@turbot/aws-iam

The aws-iam mod contains resource, control and policy definitions for the AWS IAM service.

Version
5.35.1
Released On
Mar 13, 2024

Release Notes

5.35.1 (2024-03-13)

Bug fixes

  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.

5.35.0 (2024-03-05)

Bug fixes

  • The AWS > IAM > Group > CMDB, AWS > IAM > Role > CMDB, and AWS > IAM > User > CMDB controls previously failed to fetch all attachments for groups, roles, and users, respectively, due to the lack of pagination support. This issue has been fixed, and the controls will now correctly fetch all respective attachments.

Control Types

  • AWS > Turbot > IAM > Group
  • AWS > Turbot > IAM > Group > Managed
  • AWS > Turbot > IAM > Managed
  • AWS > Turbot > IAM > Policy
  • AWS > Turbot > IAM > Policy > Managed
  • AWS > Turbot > IAM > Role
  • AWS > Turbot > IAM > Role > Managed
  • AWS > Turbot > IAM > User
  • AWS > Turbot > IAM > User > Managed

Policy Types

  • AWS > Turbot > IAM > Managed

Renamed

  • AWS > IAM > Turbot to AWS > Turbot > IAM

Action Types

  • AWS > Account > Provision Managed Resources
  • AWS > IAM > Group > Detach and delete
  • AWS > IAM > Group > IAM Group Managed
  • AWS > IAM > Policy > Detach and delete
  • AWS > IAM > Role > IAM Role Managed
  • AWS > IAM > User > IAM User Managed

5.34.0 (2024-02-27)

Policy Types

  • AWS > Turbot > Permissions > Custom Group Levels [Account]

Renamed

  • AWS > Turbot > Permissions > Custom Levels [Account] to AWS > Turbot > Permissions > Custom Role Levels [Account]
  • AWS > Turbot > Permissions > Custom Levels [Folder] to AWS > Turbot > Permissions > Custom Role Levels [Folder]

5.33.0 (2023-12-13)

Bug fixes

  • The AWS > IAM > Account Password Policy > CMDB control would incorrectly go into an Alarm state when Guardrails was denied access to fetch the Account Password Policy data. This is fixed and the control will now move to an Error state instead for such cases.
  • Guardrails stack controls would sometimes fail to update IAM resources if the Terraform plan in the stack's source policy was updated. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.0 or higher.

Control Types

  • AWS > IAM > Root > Approved

Policy Types

  • AWS > IAM > Root > Approved
  • AWS > IAM > Root > Approved > Custom
  • AWS > IAM > Root > Approved > Usage

Action Types

  • AWS > IAM > Root > Skip alarm for Approved control
  • AWS > IAM > Root > Skip alarm for Approved control [90 days]

5.32.0 (2023-09-11)

Control Types

  • AWS > IAM > User > Login Profile

Policy Types

  • AWS > IAM > User > Login Profile

Action Types

  • AWS > IAM > User > Delete Login Profile

5.31.2 (2023-09-07)

Bug fixes

  • A few policy values would sometimes fail to evaluate correctly if the mod was installed on TE v5.42.1. We've fixed this issue and such policy values will now be evaluated correctly.

5.31.1 (2023-08-11)

Bug fixes

  • Turbot stack controls would sometimes fail to update IAM policies and Role Policy Attachments if the Terraform plan in the stack's source policy was updated to rename a policy or change a policy's description. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.0 or higher.
  • We've removed support for the now retired aws-portal:* permissions. Things will continue to work smoothly as before.

5.31.0 (2023-08-03)

What's new?

  • Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed; your existing configurations and settings will continue to work as before.

Policy Types

  • AWS > IAM > Role > Active > Quarantine Policy Name
  • AWS > IAM > Role > Approved > Quarantine Policy Name

Action Types

  • AWS > IAM > Role > Attach Inline Policy
  • AWS > IAM > Role > Attach Quarantine policy
  • AWS > IAM > Role > Detach Quarantine policy

5.30.0 (2023-07-13)

Bug fixes

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Policy Types

  • AWS > IAM > User > Active > Recently Used

5.29.0 (2023-06-30)

What's new?

  • We've added the new fine-grained account:*, consolidatedbilling:*, billing:*, freetier:*, invoicing:*, payments:*, and tax:* permissions which are replacing the existing aws-portal:* permissions soon. Things will continue to work smoothly as before.

5.28.0 (2023-06-16)

What's new?

  • Resource metadata will now also include createdBy details in Turbot CMDB.

5.27.1 (2023-05-03)

What's new?

  • Added support for iam:CreateAccountAlias and iam:DeleteAccountAlias real-time events.

5.27.0 (2023-04-06)

What's new?

  • Added support for aws_iam_policy_document Terraform resource for AWS > IAM > Policy.

Bug fixes

  • We've updated the runtime of the lambda functions to node 16. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

5.26.6 (2023-03-23)

Bug fixes

  • The AWS > IAM > User > Turbot Access Key > Rotation control would fail to rotate the Turbot Access Key correctly after x days if the AWS > IAM > User > Turbot Access Key > Rotation policy was set to Enforce: x day(s). This is now fixed.

5.26.5 (2023-02-02)

Bug fixes

  • In v5.26.4, we fixed an issue where Turbot would incorrectly upsert Role Policy Attachments via a real-time create event when the AWS > IAM > Role > Role Policy Attachments > CMDB policy was set to Enforce: Disabled. That fix did not cover all the ways in which Role Policy Attachments could be upserted incorrectly into Turbot. We've now handled all such cases, and Role Policy Attachments will not be upserted into Turbot CMDB via a real-time create event if the CMDB policy is set to Skip or Enforce: Disabled.

5.26.4 (2023-01-11)

Bug fixes

  • Turbot would incorrectly upsert Role Policy Attachments via real-time create event when the AWS > IAM > Role > Role Policy Attachments > CMDB was set to Enforce: Disabled. The resource eventually got deleted from Turbot via the AWS > IAM > Role > Role Policy Attachments > CMDB control but this create-delete step was unnecessary. We've now handled this better and will not upsert the resource into Turbot CMDB via real-time create event if the CMDB policy is set to Skip or Enforce: Disabled.

5.26.3 (2022-12-20)

Bug fixes

  • The AWS > IAM > Role > Policy > Trusted Access control would go into an error state due to a mishandled internal variable. This is fixed and the control will work as expected.

5.26.2 (2022-12-13)

Bug fixes

  • Previously, if an Inline Policy or Policy Attachment was missing from Turbot, we overlooked and did not process any real-time update events for that resource. From now on, for any such update event, we will try to discover all missing resources and upsert them into Turbot CMDB, so that users can manage their resources more reliably and consistently than before.

5.26.1 (2022-09-27)

Bug fixes

  • We’ve made a few GraphQL query improvements in the AWS > IAM > Root controls to be lighter and more reliable. You won’t notice any difference but things will now run quicker and smoother than before.

5.26.0 (2022-07-18)

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
  • README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
  • Users can now also delete existing Groups, Roles and Users regardless of their creation date. To get started, set the corresponding approved policy to Enforce: Delete unapproved.

Bug fixes

  • On a rare instance, the AWS > IAM > Role > CMDB control would not fetch the partition value of the account from the AWS > Account > Partition policy correctly and thus would move to an Invalid state. All bases are now covered to fetch the partition value correctly and the control will now work as expected.

Action Types

  • AWS > IAM > Access Analyzer > Delete from AWS
  • AWS > IAM > Access Analyzer > Set Tags
  • AWS > IAM > Access Analyzer > Skip alarm for Active control
  • AWS > IAM > Access Analyzer > Skip alarm for Active control [90 days]
  • AWS > IAM > Access Analyzer > Skip alarm for Approved control
  • AWS > IAM > Access Analyzer > Skip alarm for Approved control [90 days]
  • AWS > IAM > Access Analyzer > Skip alarm for Tags control
  • AWS > IAM > Access Analyzer > Skip alarm for Tags control [90 days]
  • AWS > IAM > Access Key > Delete from AWS
  • AWS > IAM > Access Key > Skip alarm for Active control
  • AWS > IAM > Access Key > Skip alarm for Active control [90 days]
  • AWS > IAM > Group > Delete from AWS
  • AWS > IAM > Group > Inline Policy > Delete from AWS
  • AWS > IAM > Group > Inline Policy > Skip alarm for Approved control
  • AWS > IAM > Group > Inline Policy > Skip alarm for Approved control [90 days]
  • AWS > IAM > Group > Skip alarm for Active control
  • AWS > IAM > Group > Skip alarm for Active control [90 days]
  • AWS > IAM > Group > Skip alarm for Approved control
  • AWS > IAM > Group > Skip alarm for Approved control [90 days]
  • AWS > IAM > OpenID Connect > Delete from AWS
  • AWS > IAM > OpenID Connect > Set Tags
  • AWS > IAM > OpenID Connect > Skip alarm for Active control
  • AWS > IAM > OpenID Connect > Skip alarm for Active control [90 days]
  • AWS > IAM > OpenID Connect > Skip alarm for Approved control
  • AWS > IAM > OpenID Connect > Skip alarm for Approved control [90 days]
  • AWS > IAM > OpenID Connect > Skip alarm for Tags control
  • AWS > IAM > OpenID Connect > Skip alarm for Tags control [90 days]
  • AWS > IAM > Policy > Delete from AWS
  • AWS > IAM > Policy > Skip alarm for Active control
  • AWS > IAM > Policy > Skip alarm for Active control [90 days]
  • AWS > IAM > Policy > Skip alarm for Approved control
  • AWS > IAM > Policy > Skip alarm for Approved control [90 days]
  • AWS > IAM > Role > Delete from AWS
  • AWS > IAM > Role > Inline Policy > Delete from AWS
  • AWS > IAM > Role > Inline Policy > Skip alarm for Approved control
  • AWS > IAM > Role > Inline Policy > Skip alarm for Approved control [90 days]
  • AWS > IAM > Role > Set Tags
  • AWS > IAM > Role > Skip alarm for Active control
  • AWS > IAM > Role > Skip alarm for Active control [90 days]
  • AWS > IAM > Role > Skip alarm for Approved control
  • AWS > IAM > Role > Skip alarm for Approved control [90 days]
  • AWS > IAM > Role > Skip alarm for Tags control
  • AWS > IAM > Role > Skip alarm for Tags control [90 days]
  • AWS > IAM > Server Certificate > Delete from AWS
  • AWS > IAM > Server Certificate > Set Tags
  • AWS > IAM > Server Certificate > Skip alarm for Active control
  • AWS > IAM > Server Certificate > Skip alarm for Active control [90 days]
  • AWS > IAM > Server Certificate > Skip alarm for Approved control
  • AWS > IAM > Server Certificate > Skip alarm for Approved control [90 days]
  • AWS > IAM > Server Certificate > Skip alarm for Tags control
  • AWS > IAM > Server Certificate > Skip alarm for Tags control [90 days]
  • AWS > IAM > User > Delete from AWS
  • AWS > IAM > User > Inline Policy > Delete from AWS
  • AWS > IAM > User > Inline Policy > Skip alarm for Approved control
  • AWS > IAM > User > Inline Policy > Skip alarm for Approved control [90 days]
  • AWS > IAM > User > Set Tags
  • AWS > IAM > User > Skip alarm for Active control
  • AWS > IAM > User > Skip alarm for Active control [90 days]
  • AWS > IAM > User > Skip alarm for Approved control
  • AWS > IAM > User > Skip alarm for Approved control [90 days]
  • AWS > IAM > User > Skip alarm for Tags control
  • AWS > IAM > User > Skip alarm for Tags control [90 days]

5.25.0 (2022-06-08)

Control Types

  • AWS > IAM > Access Analyzer > Configured

Policy Types

  • AWS > IAM > Access Analyzer > Configured
  • AWS > IAM > Access Analyzer > Configured > Claim Precedence
  • AWS > IAM > Access Analyzer > Configured > Source

5.24.0 (2022-05-05)

Resource Types

  • AWS > IAM > OpenID Connect

Control Types

  • AWS > IAM > OpenID Connect > Active
  • AWS > IAM > OpenID Connect > Approved
  • AWS > IAM > OpenID Connect > CMDB
  • AWS > IAM > OpenID Connect > Configured
  • AWS > IAM > OpenID Connect > Discovery
  • AWS > IAM > OpenID Connect > Tags
  • AWS > IAM > OpenID Connect > Usage

Policy Types

  • AWS > IAM > OpenID Connect > Active
  • AWS > IAM > OpenID Connect > Active > Age
  • AWS > IAM > OpenID Connect > Active > Last Modified
  • AWS > IAM > OpenID Connect > Approved
  • AWS > IAM > OpenID Connect > Approved > Custom
  • AWS > IAM > OpenID Connect > Approved > Usage
  • AWS > IAM > OpenID Connect > CMDB
  • AWS > IAM > OpenID Connect > Configured
  • AWS > IAM > OpenID Connect > Configured > Claim Precedence
  • AWS > IAM > OpenID Connect > Configured > Source
  • AWS > IAM > OpenID Connect > Tags
  • AWS > IAM > OpenID Connect > Tags > Template
  • AWS > IAM > OpenID Connect > Usage
  • AWS > IAM > OpenID Connect > Usage > Limit
  • AWS > IAM > Role > Active > Recently Used
  • AWS > Turbot > Permissions > Custom Levels [Folder]

Action Types

  • AWS > IAM > OpenID Connect > Delete
  • AWS > IAM > OpenID Connect > Router
  • AWS > IAM > OpenID Connect > Update Tags

5.23.2 (2022-05-02)

Bug fixes

  • The AWS > IAM > User > Turbot Access Key > Rotation control would stay in a TBD state if there were no access keys available for the user in Turbot CMDB and the AWS > IAM > User > Turbot Access Key policy was not set. If in TBD, the control will now re-run and move to its intended state correctly.

5.23.1 (2022-04-29)

Bug fixes

  • The AWS > IAM > User > Turbot Access Key > Rotation control would sometimes create 2 access keys for users inadvertently if the AWS > IAM > User > Turbot Access Key policy was not set by the time the 1st key was created and upserted in Turbot. The control will now wait a few minutes to realize the policy setting for Turbot Access Key and prevent the creation of a 2nd access key.

5.23.0 (2022-04-18)

What's new?

  • The AWS > Turbot > IAM stack would remove user group memberships for users managed by Turbot when they were attached to groups created outside of Turbot. You can now also manage user group memberships non-exclusively via Turbot. To get started, set the AWS > Turbot > Permissions > User > Group Membership Mode policy.

Policy Types

  • AWS > Turbot > Permissions > User > Group Membership Mode

5.22.4 (2022-03-29)

Bug fixes

  • The AWS > Turbot > IAM stack would sometimes incorrectly delete resources if the AWS > Turbot > Permissions policy was switched from Skip to Enforce: User Mode or Enforce: Role Mode and the AWS > Turbot > Permissions > Source policy was empty. This is fixed and the stack will now not attempt to destroy any resources until the source policy is evaluated correctly.

5.22.3 (2022-03-25)

Bug fixes

  • The AWS > IAM > Role > Policy Attachments > Approved > Compiled Rules policy was evaluated incorrectly if the AWS > IAM > Role > Policy Attachments > Required > Items policy included a list of IAM policies. This is now fixed.

5.22.2 (2022-02-18)

Bug fixes

  • The AWS > IAM > Group > Approved control would go into an error state for Turbot managed groups if the AWS > IAM > Group > Approved policy was set to check or enforce mode and the AWS > IAM > Group > Approved > Turbot policy was set to Force Approved for Turbot Group. This is fixed and groups will now be Approved for such cases.

5.22.1 (2022-02-17)

Bug fixes

  • The AWS > IAM > User > Group Membership > CMDB control would go into an error state if the user's group membership was revoked. This is fixed and the group membership will now be deleted from Turbot for such cases.

5.22.0 (2022-02-11)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.

Bug fixes

  • The AWS > Turbot > Permissions > Source policy would not evaluate correctly if the number of AWS > IAM > Login User Names exceeded 300. This is now fixed.
  • The AWS > Turbot > IAM stack will now not create any service level roles and their role policy attachments if the AWS > Turbot > Permissions policy for an account is set to Enforce: User Mode. This will greatly reduce the number of unnecessary resources that Turbot creates and manages via the stack, and the stack will now run lighter and more reliably than before.
  • We've improved the process of deleting resources from Turbot if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.

Policy Types

  • AWS > IAM > Access Analyzer > Approved > Custom
  • AWS > IAM > Group > Approved > Custom
  • AWS > IAM > Group > Inline Policy > Approved > Custom
  • AWS > IAM > Policy > Approved > Custom
  • AWS > IAM > Role > Approved > Custom
  • AWS > IAM > Role > Inline Policy > Approved > Custom
  • AWS > IAM > Server Certificate > Approved > Custom
  • AWS > IAM > User > Approved > Custom
  • AWS > IAM > User > Inline Policy > Approved > Custom

5.21.0 (2022-01-12)

What's new?

  • AWS/IAM/Owner, AWS/IAM/Operator and AWS/IAM/Metadata now include permissions for Access-Analyzer Policy Generation and tagging permissions for Instance Profile, MFADevice, Policy, OpenIDConnectProvider and SAMLProvider.

Bug fixes

  • We've made some improvements to the AWS > Turbot > Permissions > Source policy. There is no noticeable difference and things will continue to run smoothly as expected.

5.20.3 (2021-11-11)

Bug fixes

  • We've improved the control table's messages for the AWS > IAM > Account Password Policy control to be more precise and helpful. Previously, to understand why one of these controls is in Alarm state, you would need to find the current password policy settings from the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.20.2 (2021-10-27)

Bug fixes

  • The AWS > IAM > Account Password Policy > Settings control would sometimes incorrectly evaluate the outcome for HardExpiry when the AWS > IAM > Account Password Policy > Settings > Hard Expiry policy was set to Disabled. This is now fixed.

  • In v5.8.0, we deprecated the AWS > IAM > Role > Trust Relationship Statements > Approved control and its policies in favour of the new AWS > IAM > Role > Policy > Trusted Access > Approved control; however, because the AWS > IAM > Role > Trust Relationship Statements > Approved > Rules policy adds Object Control List (OCL) functionality not available in the AWS > IAM > Role > Policy > Trusted Access > Approved control, this policy is still useful.

    The AWS > IAM > Role > Trust Relationship Statements > Approved control, and the AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules and AWS > IAM > Role > Trust Relationship Statements > Approved > Rules policies are no longer considered deprecated and are available for use again.

Control Types

Renamed

  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] to AWS > IAM > Role > Trust Relationship Statements
  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved

Policy Types

Renamed

  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] to AWS > IAM > Role > Trust Relationship Statements
  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved
  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Compiled Rules [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules
  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Rules
  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Accounts [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Identity Providers [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Identity Providers [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Services [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Services [Deprecated]

5.20.1 (2021-09-30)

Bug fixes

  • The AWS > IAM > Account Summary > CMDB control will now re-run every 24 hours to fetch the latest account summary details.

5.20.0 (2021-09-23)

What's new?

  • Users can now deactivate access keys from the AWS > IAM > Access Key > Active control. To get started, set the AWS > IAM > Active > Active policy to Enforce: Deactivate inactive with x days warning.

Action Types

  • AWS > IAM > Access Key > Deactivate

5.19.2 (2021-09-17)

Bug fixes

  • In v5.18.0, we updated the AWS > Turbot > Permissions > Terraform Version policy value to 0.15.*. Due to this update, the AWS > Turbot > IAM control would sometimes go into an error state if the AWS > Turbot > Permissions policy was set to Enforce: User Mode. We've reverted this change temporarily, and the AWS > Turbot > Permissions > Terraform Version policy value is now set to 0.11.* to reduce the possibility of errors.

5.19.1 (2021-09-07)

Bug fixes

  • The AWS > IAM > Policy > Statements > Approved control would incorrectly go into an Invalid state if all statements in the policy were evaluated to be rejected and the AWS > IAM > Policy > Statements > Approved policy was set to Check: Approved. This is fixed and the control will now move into an Alarm state for such cases.

5.19.0 (2021-09-03)

Resource Types

  • AWS > IAM > Access Analyzer
  • AWS > IAM > Server Certificate

Control Types

  • AWS > IAM > Access Analyzer > Active
  • AWS > IAM > Access Analyzer > Approved
  • AWS > IAM > Access Analyzer > CMDB
  • AWS > IAM > Access Analyzer > Discovery
  • AWS > IAM > Access Analyzer > Tags
  • AWS > IAM > Server Certificate > Active
  • AWS > IAM > Server Certificate > Approved
  • AWS > IAM > Server Certificate > CMDB
  • AWS > IAM > Server Certificate > Discovery
  • AWS > IAM > Server Certificate > Tags
  • AWS > IAM > Server Certificate > Usage

Policy Types

  • AWS > IAM > Access Analyzer > Active
  • AWS > IAM > Access Analyzer > Active > Age
  • AWS > IAM > Access Analyzer > Active > Last Modified
  • AWS > IAM > Access Analyzer > Approved
  • AWS > IAM > Access Analyzer > Approved > Regions
  • AWS > IAM > Access Analyzer > Approved > Usage
  • AWS > IAM > Access Analyzer > CMDB
  • AWS > IAM > Access Analyzer > Regions
  • AWS > IAM > Access Analyzer > Tags
  • AWS > IAM > Access Analyzer > Tags > Template
  • AWS > IAM > Server Certificate > Active
  • AWS > IAM > Server Certificate > Active > Age
  • AWS > IAM > Server Certificate > Active > Last Modified
  • AWS > IAM > Server Certificate > Approved
  • AWS > IAM > Server Certificate > Approved > Usage
  • AWS > IAM > Server Certificate > CMDB
  • AWS > IAM > Server Certificate > Tags
  • AWS > IAM > Server Certificate > Tags > Template
  • AWS > IAM > Server Certificate > Usage
  • AWS > IAM > Server Certificate > Usage > Limit

Action Types

  • AWS > IAM > Access Analyzer > Delete
  • AWS > IAM > Access Analyzer > Router
  • AWS > IAM > Access Analyzer > Update Tags
  • AWS > IAM > Server Certificate > Delete
  • AWS > IAM > Server Certificate > Router
  • AWS > IAM > Server Certificate > Update Tags

5.18.0 (2021-07-28)

What's new?

  • The AWS > Turbot > Permissions > Terraform Version policy will now be set to 0.15.* by default for workspaces on TE v5.37.7 or higher. For workspaces on TE versions lower than 5.37.7, the policy will remain set to 0.11.* by default.

5.17.0 (2021-07-23)

Policy Types

  • AWS > Turbot > Permissions > Role > Session Timeout
  • AWS > Turbot > Permissions > User > Access Keys Enabled
  • AWS > Turbot > Permissions > User > Session Timeout

5.16.0 (2021-07-22)

What's new?

  • AWS/IAM/Metadata now includes cost explorer permissions.

Bug fixes

  • The AWS > IAM > Role > Policy > Trusted Access control incorrectly evaluated a policy statement if the statement's Principal was a Federated user and the AWS > IAM > Role > Policy > Trusted Access > Identity Providers policy was set to *. This is now fixed.

    The trusted access control also didn't evaluate a policy statement as expected if the statement included an empty Condition. This is also fixed.

5.15.0 (2021-07-08)

What's new?

  • In a previous version, we added the ability to delete and stop tracking changes to group inline policies and group policy attachments in Turbot CMDB. We've now added this ability across all IAM resource types to help you manage IAM resources better.
  • We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.14.0 (2021-07-06)

What's new?

  • Users can now delete and stop tracking changes to group inline policies and group policy attachments in Turbot CMDB by setting the AWS > IAM > Group > Inline Policy > CMDB and AWS > IAM > Group > Group Policy Attachments > CMDB policies to Enforce: Disabled respectively.

  • The AWS > Turbot > IAM control will now use the AWS > Turbot > Permissions > Terraform Version policy instead of Turbot > Stack Terraform Version [Default] policy to configure resources. The AWS > Turbot > Permissions > Terraform Version policy is read-only and by default set to 0.11.* as it's managed by Turbot.

  • We've updated the AWS > Turbot > Permissions > Source policy to be read-only as it's managed by Turbot.

Policy Types

  • AWS > Turbot > Permissions > Terraform Version

5.13.0 (2021-06-25)

What's new?

  • AWS/IAM/Owner now includes service specific credential and SAML provider permissions.

    AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-iam policy now includes access-analyzer:*.

5.12.0 (2021-06-18)

What's new?

  • IAM user mode is now available to use for permission management in AWS accounts. User mode is another way to manage permissions in an AWS account, with role mode being the primary way today. Instead of using IAM roles, user mode uses IAM users and groups to grant users access to AWS accounts.

    We recommend using role mode unless you have a specific requirement to use IAM users and groups.

    To get started with user mode, set the policy AWS > Turbot > Permissions to Enforce: User Mode.

Control Types

  • AWS > IAM > User > Turbot Access Key
  • AWS > IAM > User > Turbot Access Key > Rotation

Policy Types

  • AWS > IAM > User > Turbot Access Key
  • AWS > IAM > User > Turbot Access Key > Rotation
  • AWS > IAM > User > Turbot Secret Access Key
  • AWS > Turbot > Permissions > User Boundary

Removed

  • AWS > Turbot > Permissions > User > Name Prefix

Action Types

  • AWS > IAM > User > Create or Rotate Turbot Access Key

5.11.3 (2021-06-07)

Bug fixes

  • The ResponseMetadata.RequestId property for AWS > IAM > User has now been made dynamic to avoid unnecessary notifications in the activity tab.

5.11.2 (2021-05-17)

Bug fixes

  • The AWS > IAM > Credential Report > CMDB control sometimes wouldn't run at a six-hour interval on a consistent basis. This is now fixed.

5.11.1 (2021-04-16)

Bug fixes

  • We've made some changes that are too small to notice or too difficult to explain. Everything will continue to run smoothly and as expected.

5.11.0 (2021-04-08)

What's new?

  • Permissions for IAM access analyzers will now also be managed under the AWS > IAM > Enabled policy. To get started, set this policy to Enabled.

Bug fixes

  • We’ve made a few improvements in the GraphQL queries for various controls, policies, and actions. You won’t notice any difference, but things should run lighter and quicker than before.

5.10.0 (2021-02-23)

What's new?

  • We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.9.0 (2021-02-05)

Bug fixes

  • We have decreased the frequency of how often the AWS > IAM > Credential Report > CMDB control runs from every 4 hours to every 6 hours to better avoid throttling errors when attempting to generate the credential report.

Control Types

  • AWS > IAM > Stack

Policy Types

  • AWS > IAM > Stack
  • AWS > IAM > Stack > Secret Variables
  • AWS > IAM > Stack > Source
  • AWS > IAM > Stack > Terraform Version
  • AWS > IAM > Stack > Variables

5.8.3 (2021-01-28)

Bug fixes

  • The AWS > IAM > Policy > CMDB control would fail to update when a policy was attached to or detached from a group, user or a role. This is now fixed.

5.8.2 (2021-01-13)

Bug fixes

  • The AWS > IAM > Policy > Statements > Approved control would sometimes go into error if there was only one statement in the IAM policy. This has been fixed.

    We've also improved the logging in the AWS > IAM > Policy > Statements > Approved control to better handle policies with a large number of statements to prevent the control from moving to error state.

  • The language in the details table for the AWS > IAM > Account Password Policy > Settings control has been updated to be more clear when the control is in alarm.

Action Types

  • AWS > IAM > Policy > Create Version

Removed

  • AWS > IAM > Policy > Update Statements

5.8.1 (2020-12-22)

What's new?

  • The AWS > IAM > Account Password Policy > Settings control will now display the result for each password policy item in the control data to easily identify which items passed/failed.

Bug fixes

  • Controls run faster now when in the tbd and skipped states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.

5.8.0 (2020-12-11)

Warning

  • The AWS > IAM > Role > Trust Relationship Statements > Approved control has been deprecated and replaced by the AWS > IAM > Role > Policy > Trusted Access > Approved control. In the next major version (v6.0.0), the AWS > IAM > Role > Trust Relationship Statements control will be removed.

    Please note that a key difference between these controls is that the new AWS > IAM > Role > Policy > Trusted Access > Approved control will only check trust relationship policy statements that grant access with "Effect": "Allow", so statements with "Effect": "Deny" will not be checked.

    We recommend that you migrate any AWS > IAM > Role > Trust Relationship Statements > Approved policy settings currently set in your workspace to instead use the new AWS > IAM > Role > Policy > Trusted Access policies based on the mappings below:

    Old Policy → New Policy
    AWS > IAM > Role > Trust Relationship Statements → AWS > IAM > Role > Policy > Trusted Access
    AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts → AWS > IAM > Role > Policy > Trusted Access > Accounts
    AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Identity Providers → AWS > IAM > Role > Policy > Trusted Access > Identity Providers
    AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Services → AWS > IAM > Role > Policy > Trusted Access > Services
    AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules → N/A
    AWS > IAM > Role > Trust Relationship Statements > Approved > Rules → N/A
    N/A → AWS > IAM > Role > Policy > Trusted Access > Organization Restrictions
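    As an added illustration (not Turbot's code) of the behaviour the deprecation note describes: a small checker that, like the new AWS > IAM > Role > Policy > Trusted Access > Approved control, evaluates only "Effect": "Allow" statements of a role's trust policy against lists of trusted accounts, services and identity providers, while also normalising a single-object Statement (the one-statement case from 5.8.2) and accepting account IDs as strings or integers. The allow-lists, the account IDs and the trust policy document are constructed placeholders.

```python
import re
# Constructed allow-lists (placeholder values, not real account IDs or providers).
TRUSTED_ACCOUNTS = ["111111111111", 222222222222]  # account IDs as strings or integers
TRUSTED_SERVICES = ["ec2.amazonaws.com", "lambda.amazonaws.com"]
TRUSTED_IDENTITY_PROVIDERS = ["arn:aws:iam::111111111111:saml-provider/corp-idp"]

def as_list(value):
    """IAM allows a bare object/string wherever a list is accepted, so normalise."""
    return value if isinstance(value, list) else [value]

def account_of(aws_principal):
    """12-digit account ID from an ARN or a bare account ID, or None."""
    match = re.search(r"(?<!\d)(\d{12})(?!\d)", str(aws_principal))
    return match.group(1) if match else None

def unapproved_principals(trust_policy, accounts=TRUSTED_ACCOUNTS,
                          services=TRUSTED_SERVICES, providers=TRUSTED_IDENTITY_PROVIDERS):
    """(statement index, principal) pairs granted access outside the allow-lists.
    Only "Effect": "Allow" statements are examined; "Deny" statements are skipped."""
    trusted_accounts = {str(a) for a in accounts}
    findings = []
    for i, stmt in enumerate(as_list(trust_policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anonymous trust is never approved
            findings.append((i, "*"))
            continue
        for p in as_list(principal.get("AWS", [])):
            if p == "*" or account_of(p) not in trusted_accounts:
                findings.append((i, p))
        for p in as_list(principal.get("Service", [])):
            if p not in services:
                findings.append((i, p))
        for p in as_list(principal.get("Federated", [])):
            if p not in providers:
                findings.append((i, p))
    return findings

# Constructed trust policy: the Deny statement names an untrusted account but is ignored.
SAMPLE_TRUST_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "333333333333"],
                       "Service": "ec2.amazonaws.com"}},
        {"Effect": "Deny", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::444444444444:root"}},
    ],
}
```

    Running `unapproved_principals(SAMPLE_TRUST_POLICY)` reports only the untrusted account in the Allow statement; the Deny statement's account is not examined at all, which is the difference the migration note warns about.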

Bug fixes

  • The AWS > IAM > User > Discovery and AWS > IAM > Policy > Discovery controls would go into an error state if the resources had alphanumeric characters in their name. This is now fixed.

Control Types

  • AWS > IAM > Role > Policy
  • AWS > IAM > Role > Policy > Trusted Access

Renamed

  • AWS > IAM > Role > Trust Relationship Statements to AWS > IAM > Role > Trust Relationship Statements [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements > Approved to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated]

Policy Types

  • AWS > IAM > Role > Policy
  • AWS > IAM > Role > Policy > Trusted Access
  • AWS > IAM > Role > Policy > Trusted Access > Accounts
  • AWS > IAM > Role > Policy > Trusted Access > Identity Providers
  • AWS > IAM > Role > Policy > Trusted Access > Organization Restrictions
  • AWS > IAM > Role > Policy > Trusted Access > Services
  • AWS > IAM > Trusted Accounts [Default]
  • AWS > IAM > Trusted Identity Providers [Default]
  • AWS > IAM > Trusted Organizations [Default]
  • AWS > IAM > Trusted Services [Default]

Renamed

  • AWS > IAM > Role > Trust Relationship Statements to AWS > IAM > Role > Trust Relationship Statements [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements > Approved to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Compiled Rules [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements > Approved > Rules to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Accounts [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Identity Providers to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Identity Providers [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Services to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Services [Deprecated]

Action Types

  • AWS > IAM > Role > Set Policy Trusted Access

5.7.7 (2020-11-12)

Bug fixes

  • The inline policies and policy documents for AWS > IAM > Group > Inline Policy, AWS > IAM > Role > Inline Policy and AWS > IAM > User > Inline Policy resources will now be consistently sorted and stored in the CMDB.

  • We've removed the ResponseMetadata property from the CMDB data of role and group resources since it was getting updated unnecessarily.

5.7.6 (2020-11-06)

Bug fixes

  • The attached policies and inline policies for AWS > IAM > Group, AWS > IAM > Role, and AWS > IAM > User resources will now be consistently sorted and stored in the CMDB.

5.7.5 (2020-11-06)

Bug fixes

  • It turns out that the AWS > IAM > Role Policy Attachment activity tab would still show unnecessary reference errors whenever an IAM policy was attached to or detached from a role. This issue has now been fixed and things should run smoothly, as expected.

5.7.4 (2020-11-02)

Bug fixes

5.7.3 (2020-10-30)

Bug fixes

  • The AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts policy now also accepts AWS account IDs as strings for more flexibility.
  • We've updated the AWS > IAM > Role > Trust Relationship Statements > Approved > Rules > Compiled Rules policy to be read-only as it's managed by Turbot.

5.7.2 (2020-10-23)

Bug fixes

  • We've improved a few queries for the AWS > IAM > Group > Policy Attachments > Required, AWS > IAM > Role > Policy Attachments > Required and AWS > IAM > User > Policy Attachments > Required controls. There's no noticeable difference, but things should run more smoothly now.

5.7.1 (2020-10-09)

Bug fixes

  • We have updated the descriptions for all of the AWS > IAM > Account Password Policy > Settings > * policies to include more information on each setting's purpose and its expected data type.

5.7.0 (2020-10-01)

What's new?

  • We've improved our event handling configuration and now filter which AWS events Turbot listens for based on resources' CMDB policies. If a resource's CMDB policy is not set to Enforce: Enabled, the EventBridge rules will be configured to not send any events for that resource. This will greatly reduce the number of unnecessary events that Turbot listens for and handles today.

Bug fixes

  • The AWS > IAM > Role Policy Attachment activity tab would show unnecessary reference errors whenever an IAM policy was attached to or detached from a role. This has now been fixed.

Policy Types

  • AWS > IAM > Access Key > Active > Recently Used
  • AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-iam

Removed

  • AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-iam

5.6.8 (2020-09-10)

Bug fixes

  • The Enable password expiration days and Prevent password reuse properties, when unchecked in the AWS console, were not updated properly in the AWS > IAM > Account Password Policy > CMDB data, causing the AWS > CIS v1 > 1 Identity and Access Management > 1.10 Ensure IAM password policy prevents password reuse (Scored) control to be inconsistent. This is fixed, and the AWS > CIS v1 > 1 Identity and Access Management > 1.10 Ensure IAM password policy prevents password reuse (Scored) control will now work correctly.

5.6.7 (2020-08-28)

Bug fixes

  • Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.

5.6.6 (2020-08-13)

Bug fixes

  • The AssumeRolePolicyDocument field for role resources is now properly and consistently sorted.
  • In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.
  • The AWS > IAM > Role > Policy Attachments > Required control will now remain in the skipped state for AWS service roles.

5.6.5 (2020-07-28)

Bug fixes

  • The AWS > Turbot > Permissions > Compiled > Account Permissions and AWS > Turbot > Permissions > Source policies often timed out during calculation if all AWS mods were installed and enabled at once. This issue has now been fixed.

5.6.4 (2020-07-10)

Bug fixes

  • Updated various resource configurations to provide better compatibility with AWS China regions.

5.6.3 (2020-07-03)

Bug fixes

  • Sometimes when updating CMDB for resources with tags that have empty string values, e.g., [{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.

5.6.2 (2020-06-23)

Bug fixes

  • The AWS > IAM > Access Key > CMDB control was not properly deleting access keys from CMDB that no longer existed in AWS. This has been fixed.

5.6.1 (2020-06-19)

Bug fixes

  • Although the data validation errors, which appear in various CMDB and Discovery controls, are not blockers, they look ugly in the UI and should be cleaned up. These errors have now been fixed.

5.6.0 (2020-06-17)

Control Types

  • AWS > IAM > Access Key > Usage

Policy Types

  • AWS > IAM > Access Key > Usage
  • AWS > IAM > Access Key > Usage > Limit
  • AWS > IAM > Group > Active > Budget
  • AWS > IAM > Group > Approved > Budget
  • AWS > IAM > Tags Template [Default]

Renamed

  • AWS > IAM > Access Key > Configured > Precedence to AWS > IAM > Access Key > Configured > Claim Precedence
  • AWS > IAM > Account Password Policy > Configured > Precedence to AWS > IAM > Account Password Policy > Configured > Claim Precedence
  • AWS > IAM > Group > Configured > Precedence to AWS > IAM > Group > Configured > Claim Precedence
  • AWS > IAM > Group > Group Policy Attachments > Configured > Precedence to AWS > IAM > Group > Group Policy Attachments > Configured > Claim Precedence
  • AWS > IAM > Instance Profile > Configured > Precedence to AWS > IAM > Instance Profile > Configured > Claim Precedence
  • AWS > IAM > Policy > Configured > Precedence to AWS > IAM > Policy > Configured > Claim Precedence
  • AWS > IAM > Role > Configured > Precedence to AWS > IAM > Role > Configured > Claim Precedence
  • AWS > IAM > Role > Inline Policy > Configured > Precedence to AWS > IAM > Role > Inline Policy > Configured > Claim Precedence
  • AWS > IAM > Role > Role Policy Attachments > Configured > Precedence to AWS > IAM > Role > Role Policy Attachments > Configured > Claim Precedence
  • AWS > IAM > Root > Configured > Precedence to AWS > IAM > Root > Configured > Claim Precedence
  • AWS > IAM > User > Configured > Precedence to AWS > IAM > User > Configured > Claim Precedence
  • AWS > IAM > User > Group Memberships > Configured > Precedence to AWS > IAM > User > Group Memberships > Configured > Claim Precedence
  • AWS > IAM > User > User Policy Attachments > Configured > Precedence to AWS > IAM > User > User Policy Attachments > Configured > Claim Precedence

5.5.3 (2020-06-11)

Bug fixes

  • Updating the inline policies of a user, group or role will now automatically update the CMDB of the parent user, group or role, respectively.

5.5.2 (2020-06-02)

Bug fixes

  • The credential report CMDB control would sometimes error out when attempting to generate a new credential report. This issue has now been fixed.

5.5.1 (2020-05-26)

Bug fixes

  • After updating a role's trust policy, the role's AKA would be incorrectly updated to no longer include the AWS account ID, e.g., arn:aws:iam:::role/my-role. This has been fixed, and updating a role's trust policy will no longer cause the role's AKA to become malformed. However, roles that have already had their AKA modified will remain malformed, so in an upcoming version a control will be added that fixes these AKAs automatically. As this control is not available yet, a workaround to fix these roles' AKAs today is to re-run their CMDB controls.

5.5.0 (2020-05-19)

What's new?

  • Support for the policy values Enforce: User Mode and Check: User Mode has been temporarily withdrawn from the AWS > Turbot > Permissions policy. Please note that the changes are backward compatible and will not affect any previous policy settings.

  • The AWS > Turbot > Permissions > Superuser Boundary policy, when set to No Boundary, disables the boundary policy settings on the superuser role. The change is supported in TE ^5.19.0.

  • The AWS > Turbot > Permissions > Lockdown > API Boundary policy allows you to define a list of APIs that will be allowed in the Turbot boundary policy. The change is supported in TE ^5.19.0.

Bug fixes

  • The AWS > IAM > Role > Boundary and AWS > IAM > User > Boundary controls will now remain in the skipped state for Turbot-managed roles and users instead of the invalid state.

  • The AWS > IAM > Credential Report > CMDB control was not retrying properly if the credential report was in the middle of being created. This has been fixed.

Policy Types

  • AWS > Turbot > Permissions > Lockdown > API Boundary
  • AWS > Turbot > Permissions > Superuser Boundary

5.4.2 (2020-05-08)

Bug fixes

  • After detaching a policy from a group, role, or user, the parent was not automatically updated with its current policy attachments. This has been fixed.
  • After creating a user, we would fail to create it in CMDB due to an incorrect resource parent when creating its user group membership resource. Users are now populating the workspace once again.
  • Newly created access keys were created incorrectly under the AWS account instead of the user. Now access keys are created under the user, which should be immensely more useful.

5.4.1 (2020-05-06)

Bug fixes

  • The default value of the AWS > IAM > Role > Boundary and AWS > IAM > User > Boundary policies was changed from Check or Enforce per AWS > Turbot > Permissions to Skip. Now any pre-existing boundary permissions for roles and users will not automatically be replaced as they are discovered by Turbot. If you would still like Turbot to enforce boundary permissions by default for roles and users, please set the AWS > IAM > Role > Boundary and AWS > IAM > User > Boundary policies to Check or Enforce per AWS > Turbot > Permissions.