001-65535
- 80
- 400-999
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerApprovedPorts
{ "type": "array", "items": { "type": "string" }, "default": [ "1-65535" ]}
AWS > EC2 > Load Balancer Listener > Approved > Protocols
Determine whether the AWS EC2 Load Balancer Listener is allowed to have a protocol assigned.
This policy will be evaluated by the Approved control. If an AWS EC2 load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Load Balancer Listener > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerApprovedProtocols
{ "type": "array", "items": { "type": "string", "enum": [ "HTTP", "HTTPS", "TCP", "TLS", "UDP", "TCP_UDP" ] }, "default": [ "HTTP", "HTTPS", "TCP", "TLS", "UDP", "TCP_UDP" ]}
AWS > EC2 > Load Balancer Listener > Approved > Regions
A list of AWS regions in which AWS EC2 load balancer listeners are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 load balancer listener is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Load Balancer Listener > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Load Balancer Listener > Approved > Usage
Determine whether the AWS EC2 load balancer listener is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 load balancer listener is not approved, it will be subject to the action specified in the AWS > EC2 > Load Balancer Listener > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
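As an added illustration (not code from the aws-ec2 mod or from Turbot), the following Python models how the Approved sub-policies above (Custom, Ports, Protocols, Regions, Usage) combine for one listener, using the semantics the descriptions state: Ports entries are single ports or low-high ranges, Regions patterns take '*' and '?' wildcards, Custom is a string or objects carrying a result key, and one Not approved result makes the resource Unapproved. Function names, the sample listener and the already-resolved Usage value are this example's own assumptions.

```python
"""Model of how the Load Balancer Listener > Approved sub-policies combine.

Added illustration, not Turbot Guardrails code. It reproduces the semantics
the policy descriptions state; function names, the sample listener and the
pre-resolved Usage value are assumptions made for this example.
"""
from fnmatch import fnmatchcase
from typing import Any, Union

APPROVED, NOT_APPROVED, SKIP = "Approved", "Not approved", "Skip"


def port_allowed(port: int, approved_ports: list[str]) -> bool:
    """True if port matches an entry such as "443" or "1001-65535"."""
    for entry in approved_ports:
        low, sep, high = entry.partition("-")
        lo = int(low)
        hi = int(high) if sep else lo
        if lo <= port <= hi:
            return True
    return False


def region_allowed(region: str, approved_regions: list[str]) -> bool:
    """True if the region matches any pattern; '*' and '?' are wildcards."""
    return any(fnmatchcase(region, pattern) for pattern in approved_regions)


def custom_result(value: Union[str, dict, list]) -> str:
    """Collapse an Approved > Custom value (string, object or list of objects)."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict):
        return value["result"]
    results = [obj["result"] for obj in value]
    if NOT_APPROVED in results:
        return NOT_APPROVED
    return APPROVED if APPROVED in results else SKIP


def evaluate_approved(listener: dict[str, Any],
                      policies: dict[str, Any]) -> tuple[str, list[str]]:
    """Return the overall Approved status and the sub-policies that failed."""
    results = {
        "Ports": APPROVED if port_allowed(listener["port"], policies["ports"]) else NOT_APPROVED,
        "Protocols": APPROVED if listener["protocol"] in policies["protocols"] else NOT_APPROVED,
        "Regions": APPROVED if region_allowed(listener["region"], policies["regions"]) else NOT_APPROVED,
        "Usage": policies["usage"],          # assumed already resolved to a status
        "Custom": custom_result(policies["custom"]),
    }
    failed = sorted(name for name, status in results.items() if status == NOT_APPROVED)
    # Approved semantics: a single "Not approved" makes the resource Unapproved;
    # "Skip" sub-policies count neither way.
    if failed:
        return NOT_APPROVED, failed
    if all(status == SKIP for status in results.values()):
        return SKIP, []
    return APPROVED, []


# Constructed sample input: a plain-HTTP listener on port 8080 in eu-west-1,
# evaluated against policies that only allow encrypted listener protocols.
SAMPLE_LISTENER = {"port": 8080, "protocol": "HTTP", "region": "eu-west-1"}
SAMPLE_POLICIES = {
    "ports": ["443", "1001-65535"],
    "protocols": ["HTTPS", "TLS"],
    "regions": ["us-*", "eu-west-?"],
    "usage": APPROVED,
    "custom": [{"title": "owner tag present", "result": APPROVED}],
}

if __name__ == "__main__":
    status, failed = evaluate_approved(SAMPLE_LISTENER, SAMPLE_POLICIES)
    print(status, failed)  # Not approved ['Protocols']
```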
AWS > EC2 > Load Balancer Listener > CMDB
Configure whether to record and synchronize details for the AWS EC2 load balancer listener into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Load Balancer Listener > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Load Balancer Listener > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > EC2 > Load Balancer Listener > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > EC2 > Load Balancer Listener > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > EC2 > Load Balancer Listener > Regions
A list of AWS regions in which AWS EC2 load balancer listeners are supported for use.
Any load balancer listeners in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Load Balancer Listener > SSL Policy
Determine the action to take when an AWS EC2 load balancer listener is not using an allowed SSL policy.
If a load balancer listener is not using an allowed SSL policy and this policy is set to Enforce: Set to SSL Policy > Default, the load balancer listener will be updated to use the SSL policy selected in the AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed policy.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerSslPolicy
[ "Skip", "Check: Set in SSL Policy > Allowed", "Enforce: Set to SSL Policy > Default"]
{ "type": "string", "enum": [ "Skip", "Check: Set in SSL Policy > Allowed", "Enforce: Set to SSL Policy > Default" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed
A list of AWS SSL policies that the AWS EC2 load balancer listener is allowed to use.
For a complete list of SSL policies and which ciphers and protocols they support, please see Security policies.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerSslPolicyAllowed
{ "type": "array", "items": { "type": "string", "enum": [ "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-FS-1-1-2019-08", "ELBSecurityPolicy-FS-1-2-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2020-10", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-TLS-1-0-2015-04", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", "ELBSecurityPolicy-TLS13-1-0-2021-06", "ELBSecurityPolicy-TLS13-1-1-2021-06", "ELBSecurityPolicy-TLS13-1-2-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06", "ELBSecurityPolicy-TLS13-1-2-Res-2021-06", "ELBSecurityPolicy-TLS13-1-3-2021-06" ] }, "default": [ "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-FS-1-1-2019-08", "ELBSecurityPolicy-FS-1-2-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2020-10", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-TLS-1-0-2015-04", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", "ELBSecurityPolicy-TLS13-1-0-2021-06", "ELBSecurityPolicy-TLS13-1-1-2021-06", "ELBSecurityPolicy-TLS13-1-2-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06", "ELBSecurityPolicy-TLS13-1-2-Res-2021-06", "ELBSecurityPolicy-TLS13-1-3-2021-06" ]}
AWS > EC2 > Load Balancer Listener > SSL Policy > Default
Define the default AWS SSL policy the AWS EC2 load balancer listener should use if it's not currently using an allowed SSL policy.
The SSL policy selected in this policy should also be allowed in the AWS > EC2 > Load Balancer Listener > SSL Policy > Allowed policy, else the control will move into an invalid state while trying to enforce this policy.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerSslPolicyDefault
[ "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-FS-1-1-2019-08", "ELBSecurityPolicy-FS-1-2-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2020-10", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-TLS-1-0-2015-04", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", "ELBSecurityPolicy-TLS13-1-0-2021-06", "ELBSecurityPolicy-TLS13-1-1-2021-06", "ELBSecurityPolicy-TLS13-1-2-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06", "ELBSecurityPolicy-TLS13-1-2-Res-2021-06", "ELBSecurityPolicy-TLS13-1-3-2021-06"]
{ "type": "string", "enum": [ "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-FS-1-1-2019-08", "ELBSecurityPolicy-FS-1-2-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2020-10", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-TLS-1-0-2015-04", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", "ELBSecurityPolicy-TLS13-1-0-2021-06", "ELBSecurityPolicy-TLS13-1-1-2021-06", "ELBSecurityPolicy-TLS13-1-2-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06", "ELBSecurityPolicy-TLS13-1-2-Res-2021-06", "ELBSecurityPolicy-TLS13-1-3-2021-06" ], "example": [ "ELBSecurityPolicy-2016-08" ], "default": "ELBSecurityPolicy-2016-08"}
AWS > EC2 > Load Balancer Listener > Usage
Configure the number of AWS EC2 load balancer listeners that can be used for this application load balancer and the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Load Balancer Listener > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Load Balancer Listener > Usage > Limit
Maximum number of items that can be created for this application load balancer.
tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerUsageLimit
{ "type": "integer", "minimum": 0, "default": 50}
AWS > EC2 > Network Interface > Active
Determine the action to take when an AWS EC2 network interface is not active, based on the AWS > EC2 > Network Interface > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Network Interface > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Network Interface > Active > Age
The age after which the AWS EC2 network interface is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Network Interface > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Network Interface > Active > Attached
Determine whether the Network Interface is active, based on whether it is attached to any other resource types.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Network Interface > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceActiveAttached
[ "Skip", "Active if attached", "Force active if attached", "Force inactive if unattached"]
{ "type": "string", "enum": [ "Skip", "Active if attached", "Force active if attached", "Force inactive if unattached" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Network Interface > Active > Last Modified
The number of days since the AWS EC2 network interface was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Network Interface > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Network Interface > Approved
Determine the action to take when an AWS EC2 network interface is not approved based on AWS > EC2 > Network Interface > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Network Interface > Approved > Custom
Determine whether the AWS EC2 network interface is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 network interface is not approved, it will be subject to the action specified in the AWS > EC2 > Network Interface > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Network Interface > Approved > Regions
A list of AWS regions in which AWS EC2 network interfaces are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 network interface is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Network Interface > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Network Interface > Approved > Usage
Determine whether the AWS EC2 network interface is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 network interface is not approved, it will be subject to the action specified in the AWS > EC2 > Network Interface > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Network Interface > CMDB
Configure whether to record and synchronize details for the AWS EC2 network interface into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Network Interface > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Network Interface > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > EC2 > Network Interface > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > EC2 > Network Interface > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > EC2 > Network Interface > Regions
A list of AWS regions in which AWS EC2 network interfaces are supported for use.
Any network interfaces in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Network Interface > Tags
Determine the action to take when the tags of an AWS EC2 network interface are not updated based on the AWS > EC2 > Network Interface > Tags > * policies.
The control ensures AWS EC2 network interface tags include the tags defined in AWS > EC2 > Network Interface > Tags > Template.
Tags not defined in Network Interface Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Network Interface > Tags > Template
The template is used to generate the tag keys and values for the AWS EC2 network interface.
Tags not defined in Network Interface Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Network Interface > Usage
Configure the number of AWS EC2 network interfaces that can be used in this region, and check the current consumption against that limit.
You can configure the behavior of the control with this AWS > EC2 > Network Interface > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Network Interface > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/networkInterfaceUsageLimit
{ "type": "integer", "minimum": 0, "default": 5000}
AWS > EC2 > Network Load Balancer > Access Logging
Define the Access Logging settings required for AWS > EC2 > Network Load Balancer.
AWS > EC2 > Network Load Balancer provides access logs that capture detailed information about the TLS connections made to your load balancer. Access logs are only produced for listeners that use TLS; each entry records details such as the time, the client's IP address and port, connection and TLS handshake times, bytes received and sent, and the negotiated TLS protocol version and cipher. You can use these access logs to analyze traffic patterns and troubleshoot issues.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerAccessLogging
[ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled to Access Logging > Bucket", "Enforce: Disabled", "Enforce: Enabled to Access Logging > Bucket"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled to Access Logging > Bucket", "Enforce: Disabled", "Enforce: Enabled to Access Logging > Bucket" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Network Load Balancer > Access Logging > Bucket
The name of an S3 Bucket to which the AWS > EC2 > Network Load Balancer access logs will be delivered.
The S3 Bucket must already exist, and its bucket policy must allow the log delivery service principal (delivery.logs.amazonaws.com) to write objects under the AWSLogs/ prefix.
The bucket can reside in any account but must be in the same region as the Load Balancer.
Examples:
- testbucket
- turbotbucket
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerAccessLoggingBucket
"{\n turbotLoggingBucket: policy(uri: \"aws#/policy/types/loggingBucketDefault\")\n}\n"
"{% if $.turbotLoggingBucket %}"{{ $.turbotLoggingBucket }}"{% else %}""{% endif %}"
{ "type": "string", "pattern": "^[a-zA-Z0-9._-]{1,255}$"}
AWS > EC2 > Network Load Balancer > Access Logging > Key Prefix
An optional S3 key prefix under which the AWS > EC2 > Network Load Balancer access logs will be written.
The object keys of the access logs use the following format: bucket[/prefix]/AWSLogs/aws-account-id/elasticloadbalancing/region/yyyy/mm/dd/aws-account-id_elasticloadbalancing_region_load-balancer-id_end-time_ip-address_random-string.log.gz
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerAccessLoggingKeyPrefix
{ "type": "string", "pattern": "^.{1,200}$", "default": ""}
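As an added example (not part of the Guardrails mod or its policies), the following Python parses object keys that follow the format above and flags objects that did not come from the account, region and Key Prefix the policy expects. It is a quick way to confirm that a logging bucket shared across accounts is receiving only the deliveries you intended. The sample keys, account number and load balancer identifiers are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Object key layout documented for load balancer access logs:
#   [prefix/]AWSLogs/<account>/elasticloadbalancing/<region>/yyyy/mm/dd/
#   <account>_elasticloadbalancing_<region>_<lb-id>_<end-time>_<ip>_<random>.log.gz
KEY_RE = re.compile(
    r"""^
    (?:(?P<prefix>.+?)/)?                                  # optional Key Prefix
    AWSLogs/(?P<account>\d{12})/elasticloadbalancing/
    (?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)/
    (?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/
    (?P=account)_elasticloadbalancing_(?P=region)_
    (?P<lb_id>[A-Za-z0-9.\-]+)_                            # e.g. net.<name>.<hash>
    (?P<end_time>\d{8}T\d{4}Z)_
    (?P<ip>[0-9A-Fa-f.:]+)_
    (?P<random>[A-Za-z0-9]+)\.log\.gz
    $""",
    re.VERBOSE,
)

# Constructed sample listing of a logging bucket; the account number and
# load balancer identifiers are placeholders, not real resources.
SAMPLE_KEYS = [
    "nlb-logs/AWSLogs/123456789012/elasticloadbalancing/us-east-1/2024/05/01/"
    "123456789012_elasticloadbalancing_us-east-1_net.my-nlb.0123456789abcdef"
    "_20240501T0000Z_10.0.1.5_a1b2c3d4.log.gz",
    "AWSLogs/123456789012/elasticloadbalancing/eu-west-1/2024/05/01/"
    "123456789012_elasticloadbalancing_eu-west-1_net.other-nlb.fedcba9876543210"
    "_20240501T0005Z_10.0.2.9_z9y8x7w6.log.gz",
    "backups/unrelated-object.txt",
]


def parse_access_log_key(key: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the named parts of an access log key, or None if the key is not one."""
    match = KEY_RE.match(key)
    return match.groupdict() if match else None


def audit_keys(keys, expected_account: str, expected_region: str,
               expected_prefix: str = "") -> List[Tuple[str, str]]:
    """Flag objects that are not access logs from the expected source.

    expected_prefix="" mirrors an empty Key Prefix policy (logs land directly
    under AWSLogs/). The first mismatch found (account, region, prefix) is reported.
    """
    findings: List[Tuple[str, str]] = []
    for key in keys:
        parts = parse_access_log_key(key)
        if parts is None:
            findings.append((key, "not-an-access-log"))
        elif parts["account"] != expected_account:
            findings.append((key, "account"))
        elif parts["region"] != expected_region:
            findings.append((key, "region"))
        elif (parts["prefix"] or "") != expected_prefix:
            findings.append((key, "prefix"))
    return findings


if __name__ == "__main__":
    for key, reason in audit_keys(SAMPLE_KEYS, "123456789012", "us-east-1", "nlb-logs"):
        print(f"{reason:18} {key}")
```

Run against a real bucket listing, the same function will also surface log objects written by a load balancer in a region other than the bucket's, which the Bucket policy above says should not happen.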
AWS > EC2 > Network Load Balancer > Active
Determine the action to take when an AWS EC2 network load balancer is not active, based on the AWS > EC2 > Network Load Balancer > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Network Load Balancer > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Network Load Balancer > Active > Age
The age after which the AWS EC2 network load balancer
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Network Load Balancer > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Network Load Balancer > Active > Budget
The impact of the budget state on the active control. This policy allows you to force
network load balancers to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Network Load Balancer > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerActiveBudget
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Network Load Balancer > Active > Last Modified
The number of days since the AWS EC2 network load balancer
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Network Load Balancer > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Network Load Balancer > Approved
Determine the action to take when an AWS EC2 network load balancer is not approved, based on the AWS > EC2 > Network Load Balancer > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Network Load Balancer > Approved > Budget
The policy allows you to set network load balancers to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.
This policy will be evaluated by the Approved control. If an AWS EC2 network load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Network Load Balancer > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerApprovedBudget
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > EC2 > Network Load Balancer > Approved > Custom
Determine whether the AWS EC2 network load balancer is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 network load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Network Load Balancer > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or one or more YAML objects. Each object must contain the key result with a value of Approved, Not approved or Skip. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
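The following Python is an added example, not part of the Guardrails mod: it validates a policy value against the three shapes the schema above accepts (bare string, object, list of objects, with the 32- and 128-character limits on title and message) and then folds the entries the way the Approved control description says, so that a single Not approved entry makes the resource unapproved. One detail is an assumption the page does not state: entries that are all Skip leave the result skipped, and a mix of Approved and Skip counts as Approved. The sample value is constructed.

```python
from typing import Any, Dict, List

RESULTS = ("Approved", "Not approved", "Skip")
# Length limits taken from the schema patterns ^[\W\w]{1,32}$ and ^[\W\w]{1,128}$
TITLE_MAX, MESSAGE_MAX = 32, 128


def _validate_entry(entry: Any) -> Dict[str, Any]:
    """Check one YAML object: `result` required, optional `title`/`message`, nothing else."""
    if not isinstance(entry, dict):
        raise ValueError(f"expected an object, got {type(entry).__name__}")
    extra = set(entry) - {"title", "message", "result"}
    if extra:
        raise ValueError(f"unexpected keys {sorted(extra)}")
    if entry.get("result") not in RESULTS:
        raise ValueError("result must be Approved, Not approved or Skip")
    for key, limit in (("title", TITLE_MAX), ("message", MESSAGE_MAX)):
        if key in entry and not (isinstance(entry[key], str) and 1 <= len(entry[key]) <= limit):
            raise ValueError(f"{key} must be a string of 1 to {limit} characters")
    return entry


def normalize(value: Any) -> List[Dict[str, Any]]:
    """Reduce the three accepted shapes (string, object, list of objects) to a list of objects."""
    if isinstance(value, str):
        if value not in RESULTS:
            raise ValueError("string value must be Approved, Not approved or Skip")
        return [{"result": value}]
    if isinstance(value, dict):
        return [_validate_entry(value)]
    if isinstance(value, list):
        return [_validate_entry(item) for item in value]
    raise ValueError(f"unsupported policy value type {type(value).__name__}")


def evaluate(value: Any) -> str:
    """Fold entries as the Approved control does: any Not approved wins.

    Assumption (not stated on the page): all-Skip stays Skip, and a mix of
    Approved and Skip counts as Approved.
    """
    results = {entry["result"] for entry in normalize(value)}
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"


def unapproved_reasons(value: Any) -> List[str]:
    """Title/message of each entry that made the resource unapproved (alarm text)."""
    reasons = []
    for entry in normalize(value):
        if entry["result"] == "Not approved":
            text = entry.get("title", "Not approved")
            if "message" in entry:
                text += ": " + entry["message"]
            reasons.append(text)
    return reasons


# Constructed sample value in the list-of-objects shape.
SAMPLE_VALUE = [
    {"title": "Scheme", "result": "Approved", "message": "internal load balancer"},
    {"title": "Listener", "result": "Not approved", "message": "no TLS listener configured"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_VALUE), unapproved_reasons(SAMPLE_VALUE))
```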
AWS > EC2 > Network Load Balancer > Approved > Regions
A list of AWS regions in which AWS EC2 network load balancers are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 network load balancer is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Network Load Balancer > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Network Load Balancer > Approved > Usage
Determine whether the AWS EC2 network load balancer is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 network load balancer is not approved, it will be subject to the action specified in the AWS > EC2 > Network Load Balancer > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Network Load Balancer > CMDB
Configure whether to record and synchronize details for the AWS EC2 network load balancer into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Network Load Balancer > Regions
policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Network Load Balancer > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > EC2 > Network Load Balancer > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > EC2 > Network Load Balancer > Configured > Source
An HCL- or JSON-format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > EC2 > Network Load Balancer > Regions
A list of AWS regions in which AWS EC2 network load balancers are supported for use.
Any network load balancers in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Network Load Balancer > Tags
Determine the action to take when the tags on an AWS EC2 network load balancer do not match the AWS > EC2 > Network Load Balancer > Tags > * policies.
The control ensures the AWS EC2 network load balancer tags include the tags defined in AWS > EC2 > Network Load Balancer > Tags > Template.
Tags not defined in Network Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Network Load Balancer > Tags > Template
The template is used to generate the tag keys and values for the AWS EC2 network load balancer.
Tags not defined in Network Load Balancer Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Network Load Balancer > Usage
Configure the number of AWS EC2 network load balancers that can be used in this region, and check the current consumption against that limit.
You can configure the behavior of the control with this AWS > EC2 > Network Load Balancer > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Network Load Balancer > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerUsageLimit
{ "type": "integer", "minimum": 0, "default": 20}
AWS > EC2 > Permissions
Configure whether permissions policies are in effect for AWS EC2.
This setting does not affect account level permissions (AWS/Admin, AWS/Owner, etc).
Note: The behavior of this policy depends on the value of AWS > Permissions.
tmod:@turbot/aws-ec2#/policy/types/ec2Permissions
[ "Enabled", "Disabled", "Enabled if AWS > EC2 > Enabled & AWS > EC2 > API Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if AWS > EC2 > Enabled & AWS > EC2 > API Enabled" ], "example": [ "Enabled" ], "default": "Enabled if AWS > EC2 > Enabled & AWS > EC2 > API Enabled"}
AWS > EC2 > Permissions > Levels
Define the permissions levels that can be used to grant access to an AWS account.
Permissions levels defined will appear in the UI to assign access to Guardrails users.
This policy provides a default for Permissions > Levels in each service; however,
you can explicitly override the setting for each service if desired.
tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLevels
[ "{\n item: account {\n turbot{\n id\n }\n }\n}\n", "{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/aws-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"]
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "enum": [ "Metadata", "ReadOnly", "Operator", "Admin", "Owner" ] }}
AWS > EC2 > Permissions > Levels > Ami Publishing Administration
Determines which Guardrails permissions level can manage AMI Publishing Administration.
tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLevelsAmiPublishingAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
AWS > EC2 > Permissions > Levels > Auto Scaling Administration
Determines which Guardrails permissions level can manage Auto Scaling Administration.
tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLevelsAutoScalingAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
AWS > EC2 > Permissions > Levels > Local Amis Administration
Determines which Guardrails permissions level can manage Local AMIs Administration.
tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLevelsLocalAmisAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
AWS > EC2 > Permissions > Levels > Marketplace Subscription Administration
Determines which Guardrails permissions level can manage Marketplace Subscription Administration.
tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLevelsMarketplaceSubscriptionAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
AWS > EC2 > Permissions > Levels > Modifiers
A map of AWS API to Guardrails Permission Level used to customize Guardrails' standard permissions.
You can add, remove or redefine the mapping of AWS API operations to Guardrails permissions levels here.
Note: Modifiers are cumulative - if you add a permission to the Metadata level, it is also
added to ReadOnly, Operator and Admin. Modifier policies set here apply ONLY to the AWS level.
Example:
- "glacier:createvault": admin
- "glacier:ListVaults": metadata
- "s3:DeleteBucket": none
tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLevelsModifiers
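To make the cumulative rule concrete, here is an added Python example (not Guardrails code, and not its real permission map) that merges a Modifiers map over a base mapping and expands each grant up the level ladder, so an action placed at Metadata is also held by ReadOnly, Operator, Admin and Owner, and "none" removes it from every level. The base grants and the modifiers are constructed; action names are compared case-insensitively because the page's own example mixes cases.

```python
from typing import Dict, Set

# Guardrails levels, lowest to highest (from the Permissions > Levels schema).
LEVELS = ["Metadata", "ReadOnly", "Operator", "Admin", "Owner"]

# Constructed stand-in for the standard grants; NOT Guardrails' real mapping.
BASE_GRANTS = {
    "ec2:DescribeInstances": "metadata",
    "ec2:DescribeTags": "readonly",
    "ec2:StartInstances": "operator",
    "ec2:DeleteTags": "operator",
    "ec2:TerminateInstances": "admin",
}

# Constructed modifiers, in the shape of the policy value.
MODIFIERS = {
    "ec2:DescribeTags": "metadata",       # lower a read call to Metadata
    "ec2:deletetags": "admin",            # raise a destructive call to Admin (case-insensitive key)
    "ec2:TerminateInstances": "none",     # strip it from every level
}


def effective_grants(base: Dict[str, str], modifiers: Dict[str, str]) -> Dict[str, Set[str]]:
    """Merge modifiers over the base map, then expand cumulatively up the level ladder."""
    rank = {name.lower(): i for i, name in enumerate(LEVELS)}
    merged = {action.lower(): level.lower() for action, level in base.items()}
    for action, level in modifiers.items():
        merged[action.lower()] = level.lower()
    grants: Dict[str, Set[str]] = {name: set() for name in LEVELS}
    for action, level in merged.items():
        if level == "none":
            continue  # removed from all levels
        if level not in rank:
            raise ValueError(f"unknown level {level!r} for {action}")
        for name in LEVELS[rank[level]:]:
            grants[name].add(action)
    return grants


def allowed(grants: Dict[str, Set[str]], level: str, action: str) -> bool:
    """Does a user at `level` hold `action` after modifiers are applied?"""
    return action.lower() in grants[level]


if __name__ == "__main__":
    for level, actions in effective_grants(BASE_GRANTS, MODIFIERS).items():
        print(f"{level:9} {sorted(actions)}")
```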
AWS > EC2 > Permissions > Lockdown
tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLockdown
AWS > EC2 > Permissions > Lockdown > API Boundary
Configure whether the AWS EC2 API is enabled for all
users and roles in Guardrails-managed boundary policies.
Note: Disabling the service disables the API for ALL users
and roles, and Guardrails will have no access to the API.
tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLockdownApiBoundary
[ "Enabled if AWS > EC2 > API Enabled"]
{ "type": "string", "enum": [ "Enabled if AWS > EC2 > API Enabled" ], "example": [ "Enabled if AWS > EC2 > API Enabled" ], "default": "Enabled if AWS > EC2 > API Enabled"}
AWS > EC2 > Permissions > Lockdown > Instance
tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLockdownInstance
AWS > EC2 > Permissions > Lockdown > Instance > Image
Configure whether lockdown policies are enabled to prohibit launching
instances from unapproved AMIs. If enabled, instances will only be
allowed to be launched if they are trusted, per the AMI IDs
and/or Publishers sub-policies.
tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLockdownInstanceImage
[ "Lockdown Disabled", "Lockdown Enabled: Allow Image > AMI IDs only", "Lockdown Enabled: Allow Image > Publishers only", "Lockdown Enabled: Allow Image > AMI IDs or Image > Publishers", "Lockdown Enabled: Allow Image > AMI IDs from Image > Publishers"]
{ "type": "string", "enum": [ "Lockdown Disabled", "Lockdown Enabled: Allow Image > AMI IDs only", "Lockdown Enabled: Allow Image > Publishers only", "Lockdown Enabled: Allow Image > AMI IDs or Image > Publishers", "Lockdown Enabled: Allow Image > AMI IDs from Image > Publishers" ], "default": "Lockdown Disabled"}
AWS > EC2 > Permissions > Lockdown > Instance > Image > AMI IDs
A list of AMI IDs that are approved to be used to launch EC2 Instances.
The '*' wildcard may be used to allow all AMIs.
Examples:
- ami-ff81a385
- ami-12345678
tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLockdownInstanceImageAmiIds
AWS > EC2 > Permissions > Lockdown > Instance > Image > Publishers
A list of AWS Account IDs whose images may be used to launch EC2 Instances.
This list may contain:
- AWS Account IDs - Approve all images from the specified account
- local - Approve local images (where the OwnerId is the account id of the targeted instance)
- amazon - Approve amazon images (where ImageOwnerAlias == amazon)
- aws-marketplace - Approve marketplace images (where ImageOwnerAlias == aws-marketplace)
The '*' wildcard may be used to allow all AMIs from all publishers.
Examples:
- amazon # allow all images with ImageOwnerAlias amazon
- 102837901569 # Allow all images from AWS Account 102837901569
- local # Allow all local images
tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLockdownInstanceImagePublishers
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "^[a-z0-9-.?*]+$" }}
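The Image, AMI IDs and Publishers policies above combine into one launch decision. The following Python is an added example, not Guardrails code: it models that decision for each of the five Image lockdown settings, resolving local, amazon, aws-marketplace and wildcard account patterns against the OwnerId and ImageOwnerAlias fields that DescribeImages returns. Guardrails enforces the real lockdown through IAM boundary policies; this only shows which launches those settings admit. The image catalogue, AMI IDs and account numbers are constructed placeholders.

```python
from fnmatch import fnmatchcase
from typing import Dict, Iterable, Optional

MODE_DISABLED = "Lockdown Disabled"
MODE_IDS = "Lockdown Enabled: Allow Image > AMI IDs only"
MODE_PUBLISHERS = "Lockdown Enabled: Allow Image > Publishers only"
MODE_IDS_OR_PUBLISHERS = "Lockdown Enabled: Allow Image > AMI IDs or Image > Publishers"
MODE_IDS_FROM_PUBLISHERS = "Lockdown Enabled: Allow Image > AMI IDs from Image > Publishers"

# Constructed image catalogue shaped like DescribeImages output (OwnerId,
# ImageOwnerAlias). Every image ID and account number here is a placeholder.
LOCAL_ACCOUNT = "111111111111"
IMAGES: Dict[str, Dict[str, Optional[str]]] = {
    "ami-0aaaaaaaaaaaaaaa1": {"OwnerId": LOCAL_ACCOUNT, "ImageOwnerAlias": None},      # built in-house
    "ami-0bbbbbbbbbbbbbbb2": {"OwnerId": "333333333333", "ImageOwnerAlias": "amazon"},
    "ami-0ccccccccccccccc3": {"OwnerId": "444444444444", "ImageOwnerAlias": "aws-marketplace"},
    "ami-0ddddddddddddddd4": {"OwnerId": "222222222222", "ImageOwnerAlias": None},     # some other account
}


def publisher_matches(pattern: str, owner_id: str, owner_alias: Optional[str],
                      local_account: str) -> bool:
    """One Publishers entry: local, amazon, aws-marketplace, or an account ID pattern (* and ?)."""
    if pattern == "local":
        return owner_id == local_account
    if pattern in ("amazon", "aws-marketplace"):
        return owner_alias == pattern
    return fnmatchcase(owner_id, pattern)


def publisher_allowed(image: Dict[str, Optional[str]], publishers: Iterable[str],
                      local_account: str) -> bool:
    return any(publisher_matches(p, image["OwnerId"], image.get("ImageOwnerAlias"), local_account)
               for p in publishers)


def ami_id_allowed(ami_id: str, ami_ids: Iterable[str]) -> bool:
    """AMI IDs entry: an exact ID or a pattern such as '*'."""
    return any(fnmatchcase(ami_id, p) for p in ami_ids)


def launch_allowed(ami_id: str, images: Dict[str, Dict[str, Optional[str]]], mode: str,
                   ami_ids: Iterable[str], publishers: Iterable[str], local_account: str) -> bool:
    """Decide a launch request under one of the Image lockdown settings."""
    if mode == MODE_DISABLED:
        return True
    image = images.get(ami_id)
    if image is None:
        return False  # unknown image: no owner to establish trust from
    by_id = ami_id_allowed(ami_id, ami_ids)
    by_publisher = publisher_allowed(image, publishers, local_account)
    if mode == MODE_IDS:
        return by_id
    if mode == MODE_PUBLISHERS:
        return by_publisher
    if mode == MODE_IDS_OR_PUBLISHERS:
        return by_id or by_publisher
    if mode == MODE_IDS_FROM_PUBLISHERS:
        return by_id and by_publisher
    raise ValueError(f"unknown lockdown mode: {mode!r}")


if __name__ == "__main__":
    for ami in IMAGES:
        print(ami, launch_allowed(ami, IMAGES, MODE_PUBLISHERS, [], ["amazon", "local"], LOCAL_ACCOUNT))
```

The "AMI IDs from Publishers" setting is the strict one: an image must be both listed by ID and owned by a trusted publisher, so an attacker who registers a look-alike AMI in another account cannot satisfy it even if the ID list is loose.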
AWS > EC2 > Permissions > Lockdown > Instance Types
Configure whether lockdown policies are enabled to prohibit modification of Instance Types.
Note: It is recommended to include instance types from all AWS > EC2 > Instance > Approved > Instance Types
policy settings to ensure that this lockdown policy will not restrict any approved instance types.
Example:
- t2.micro
- t2.small
- d2.xlarge
tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLockdownInstanceTypes
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "^[a-z0-9.?*]+$" }}
AWS > EC2 > Permissions > Lockdown > Volume Types
Configure whether lockdown policies are enabled to prohibit modification of Volume Types.
Note: It is recommended to include volume types from all AWS > EC2 > Volume > Approved > Volume Types
policy settings to ensure that this lockdown policy will not restrict any approved volume types.
Example:
- sc1
- standard
- gp2
tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLockdownVolumeTypes
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "^[a-z0-9.?*]+$" }}
AWS > EC2 > Regions
A list of AWS regions in which AWS EC2 resources are supported for use.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
This policy is the default value for all AWS EC2 resources' Regions policies.
tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault
"{\n regions: policyValue(uri:\"tmod:@turbot/aws#/policy/types/regionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Snapshot > Active
Determine the action to take when an AWS EC2 snapshot is not active, based on the AWS > EC2 > Snapshot > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Snapshot > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/snapshotActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Snapshot > Active > Age
The age after which the AWS EC2 snapshot is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Snapshot > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/snapshotActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Snapshot > Active > Budget
The impact of the budget state on the Active control. This policy allows you to force snapshots to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Snapshot > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/snapshotActiveBudget
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Snapshot > Active > Last Modified
The number of days since the AWS EC2 snapshot was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Snapshot > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/snapshotActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Snapshot > Approved
Determine the action to take when an AWS EC2 snapshot is not approved based on the AWS > EC2 > Snapshot > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/snapshotApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Snapshot > Approved > Budget
The policy allows you to set snapshots to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.
This policy will be evaluated by the Approved control. If an AWS EC2 snapshot is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Snapshot > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/snapshotApprovedBudget
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > EC2 > Snapshot > Approved > Custom
Determine whether the AWS EC2 snapshot is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 snapshot is not approved, it will be subject to the action specified in the AWS > EC2 > Snapshot > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/snapshotApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Snapshot > Approved > Encryption at Rest
Define the Encryption at Rest settings required for AWS > EC2 > Snapshot.
Encryption at Rest refers specifically to the encryption of data when written to an underlying storage system. This control determines whether the resource is encrypted at rest, and sets encryption to your desired level.
The Encryption at Rest control compares the encryption settings against the encryption policies for the resource (AWS > EC2 > Snapshot > Encryption at Rest > *), raises an alarm, and takes the defined enforcement action.
tmod:@turbot/aws-ec2#/policy/types/snapshotEncryptionAtRest
[ "None", "None or higher", "AWS managed key", "AWS managed key or higher", "Customer managed key", "Encryption at Rest > Customer Managed Key"]
{ "type": "string", "enum": [ "None", "None or higher", "AWS managed key", "AWS managed key or higher", "Customer managed key", "Encryption at Rest > Customer Managed Key" ], "example": [ "None or higher" ], "default": "None or higher"}
AWS > EC2 > Snapshot > Approved > Encryption at Rest > Customer Managed Key
Define the KMS key ID for encryption at rest.
Encryption at Rest refers specifically to the encryption of data when written to an underlying storage system. This control determines whether the resource is encrypted at rest, and sets encryption to your desired level.
The Encryption at Rest control compares the encryption settings against the encryption policies for the resource (AWS > EC2 > Snapshot > Encryption at Rest > *), raises an alarm, and takes the defined enforcement action.
Please make sure the key defined in the template has the required permissions.
Examples:
alias/aws/ebs
ddc06e04-ce5f-4995-c758-c2b6c510e8fd
arn:aws:kms:us-east-1:123456789012:key/ddc06e04-ce5f-4995-c758-c2b6c510e8fd
arn:aws:kms:us-east-1:123456789012:alias/aws/ebs
tmod:@turbot/aws-ec2#/policy/types/snapshotEncryptionAtRestCustomerManagedKey
"{\n defaultKey: policy(uri: \"aws-kms#/policy/types/keyDefaultCustomerManagedKey\")\n}\n"
"{{ $.defaultKey }}"
{ "anyOf": [ { "type": "string", "pattern": "^alias/[a-zA-Z0-9:/_-]{1,249}$" }, { "type": "string", "pattern": "^[-a-z0-9-]{1,255}$" }, { "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:key/[-a-z0-9-]{1,255}$" }, { "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:alias/[a-zA-Z0-9:/_-]{1,249}$" } ], "tests": [ { "description": "valid - if keyArn", "input": "arn:aws:kms:us-east-1:039305405804:key/ddc06e04-ce5f-4995-b758-c2b6c510e8fd" }, { "description": "valid - if aliasName", "input": "alias/aws/ebs" }, { "description": "valid - if keyId", "input": "ddc06e04-ce5f-4995-b758-c2b6c510e8fd" }, { "description": "valid - if aliasArn", "input": "arn:aws:kms:us-east-1:039305405804:alias/aws/ebs" } ]}
AWS > EC2 > Snapshot > Approved > Regions
A list of AWS regions in which AWS EC2 snapshots are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 snapshot is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Snapshot > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/snapshotApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Snapshot > Approved > Usage
Determine whether the AWS EC2 snapshot is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 snapshot is not approved, it will be subject to the action specified in the AWS > EC2 > Snapshot > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/snapshotApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Snapshot > CMDB
Configure whether to record and synchronize details for the AWS EC2 snapshot into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Snapshot > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/snapshotCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Snapshot > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/aws-ec2#/policy/types/snapshotConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > EC2 > Snapshot > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-ec2#/policy/types/snapshotConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > EC2 > Snapshot > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-ec2#/policy/types/snapshotConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > EC2 > Snapshot > Regions
A list of AWS regions in which AWS EC2 snapshots are supported for use.
Any snapshots in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/snapshotRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Snapshot > Tags
Determine the action to take when AWS EC2 snapshot tags are not updated based on the AWS > EC2 > Snapshot > Tags > * policies.
The control ensures AWS EC2 snapshot tags include the tags defined in AWS > EC2 > Snapshot > Tags > Template.
Tags not defined in Snapshot Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/snapshotTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Snapshot > Tags > Template
The template is used to generate the keys and values for the AWS EC2 snapshot.
Tags not defined in Snapshot Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/snapshotTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Snapshot > Trusted Access
Manage trusted access for AWS EC2 Snapshots.
AWS allows EC2 Snapshots to be shared with specific AWS accounts.
This policy allows you to configure whether such sharing is allowed, and to which accounts.
If set to Enforce, access for non-trusted accounts will be removed.
tmod:@turbot/aws-ec2#/policy/types/snapshotTrustedAccess
[ "Skip", "Check: Trusted Access > Accounts", "Enforce: Trusted Access > Accounts"]
{ "type": "string", "enum": [ "Skip", "Check: Trusted Access > Accounts", "Enforce: Trusted Access > Accounts" ], "example": [ "Check: Trusted Access > Accounts" ], "default": "Skip"}
AWS > EC2 > Snapshot > Trusted Access > Accounts
A list of AWS account IDs that are allowed to have access.
tmod:@turbot/aws-ec2#/policy/types/snapshotTrustedAccessAccounts
"{\n accounts: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2TrustedAccounts\")\n}\n"
"{% if $.accounts | length == 0 %}[]{% endif %}{% for item in $.accounts %}- '{{ item }}'\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "pattern": "(?:^[0-9]{12}$|^\\*$|^all$)" }}
AWS > EC2 > Snapshot > Usage
Configure the number of AWS EC2 snapshots that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Snapshot > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/snapshotUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Snapshot > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/snapshotUsageLimit
{ "type": "integer", "minimum": 0, "default": 1000}
AWS > EC2 > Tags Template [Default]
A template used to generate the keys and values for AWS EC2 resources.
By default, all EC2 resource Tags > Template policies will use this value.
tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws#/policy/types/defaultTagsTemplate\") {\n value\n }\n}\n"
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Target Group > Active
Determine the action to take for an AWS EC2 target group, based on the AWS > EC2 > Target Group > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Target Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/targetGroupActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Target Group > Active > Age
The age after which the AWS EC2 target group is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Target Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/targetGroupActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Target Group > Active > Last Modified
The number of days since the AWS EC2 target group was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Target Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/targetGroupActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Target Group > Approved
Determine the action to take when an AWS EC2 target group is not approved based on the AWS > EC2 > Target Group > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/targetGroupApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Target Group > Approved > Custom
Determine whether the AWS EC2 target group is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 target group is not approved, it will be subject to the action specified in the AWS > EC2 > Target Group > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/targetGroupApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Target Group > Approved > Regions
A list of AWS regions in which AWS EC2 target groups are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 target group is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Target Group > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/targetGroupApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Target Group > Approved > Usage
Determine whether the AWS EC2 target group is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 target group is not approved, it will be subject to the action specified in the AWS > EC2 > Target Group > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/targetGroupApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Target Group > CMDB
Configure whether to record and synchronize details for the AWS EC2 target group into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Target Group > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/targetGroupCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Target Group > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/aws-ec2#/policy/types/targetGroupConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > EC2 > Target Group > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-ec2#/policy/types/targetGroupConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > EC2 > Target Group > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-ec2#/policy/types/targetGroupConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > EC2 > Target Group > Regions
A list of AWS regions in which AWS EC2 target groups are supported for use.
Any target groups in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/targetGroupRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Target Group > Tags
Determine the action to take when AWS EC2 target group tags are not updated based on the AWS > EC2 > Target Group > Tags > * policies.
The control ensures AWS EC2 target group tags include the tags defined in AWS > EC2 > Target Group > Tags > Template.
Tags not defined in the Target Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/targetGroupTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Target Group > Tags > Template
The template is used to generate the keys and values for AWS EC2 target group.
Tags not defined in the Target Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/targetGroupTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Target Group > Usage
Configure the number of AWS EC2 target groups that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Target Group > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/targetGroupUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Target Group > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/targetGroupUsageLimit
{ "type": "integer", "minimum": 0, "default": 3000}
AWS > EC2 > Trusted Accounts [Default]
List of AWS Accounts that are trusted for access in the AWS EC2 policy.
This policy is used by the Trusted Access control to determine which members of type "account" are allowed to be granted access. You may use the '*' and '?' wildcard characters.
Example:
- "013122550996"
- "560741234067"
Note: Setting the policy to an empty array will remove all accounts.
tmod:@turbot/aws-ec2#/policy/types/ec2TrustedAccounts
"{\n trustedAccounts: policyValue(uri:\"tmod:@turbot/aws#/policy/types/trustedAccounts\") {\n value\n }\n}\n"
"{% if $.trustedAccounts.value | length == 0 %}[]{% else %}{% for item in $.trustedAccounts.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string", "pattern": "^[0-9]{12}|^\\*$" }}
AWS > EC2 > Volume > Active
Determine the action to take when an AWS EC2 volume is inactive, based on the AWS > EC2 > Volume > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Volume > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/volumeActive
[ "Skip", "Check: Active", "Enforce: Detach, snapshot and delete inactive with 1 day warning", "Enforce: Detach, snapshot and delete inactive with 3 days warning", "Enforce: Detach, snapshot and delete inactive with 7 days warning", "Enforce: Detach, snapshot and delete inactive with 14 days warning", "Enforce: Detach, snapshot and delete inactive with 30 days warning", "Enforce: Detach, snapshot and delete inactive with 60 days warning", "Enforce: Detach, snapshot and delete inactive with 90 days warning", "Enforce: Detach, snapshot and delete inactive with 180 days warning", "Enforce: Detach, snapshot and delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Detach, snapshot and delete inactive with 1 day warning", "Enforce: Detach, snapshot and delete inactive with 3 days warning", "Enforce: Detach, snapshot and delete inactive with 7 days warning", "Enforce: Detach, snapshot and delete inactive with 14 days warning", "Enforce: Detach, snapshot and delete inactive with 30 days warning", "Enforce: Detach, snapshot and delete inactive with 60 days warning", "Enforce: Detach, snapshot and delete inactive with 90 days warning", "Enforce: Detach, snapshot and delete inactive with 180 days warning", "Enforce: Detach, snapshot and delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > EC2 > Volume > Active > Age
The age after which the AWS EC2 volume is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Volume > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/volumeActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > EC2 > Volume > Active > Attached
Determine whether the Volume is active, based on whether it is attached to any other resource types.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > EC2 > Volume > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/aws-ec2#/policy/types/volumeActiveAttached
[ "Skip", "Active if attached", "Force active if attached", "Force inactive if unattached"]
{ "type": "string", "enum": [ "Skip", "Active if attached", "Force active if attached", "Force inactive if unattached" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Volume > Active > Budget
The impact of the budget state on the active control. This policy allows you to force
volumes to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time-consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Volume > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/volumeActiveBudget
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > EC2 > Volume > Active > Last Modified
The number of days since the AWS EC2 volume was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > EC2 > Volume > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-ec2#/policy/types/volumeActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > EC2 > Volume > Approved
Determine the action to take when an AWS EC2 volume is not approved based on AWS > EC2 > Volume > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/volumeApproved
[ "Skip", "Check: Approved", "Enforce: Detach unapproved if new", "Enforce: Detach, snapshot and delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Detach unapproved if new", "Enforce: Detach, snapshot and delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > EC2 > Volume > Approved > Budget
The policy allows you to set volumes to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.
This policy will be evaluated by the Approved control. If an AWS EC2 volume is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Volume > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/volumeApprovedBudget
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > EC2 > Volume > Approved > Custom
Determine whether the AWS EC2 volume is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 volume is not approved, it will be subject to the action specified in the AWS > EC2 > Volume > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-ec2#/policy/types/volumeApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > EC2 > Volume > Approved > Encryption at Rest
Define the Encryption at Rest settings required for AWS > EC2 > Volume.
Encryption at Rest refers specifically to the encryption of data when written
to an underlying storage system. This control determines whether the resource
is encrypted at rest, and sets encryption to your desired level.
The Encryption at Rest control compares the encryption settings against the encryption policies for the resource
(AWS > EC2 > Volume > Encryption at Rest > *),
raises an alarm, and takes the defined enforcement action.
tmod:@turbot/aws-ec2#/policy/types/volumeEncryptionAtRest
[ "None", "None or higher", "AWS managed key", "AWS managed key or higher", "Customer managed key", "Encryption at Rest > Customer Managed Key"]
{ "type": "string", "enum": [ "None", "None or higher", "AWS managed key", "AWS managed key or higher", "Customer managed key", "Encryption at Rest > Customer Managed Key" ], "example": [ "None or higher" ], "default": "None or higher"}
AWS > EC2 > Volume > Approved > Encryption at Rest > Customer Managed Key
Define the KMS key ID for encryption at rest.
Encryption at Rest refers specifically to the encryption of data when written
to an underlying storage system. This control determines whether the resource
is encrypted at rest, and sets encryption to your desired level.
The Encryption at Rest control compares the encryption settings against the encryption policies for the resource
(AWS > EC2 > Volume > Encryption at Rest > *),
raises an alarm, and takes the defined enforcement action.
Please make sure the key defined in the template has the required permissions.
Example:
- alias/aws/ebs
- ddc06e04-ce5f-4995-c758-c2b6c510e8fd
- arn:aws:kms:us-east-1:123456789012:key/ddc06e04-ce5f-4995-c758-c2b6c510e8fd
- arn:aws:kms:us-east-1:123456789012:alias/aws/ebs
tmod:@turbot/aws-ec2#/policy/types/volumeEncryptionAtRestCustomerManagedKey
"{\n defaultKey: policy(uri: \"aws-kms#/policy/types/keyDefaultCustomerManagedKey\")\n}\n"
"{{ $.defaultKey }}"
{ "anyOf": [ { "type": "string", "pattern": "^alias/[a-zA-Z0-9:/_-]{1,249}$" }, { "type": "string", "pattern": "^[-a-z0-9-]{1,255}$" }, { "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:key/[-a-z0-9-]{1,255}$" }, { "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:alias/[a-zA-Z0-9:/_-]{1,249}$" } ], "tests": [ { "description": "valid - if keyArn", "input": "arn:aws:kms:us-east-1:039305405804:key/ddc06e04-ce5f-4995-b758-c2b6c510e8fd" }, { "description": "valid - if aliasName", "input": "alias/aws/ebs" }, { "description": "valid - if keyId", "input": "ddc06e04-ce5f-4995-b758-c2b6c510e8fd" }, { "description": "valid - if aliasArn", "input": "arn:aws:kms:us-east-1:039305405804:alias/aws/ebs" } ]}
AWS > EC2 > Volume > Approved > Regions
A list of AWS regions in which AWS EC2 volumes are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS EC2 volume is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > EC2 > Volume > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/volumeApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-ec2#/policy/types/ec2ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Volume > Approved > Usage
Determine whether the AWS EC2 volume is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS EC2 volume is not approved, it will be subject to the action specified in the AWS > EC2 > Volume > Approved policy.
See Approved for more information.
tmod:@turbot/aws-ec2#/policy/types/volumeApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > EC2 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > EC2 > Enabled"}
AWS > EC2 > Volume > Approved > Volume Types
A list of volume types that the AWS EC2 volume is approved to use.
The expected format is an array of volume types. You may use the * and ? wildcard characters (and more).
This policy will be evaluated by the Approved control. If an AWS EC2 volume is not matched by the approved list, it will be subject to the action specified in the AWS > EC2 > Volume > Approved policy.
See Approved for more information.
Note: It is recommended to include volume types in this policy in the AWS > EC2 > Permissions > Lockdown > Volume Types policy as well, to ensure that the lockdown policy will not restrict these approved volume types.
tmod:@turbot/aws-ec2#/policy/types/volumeApprovedVolumeTypes
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "^[a-z0-9.?*]+$" }}
AWS > EC2 > Volume > CMDB
Configure whether to record and synchronize details for the AWS EC2 volume into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > EC2 > Volume > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-ec2#/policy/types/volumeCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > EC2 > Volume > CMDB > Attributes
A list of attributes to retrieve data for in the CMDB control.
Any properties that are enabled and then later disabled will be removed and no longer tracked for this resource.
tmod:@turbot/aws-ec2#/policy/types/volumeCmdbAttributes
{ "type": "array", "items": { "type": "string", "enum": [ "AutoEnableIO", "ProductCodes" ] }, "default": [ "AutoEnableIO", "ProductCodes" ]}
AWS > EC2 > Volume > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/aws-ec2#/policy/types/volumeConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > EC2 > Volume > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-ec2#/policy/types/volumeConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > EC2 > Volume > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-ec2#/policy/types/volumeConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > EC2 > Volume > Performance Configuration
Define the parameters required for AWS > EC2 > Volume.
Please refer to Solid state drive (SSD) volumes for more details on EBS volume types and their parameters.
tmod:@turbot/aws-ec2#/policy/types/volumeConfiguration
[ "Skip", "Check: Configured per Configuration > * policies", "Enforce: Configured per Configuration > * policies"]
{ "type": "string", "enum": [ "Skip", "Check: Configured per Configuration > * policies", "Enforce: Configured per Configuration > * policies" ], "example": [ "Skip", "Check: Configured per Configuration > * policies" ], "default": "Skip"}
AWS > EC2 > Volume > Performance Configuration > IOPS Capacity
Define the IOPS Capacity required for AWS > EC2 > Volume.
tmod:@turbot/aws-ec2#/policy/types/volumeConfigurationIopsCapacity
"{\n volume {\n Iops: get(path: \"Iops\")\n }\n}\n"
"{{ $.volume.Iops }}\n"
{ "type": "number"}
AWS > EC2 > Volume > Performance Configuration > Throughput
Define the Throughput required for AWS > EC2 > Volume in MiB/s.
tmod:@turbot/aws-ec2#/policy/types/volumeConfigurationThroughput
"{\n volume {\n Throughput: get(path: \"Throughput\")\n }\n}\n"
"{{ $.volume.Throughput }}\n"
{ "type": "number", "minimum": 125, "maximum": 1000}
AWS > EC2 > Volume > Performance Configuration > Type
Define the Volume Type required for AWS > EC2 > Volume.
This policy will be set to null by default if the current volume type doesn't belong to the allowed enum values.
tmod:@turbot/aws-ec2#/policy/types/volumeConfigurationType
"{\n volume {\n volumeType: get(path: \"VolumeType\")\n }\n}\n"
"{% set allowedValues = ['io1', 'io2', 'gp2', 'gp3', 'sc1', 'st1', 'standard'] %}\n{% if allowedValues.includes($.volume.volumeType) %}{{ $.volume.volumeType }}{% else %}null{% endif %}\n"
{ "type": "string", "enum": [ "io1", "io2", "gp2", "gp3", "sc1", "st1", "standard" ], "example": [ "gp3", "io2" ]}
AWS > EC2 > Volume > Regions
A list of AWS regions in which AWS EC2 volumes are supported for use.
Any volumes in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/aws-ec2#/policy/types/volumeRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > EC2 > Volume > Tags
Determine the action to take when AWS EC2 volume tags are not updated based on the AWS > EC2 > Volume > Tags > * policies.
The control ensures AWS EC2 volume tags include the tags defined in AWS > EC2 > Volume > Tags > Template.
Tags not defined in the Volume Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/volumeTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > EC2 > Volume > Tags > Template
The template is used to generate the keys and values for AWS EC2 volume.
Tags not defined in the Volume Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-ec2#/policy/types/volumeTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-ec2#/policy/types/ec2TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > EC2 > Volume > Usage
Configure the number of AWS EC2 volumes that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > EC2 > Volume > Usage policy.
tmod:@turbot/aws-ec2#/policy/types/volumeUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > EC2 > Volume > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-ec2#/policy/types/volumeUsageLimit
{ "type": "integer", "minimum": 0, "default": 1000}
AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-ec2
The CloudWatch Events event pattern used by the AWS EC2 module to specify
which events to forward to the Guardrails Event Handlers.
tmod:@turbot/aws-ec2#/policy/types/ec2CustomEventPatterns
{ "type": "array", "items": { "type": "object" }}
AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-ec2
A read-only policy generated by Guardrails that lists the APIs that
should be added to the guardrails-managed (hard) boundary policy,
thereby enabling them to be assigned to users and roles.
This value will change depending on the value of the AWS > EC2 > Permissions > Lockdown > API Boundary policy.
tmod:@turbot/aws-ec2#/policy/types/awsCompiledApiBoundary
{ "type": "array"}
AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-ec2
A calculated policy that Guardrails uses to create a compiled
list of ALL permissions for AWS EC2 that is used as input to
the stack that manages the Guardrails IAM permissions objects.
tmod:@turbot/aws-ec2#/policy/types/awsLevelsCompiled
AWS > Turbot > Permissions > Compiled > Lockdown Statements > @turbot/aws-ec2
A calculated policy that Guardrails uses to create a compiled list
of ALL lockdown policy statements for AWS EC2 that is used as
input to the stack that manages the Guardrails IAM permissions objects.
tmod:@turbot/aws-ec2#/policy/types/awsCompiledLockdownStatements
{ "type": "array"}
AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-ec2
A calculated policy that Guardrails uses to create a compiled
list of ALL permissions for AWS EC2 that is used as input
to the control that manages the IAM stack.
tmod:@turbot/aws-ec2#/policy/types/awsCompiledServicePermissions