@turbot/aws-iam

The aws-iam mod contains resource, control and policy definitions for the AWS IAM service.

Resource Types

Resource types covered by this mod:

Permissions

The permissions used by this mod and the grant level associated with each of them for IAM:

Permission | Grant Level | Help
access-analyzer:ApplyArchiveRule | Owner
access-analyzer:CancelPolicyGeneration | Owner
access-analyzer:CreateAccessPreview | Owner
access-analyzer:CreateAnalyzer | Owner
access-analyzer:CreateArchiveRule | Owner
access-analyzer:DeleteAnalyzer | Owner
access-analyzer:DeleteArchiveRule | Owner
access-analyzer:GetAccessPreview | Metadata
access-analyzer:GetAnalyzedResource | Metadata
access-analyzer:GetAnalyzer | Metadata
access-analyzer:GetArchiveRule | Metadata
access-analyzer:GetFinding | Metadata
access-analyzer:GetGeneratedPolicy | Metadata
access-analyzer:ListAccessPreviewFindings | Metadata
access-analyzer:ListAccessPreviews | Metadata
access-analyzer:ListAnalyzedResources | Metadata
access-analyzer:ListAnalyzers | Metadata
access-analyzer:ListArchiveRules | Metadata
access-analyzer:ListFindings | Metadata
access-analyzer:ListPolicyGenerations | Metadata
access-analyzer:ListTagsForResource | Metadata
access-analyzer:StartPolicyGeneration | Owner
access-analyzer:StartResourceScan | Owner
access-analyzer:TagResource | Operator
access-analyzer:UntagResource | Operator
access-analyzer:UpdateArchiveRule | Owner
access-analyzer:UpdateFindings | Owner
access-analyzer:ValidatePolicy | Operator
iam:AddClientIDToOpenIDConnectProvider | None | OpenID is not used in Guardrails accounts.
iam:AddRoleToInstanceProfile | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:AddUserToGroup | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:AttachGroupPolicy | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:AttachRolePolicy | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:AttachUserPolicy | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:ChangePassword | None | Users are not allowed to change their own password. Owners may change passwords for users through the *LoginProfile permissions.
iam:CreateAccessKey | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:CreateAccountAlias | Owner | Owners can manage the AWS account alias.
iam:CreateGroup | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:CreateInstanceProfile | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:CreateLoginProfile | Whitelist | Optionally, Owners can create passwords for custom users. Management of Guardrails users is explicitly denied.
iam:CreateOpenIDConnectProvider | None | OpenID is not used in Guardrails accounts.
iam:CreatePolicy | Owner | Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:CreatePolicyVersion | Owner | Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:CreateRole | Owner | Owners can create custom roles.
iam:CreateSAMLProvider | Owner | SAML is not used in Guardrails accounts.
iam:CreateServiceLinkedRole | Owner | Owners can manage service-linked roles.
iam:CreateServiceSpecificCredential | Owner
iam:CreateUser | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:CreateVirtualMFADevice | Owner | Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:DeactivateMFADevice | Owner | Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:DeleteAccessKey | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:DeleteAccountAlias | Owner | Owners can manage the AWS account alias.
iam:DeleteAccountPasswordPolicy | Owner
iam:DeleteGroup | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:DeleteGroupPolicy | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:DeleteInstanceProfile | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:DeleteLoginProfile | Whitelist | Optionally, Owners can manage passwords for custom users. Management of Guardrails users is explicitly denied. Deletion of the login profile is always allowed so that user deletion in the IAM console works.
iam:DeleteOpenIDConnectProvider | None | OpenID is not used in Guardrails accounts.
iam:DeletePolicy | Owner | Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:DeletePolicyVersion | Owner | Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:DeleteRole | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:DeleteRolePermissionsBoundary | Owner | Owners can delete a permissions boundary.
iam:DeleteRolePolicy | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:DeleteSAMLProvider | Owner | SAML is not used in Guardrails accounts.
iam:DeleteSSHPublicKey | Owner | Users may be granted permission to manage SSH public keys by other services (e.g. CodeCommit).
iam:DeleteServerCertificate | Owner | Owners can manage server certificates. Users are also granted permission to manage server certificates by other services (e.g. ELB).
iam:DeleteServiceLinkedRole | Owner
iam:DeleteServiceSpecificCredential | Owner
iam:DeleteSigningCertificate | None | SOAP is deprecated by AWS and not supported by Guardrails.
iam:DeleteUser | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:DeleteUserPermissionsBoundary | Owner | Owners can delete a permissions boundary.
iam:DeleteUserPolicy | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:DeleteVirtualMFADevice | Owner | Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:DetachGroupPolicy | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:DetachRolePolicy | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:DetachUserPolicy | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:EnableMFADevice | Owner | Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:GenerateCredentialReport | Metadata
iam:GenerateOrganizationsAccessReport | Owner
iam:GenerateServiceLastAccessedDetails | Metadata
iam:GetAccessKeyLastUsed | Metadata
iam:GetAccountAuthorizationDetails | Metadata
iam:GetAccountPasswordPolicy | Metadata
iam:GetAccountSummary | Metadata
iam:GetContextKeysForCustomPolicy | Metadata
iam:GetContextKeysForPrincipalPolicy | Metadata
iam:GetCredentialReport | Metadata
iam:GetGroup | Metadata
iam:GetGroupPolicy | Metadata
iam:GetInstanceProfile | Metadata
iam:GetLoginProfile | Metadata
iam:GetOpenIDConnectProvider | Metadata
iam:GetOrganizationsAccessReport | Metadata
iam:GetPolicy | Metadata
iam:GetPolicyVersion | Metadata
iam:GetRole | Metadata
iam:GetRolePolicy | Metadata
iam:GetSAMLProvider | Metadata
iam:GetSSHPublicKey | Metadata
iam:GetServerCertificate | Metadata
iam:GetServiceLastAccessedDetails | Metadata
iam:GetServiceLastAccessedDetailsWithEntities | Metadata
iam:GetServiceLinkedRoleDeletionStatus | Metadata
iam:GetUser | Metadata
iam:GetUserPolicy | Metadata
iam:ListAccessKeys | Metadata
iam:ListAccountAliases | Metadata
iam:ListAttachedGroupPolicies | Metadata
iam:ListAttachedRolePolicies | Metadata
iam:ListAttachedUserPolicies | Metadata
iam:ListEntitiesForPolicy | Metadata
iam:ListGroupPolicies | Metadata
iam:ListGroups | Metadata
iam:ListGroupsForUser | Metadata
iam:ListInstanceProfileTags | Metadata
iam:ListInstanceProfiles | Metadata
iam:ListInstanceProfilesForRole | Metadata
iam:ListMFADeviceTags | Metadata
iam:ListMFADevices | Metadata
iam:ListOpenIDConnectProviderTags | Metadata
iam:ListOpenIDConnectProviders | Metadata
iam:ListPolicies | Metadata
iam:ListPoliciesGrantingServiceAccess | Metadata
iam:ListPolicyTags | Metadata
iam:ListPolicyVersions | Metadata
iam:ListRolePolicies | Metadata
iam:ListRoleTags | Metadata | Lists the tags on an IAM role.
iam:ListRoles | Metadata
iam:ListSAMLProviderTags | Metadata
iam:ListSAMLProviders | Metadata
iam:ListSSHPublicKeys | Metadata
iam:ListServerCertificateTags | Metadata
iam:ListServerCertificates | Metadata
iam:ListServiceSpecificCredentials | Metadata
iam:ListSigningCertificates | Metadata
iam:ListUserPolicies | Metadata
iam:ListUserTags | Metadata | Lists the tags on an IAM user.
iam:ListUsers | Metadata
iam:ListVirtualMFADevices | Metadata
iam:PassRole | Owner | Owners need PassRole to allow creation of IAM roles for EC2. This also whitelists it so that services can grant it specifically to others. PassRole for Guardrails roles is explicitly denied.
iam:PutGroupPolicy | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:PutRolePermissionsBoundary | Owner | Owners can add a permissions boundary.
iam:PutRolePolicy | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:PutUserPermissionsBoundary | Owner | Owners can add a permissions boundary.
iam:PutUserPolicy | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:RemoveClientIDFromOpenIDConnectProvider | None | OpenID is not used in Guardrails accounts.
iam:RemoveRoleFromInstanceProfile | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:RemoveUserFromGroup | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:ResetServiceSpecificCredential | Owner
iam:ResyncMFADevice | Owner | Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:SetDefaultPolicyVersion | Owner | Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:SetSecurityTokenServicePreferences | Owner
iam:SimulateCustomPolicy | Metadata | Allows users to simulate and investigate IAM permissions. This does allow access to view the permissions of other users.
iam:SimulatePrincipalPolicy | Metadata | Allows users to simulate and investigate IAM permissions. This does allow access to view the permissions of other users.
iam:TagInstanceProfile | Operator
iam:TagMFADevice | Operator
iam:TagOpenIDConnectProvider | Operator
iam:TagPolicy | Operator
iam:TagRole | Operator | Creates or modifies the tags on an IAM role.
iam:TagSAMLProvider | Operator
iam:TagServerCertificate | Operator
iam:TagUser | Operator | Creates or modifies the tags on an IAM user.
iam:UntagInstanceProfile | Operator
iam:UntagMFADevice | Operator
iam:UntagOpenIDConnectProvider | Operator
iam:UntagPolicy | Operator
iam:UntagRole | Operator | Removes the tags on an IAM role.
iam:UntagSAMLProvider | Operator
iam:UntagServerCertificate | Operator
iam:UntagUser | Operator | Removes the tags on an IAM user.
iam:UpdateAccessKey | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:UpdateAccountPasswordPolicy | Owner
iam:UpdateAssumeRolePolicy | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:UpdateGroup | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:UpdateLoginProfile | Whitelist | Optionally, Owners can change passwords for custom users. Guardrails users are explicitly denied from managing passwords.
iam:UpdateOpenIDConnectProviderThumbprint | None | OpenID is not used in Guardrails accounts.
iam:UpdateRole | Owner | Updates the description or maximum session duration setting of a role.
iam:UpdateRoleDescription | Owner | Owners can modify the description of a role.
iam:UpdateSAMLProvider | Owner | SAML is not used in Guardrails accounts.
iam:UpdateSSHPublicKey | Owner | Owners can manage SSH public keys. Users may be granted permission to manage SSH public keys by other services (e.g. CodeCommit).
iam:UpdateServerCertificate | Owner | Owners can manage server certificates. Users are also granted permission to manage server certificates by other services (e.g. ELB).
iam:UpdateServiceSpecificCredential | Owner
iam:UpdateSigningCertificate | None | SOAP is deprecated by AWS and not supported by Guardrails.
iam:UpdateUser | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:UploadSSHPublicKey | Owner | Owners can manage SSH public keys. Users may be granted permission to manage SSH public keys by other services (e.g. CodeCommit).
iam:UploadServerCertificate | Owner | Owners can manage server certificates. Users are also granted permission to manage server certificates by other services (e.g. ELB).
iam:UploadSigningCertificate | None | SOAP is deprecated by AWS and not supported by Guardrails.
organizations:DescribeOrganization | Metadata
sts:AssumeRole | Operator | Assuming Guardrails roles (determined by path) is explicitly denied.
sts:AssumeRoleWithSAML | Operator | Assuming Guardrails roles (determined by path) is explicitly denied.
sts:AssumeRoleWithWebIdentity | Operator | Assuming Guardrails roles (determined by path) is explicitly denied.
sts:DecodeAuthorizationMessage | Metadata | Users with access to Metadata are granted the ability to decode any authorization failure messages they receive. This aids troubleshooting and is appropriate given they already have access at the Metadata level.
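As an added example (not code from the aws-iam mod), the Python below parses rows of this table in the concatenated form in which the hub exports it (permission, grant level and help text run together), groups actions by grant level, and emits an IAM policy for one level with an explicit Deny for the Guardrails-managed resources the help text says are denied. The nesting of the levels and the GUARDRAILS_PATH value are assumptions: the table says Guardrails resources are identified by path but never states the path.

```python
"""Parse the flattened permission table and emit a least-privilege IAM policy
for one Guardrails grant level.

Added example, not part of the aws-iam mod. The level nesting and the
Guardrails path below are assumptions; see the comments."""
import json
import re

# Grant levels named in the table. No level name is a prefix of another
# ("Owner" and "Operator" differ at the second character), so the order of
# the alternation does not matter.
GRANT_LEVELS = ("Whitelist", "Metadata", "Operator", "Owner", "None")

# Constructed sample rows, copied in the page's flattened form in which the
# permission, grant level and help text run together with no separator.
SAMPLE_ROWS = """\
iam:AttachUserPolicyWhitelistOwners can manage custom users. Management of Guardrails users is explicitly denied.
iam:CreateOpenIDConnectProviderNoneOpenID is not used in Guardrails accounts.
iam:GetRoleMetadata
iam:ListRolesMetadata
iam:PassRoleOwnerOwner needs PassRole to allow creation of IAM roles for EC2. PassRole for Guardrails roles is explicitly denied.
iam:TagRoleOperator
sts:AssumeRoleOperatorAssuming Guardrails roles (determined by path) is explicitly denied.
sts:DecodeAuthorizationMessageMetadataUsers with access to Metadata are granted the ability to decode any authorization failure messages they receive.
"""

# A row is "<service>:<Action><Level><optional help>". The lazy quantifier on
# the action stops at the first level name, which is the true boundary
# because no IAM action name in the table contains a level name.
ROW_RE = re.compile(
    r"^(?P<perm>[a-z0-9-]+:[A-Za-z0-9]+?)"
    r"(?P<level>" + "|".join(GRANT_LEVELS) + r")"
    r"(?P<help>.*)$"
)


def parse_rows(text):
    """Split each flattened row into a (permission, level, help) tuple."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        rows.append((m["perm"], m["level"], m["help"].strip()))
    return rows


# Assumed nesting of the levels: Metadata is read-only, Operator adds tagging
# and role assumption, Owner adds everything else. The table's help text says
# Owners may use the Whitelist actions, so Owner includes them; None is never
# granted.
LEVEL_INCLUDES = {
    "Metadata": {"Metadata"},
    "Operator": {"Metadata", "Operator"},
    "Owner": {"Metadata", "Operator", "Owner", "Whitelist"},
}

# Placeholder: the table says Guardrails resources are told apart by their IAM
# path but never states that path, so substitute your own.
GUARDRAILS_PATH = "/guardrails-path-placeholder/"


def build_policy(level, rows, guardrails_path=GUARDRAILS_PATH):
    """Return an IAM policy document for `level` built from the parsed rows.

    Every allowed action whose help text says it is "explicitly denied" for
    Guardrails resources gets a matching explicit Deny scoped to the
    Guardrails path. An explicit Deny always wins over an Allow, which is the
    behaviour the table describes."""
    wanted = LEVEL_INCLUDES[level]
    allowed = sorted(perm for perm, lvl, _ in rows if lvl in wanted)
    denied = sorted(perm for perm, lvl, help_ in rows
                    if lvl in wanted and "explicitly denied" in help_)
    statements = [{
        "Sid": f"{level}Allow",
        "Effect": "Allow",
        "Action": allowed,
        "Resource": "*",
    }]
    if denied:
        statements.append({
            "Sid": "DenyGuardrailsManaged",
            "Effect": "Deny",
            "Action": denied,
            "Resource": [f"arn:aws:iam::*:{kind}{guardrails_path}*"
                         for kind in ("role", "user", "group", "policy")],
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    policy = build_policy("Operator", parse_rows(SAMPLE_ROWS))
    print(json.dumps(policy, indent=2))
```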

Version: 5.32.0
Released On: Sep 11, 2023
Release Notes

5.32.0 (2023-09-11)

Control Types

Added

  • AWS > IAM > User > Login Profile

Policy Types

Added

  • AWS > IAM > User > Login Profile

Action Types

Added

  • AWS > IAM > User > Delete Login Profile

5.31.2 (2023-09-07)

Bug fixes

  • A few policy values would sometimes fail to evaluate correctly if the mod was installed on TE v5.42.1. We've fixed this issue and such policy values will now be evaluated correctly.

5.31.1 (2023-08-11)

Bug fixes

  • Turbot stack controls would sometimes fail to update IAM policies and Role Policy Attachments if the Terraform plan in the stack's source policy was updated to rename a policy or change a policy's description. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.0 or higher.
  • We've removed support for the now retired aws-portal:* permissions. Things will continue to work smoothly as before.

5.31.0 (2023-08-03)

What's new?

  • Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed; your existing configurations and settings will continue to work as before.

Policy Types

Added

  • AWS > IAM > Role > Active > Quarantine Policy Name
  • AWS > IAM > Role > Approved > Quarantine Policy Name

Action Types

Added

  • AWS > IAM > Role > Attach Inline Policy
  • AWS > IAM > Role > Attach Quarantine policy
  • AWS > IAM > Role > Detach Quarantine policy

5.30.0 (2023-07-13)

Bug fixes

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Policy Types

Added

  • AWS > IAM > User > Active > Recently Used

5.29.0 (2023-06-30)

What's new?

  • We've added the new fine-grained account:*, consolidatedbilling:*, billing:*, freetier:*, invoicing:*, payments:*, and tax:* permissions which are replacing the existing aws-portal:* permissions soon. Things will continue to work smoothly as before.

5.28.0 (2023-06-16)

What's new?

  • Resource metadata will now also include createdBy details in Turbot CMDB.

5.27.1 (2023-05-03)

What's new?

  • Added support for iam:CreateAccountAlias and iam:DeleteAccountAlias real-time events.

5.27.0 (2023-04-06)

What's new?

  • Added support for aws_iam_policy_document Terraform resource for AWS > IAM > Policy.

Bug fixes

  • We've updated the runtime of the lambda functions to Node 16. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

5.26.6 (2023-03-23)

Bug fixes

  • The AWS > IAM > User > Turbot Access Key > Rotation control would fail to rotate the Turbot Access Key correctly after x days if the AWS > IAM > User > Turbot Access Key > Rotation policy was set to Enforce: x day(s). This is now fixed.

5.26.5 (2023-02-02)

Bug fixes

  • In v5.26.4, we fixed an issue where Turbot would incorrectly upsert Role Policy Attachments via real-time create event when the AWS > IAM > Role > Role Policy Attachments > CMDB was set to Enforce: Disabled. Turns out that the fix did not cover all cases of how the Role Policy Attachments could be upserted incorrectly in Turbot. We've now taken care of all such cases and will not upsert Role Policy Attachments into Turbot CMDB via real-time create event if the CMDB policy is set to Skip or Enforce: Disabled.

5.26.4 (2023-01-11)

Bug fixes

  • Turbot would incorrectly upsert Role Policy Attachments via real-time create event when the AWS > IAM > Role > Role Policy Attachments > CMDB was set to Enforce: Disabled. The resource eventually got deleted from Turbot via the AWS > IAM > Role > Role Policy Attachments > CMDB control but this create-delete step was unnecessary. We've now handled this better and will not upsert the resource into Turbot CMDB via real-time create event if the CMDB policy is set to Skip or Enforce: Disabled.

5.26.3 (2022-12-20)

Bug fixes

  • The AWS > IAM > Role > Policy > Trusted Access control would go into an error state due to a mishandled internal variable. This is fixed and the control will work as expected.

5.26.2 (2022-12-13)

Bug fixes

  • Previously, for any Inline Policies or Policy Attachments missing from Turbot, we would overlook those resources and not process any of their real-time update events. From now on, for any such update event, we will try to discover all missing resources and upsert them into Turbot CMDB, so that users can manage their resources more reliably and consistently than before.

5.26.1 (2022-09-27)

Bug fixes

  • We’ve made a few GraphQL query improvements in the AWS > IAM > Root controls to be lighter and more reliable. You won’t notice any difference but things will now run quicker and smoother than before.

5.26.0 (2022-07-18)

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
  • README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
  • Users can now also delete existing Groups, Roles and Users regardless of their creation date. To get started, set the corresponding approved policy to Enforce: Delete unapproved.

Bug fixes

  • In rare instances, the AWS > IAM > Role > CMDB control would not fetch the partition value of the account from the AWS > Account > Partition policy correctly and thus would move to an Invalid state. All bases are now covered to fetch the partition value correctly and the control will now work as expected.

Action Types

Added

  • AWS > IAM > Access Analyzer > Delete from AWS
  • AWS > IAM > Access Analyzer > Set Tags
  • AWS > IAM > Access Analyzer > Skip alarm for Active control
  • AWS > IAM > Access Analyzer > Skip alarm for Active control [90 days]
  • AWS > IAM > Access Analyzer > Skip alarm for Approved control
  • AWS > IAM > Access Analyzer > Skip alarm for Approved control [90 days]
  • AWS > IAM > Access Analyzer > Skip alarm for Tags control
  • AWS > IAM > Access Analyzer > Skip alarm for Tags control [90 days]
  • AWS > IAM > Access Key > Delete from AWS
  • AWS > IAM > Access Key > Skip alarm for Active control
  • AWS > IAM > Access Key > Skip alarm for Active control [90 days]
  • AWS > IAM > Group > Delete from AWS
  • AWS > IAM > Group > Inline Policy > Delete from AWS
  • AWS > IAM > Group > Inline Policy > Skip alarm for Approved control
  • AWS > IAM > Group > Inline Policy > Skip alarm for Approved control [90 days]
  • AWS > IAM > Group > Skip alarm for Active control
  • AWS > IAM > Group > Skip alarm for Active control [90 days]
  • AWS > IAM > Group > Skip alarm for Approved control
  • AWS > IAM > Group > Skip alarm for Approved control [90 days]
  • AWS > IAM > OpenID Connect > Delete from AWS
  • AWS > IAM > OpenID Connect > Set Tags
  • AWS > IAM > OpenID Connect > Skip alarm for Active control
  • AWS > IAM > OpenID Connect > Skip alarm for Active control [90 days]
  • AWS > IAM > OpenID Connect > Skip alarm for Approved control
  • AWS > IAM > OpenID Connect > Skip alarm for Approved control [90 days]
  • AWS > IAM > OpenID Connect > Skip alarm for Tags control
  • AWS > IAM > OpenID Connect > Skip alarm for Tags control [90 days]
  • AWS > IAM > Policy > Delete from AWS
  • AWS > IAM > Policy > Skip alarm for Active control
  • AWS > IAM > Policy > Skip alarm for Active control [90 days]
  • AWS > IAM > Policy > Skip alarm for Approved control
  • AWS > IAM > Policy > Skip alarm for Approved control [90 days]
  • AWS > IAM > Role > Delete from AWS
  • AWS > IAM > Role > Inline Policy > Delete from AWS
  • AWS > IAM > Role > Inline Policy > Skip alarm for Approved control
  • AWS > IAM > Role > Inline Policy > Skip alarm for Approved control [90 days]
  • AWS > IAM > Role > Set Tags
  • AWS > IAM > Role > Skip alarm for Active control
  • AWS > IAM > Role > Skip alarm for Active control [90 days]
  • AWS > IAM > Role > Skip alarm for Approved control
  • AWS > IAM > Role > Skip alarm for Approved control [90 days]
  • AWS > IAM > Role > Skip alarm for Tags control
  • AWS > IAM > Role > Skip alarm for Tags control [90 days]
  • AWS > IAM > Server Certificate > Delete from AWS
  • AWS > IAM > Server Certificate > Set Tags
  • AWS > IAM > Server Certificate > Skip alarm for Active control
  • AWS > IAM > Server Certificate > Skip alarm for Active control [90 days]
  • AWS > IAM > Server Certificate > Skip alarm for Approved control
  • AWS > IAM > Server Certificate > Skip alarm for Approved control [90 days]
  • AWS > IAM > Server Certificate > Skip alarm for Tags control
  • AWS > IAM > Server Certificate > Skip alarm for Tags control [90 days]
  • AWS > IAM > User > Delete from AWS
  • AWS > IAM > User > Inline Policy > Delete from AWS
  • AWS > IAM > User > Inline Policy > Skip alarm for Approved control
  • AWS > IAM > User > Inline Policy > Skip alarm for Approved control [90 days]
  • AWS > IAM > User > Set Tags
  • AWS > IAM > User > Skip alarm for Active control
  • AWS > IAM > User > Skip alarm for Active control [90 days]
  • AWS > IAM > User > Skip alarm for Approved control
  • AWS > IAM > User > Skip alarm for Approved control [90 days]
  • AWS > IAM > User > Skip alarm for Tags control
  • AWS > IAM > User > Skip alarm for Tags control [90 days]

5.25.0 (2022-06-08)

Control Types

Added

  • AWS > IAM > Access Analyzer > Configured

Policy Types

Added

  • AWS > IAM > Access Analyzer > Configured
  • AWS > IAM > Access Analyzer > Configured > Claim Precedence
  • AWS > IAM > Access Analyzer > Configured > Source

5.24.0 (2022-05-05)

Resource Types

Added

  • AWS > IAM > OpenID Connect

Control Types

Added

  • AWS > IAM > OpenID Connect > Active
  • AWS > IAM > OpenID Connect > Approved
  • AWS > IAM > OpenID Connect > CMDB
  • AWS > IAM > OpenID Connect > Configured
  • AWS > IAM > OpenID Connect > Discovery
  • AWS > IAM > OpenID Connect > Tags
  • AWS > IAM > OpenID Connect > Usage

Policy Types

Added

  • AWS > IAM > OpenID Connect > Active
  • AWS > IAM > OpenID Connect > Active > Age
  • AWS > IAM > OpenID Connect > Active > Last Modified
  • AWS > IAM > OpenID Connect > Approved
  • AWS > IAM > OpenID Connect > Approved > Custom
  • AWS > IAM > OpenID Connect > Approved > Usage
  • AWS > IAM > OpenID Connect > CMDB
  • AWS > IAM > OpenID Connect > Configured
  • AWS > IAM > OpenID Connect > Configured > Claim Precedence
  • AWS > IAM > OpenID Connect > Configured > Source
  • AWS > IAM > OpenID Connect > Tags
  • AWS > IAM > OpenID Connect > Tags > Template
  • AWS > IAM > OpenID Connect > Usage
  • AWS > IAM > OpenID Connect > Usage > Limit
  • AWS > IAM > Role > Active > Recently Used
  • AWS > Turbot > Permissions > Custom Levels [Folder]

Action Types

Added

  • AWS > IAM > OpenID Connect > Delete
  • AWS > IAM > OpenID Connect > Router
  • AWS > IAM > OpenID Connect > Update Tags

5.23.2 (2022-05-02)

Bug fixes

  • The AWS > IAM > User > Turbot Access Key > Rotation control would stay in a TBD state if there were no access keys available for the user in Turbot CMDB and the AWS > IAM > User > Turbot Access Key policy was not set. If in TBD, the control will now re-run and move to its intended state correctly.

5.23.1 (2022-04-29)

Bug fixes

  • The AWS > IAM > User > Turbot Access Key > Rotation control would sometimes create 2 access keys for users inadvertently if the AWS > IAM > User > Turbot Access Key policy was not set by the time the 1st key was created and upserted in Turbot. The control will now wait a few minutes to realize the policy setting for Turbot Access Key and prevent the creation of a 2nd access key.

5.23.0 (2022-04-18)

What's new?

  • The AWS > Turbot > IAM stack would remove user group memberships for users managed by Turbot when they were attached to groups created outside of Turbot. You can now also manage user group memberships non-exclusively via Turbot. To get started, set the AWS > Turbot > Permissions > User > Group Membership Mode policy.

Policy Types

Added

  • AWS > Turbot > Permissions > User > Group Membership Mode

5.22.4 (2022-03-29)

Bug fixes

  • The AWS > Turbot > IAM stack would sometimes incorrectly delete resources if the AWS > Turbot > Permissions policy was switched from Skip to Enforce: User Mode or Enforce: Role Mode and the AWS > Turbot > Permissions > Source policy was empty. This is fixed and the stack will now not attempt to destroy any resources until the source policy is evaluated correctly.

5.22.3 (2022-03-25)

Bug fixes

  • The AWS > IAM > Role > Policy Attachments > Approved > Compiled Rules policy was evaluated incorrectly if the AWS > IAM > Role > Policy Attachments > Required > Items policy included a list of IAM policies. This is now fixed.

5.22.2 (2022-02-18)

Bug fixes

  • The AWS > IAM > Group > Approved control would go into an error state for Turbot managed groups if the AWS > IAM > Group > Approved policy was set to check or enforce mode and the AWS > IAM > Group > Approved > Turbot policy was set to Force Approved for Turbot Group. This is fixed and groups will now be Approved for such cases.

5.22.1 (2022-02-17)

Bug fixes

  • The AWS > IAM > User > Group Membership > CMDB control would go into an error state if the user's group membership was revoked. This is fixed and the group membership will now be deleted from Turbot for such cases.

5.22.0 (2022-02-11)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.

Bug fixes

  • The AWS > Turbot > Permissions > Source policy would not evaluate correctly if the number of AWS > IAM > Login User Names exceeded 300. This is now fixed.
  • The AWS > Turbot > IAM stack will now not create any service level roles and their role policy attachments if the AWS > Turbot > Permissions policy for an account is set to Enforce: User Mode. This will greatly reduce the number of unnecessary resources that Turbot creates and manages via the stack, and the stack will now run lighter and more reliably than before.
  • We've improved the process of deleting resources from Turbot if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.

Policy Types

Added

  • AWS > IAM > Access Analyzer > Approved > Custom
  • AWS > IAM > Group > Approved > Custom
  • AWS > IAM > Group > Inline Policy > Approved > Custom
  • AWS > IAM > Policy > Approved > Custom
  • AWS > IAM > Role > Approved > Custom
  • AWS > IAM > Role > Inline Policy > Approved > Custom
  • AWS > IAM > Server Certificate > Approved > Custom
  • AWS > IAM > User > Approved > Custom
  • AWS > IAM > User > Inline Policy > Approved > Custom

5.21.0 (2022-01-12)

What's new?

  • AWS/IAM/Owner, AWS/IAM/Operator and AWS/IAM/Metadata now include permissions for Access-Analyzer Policy Generation and tagging permissions for Instance Profile, MFADevice, Policy, OpenIDConnectProvider and SAMLProvider.

Bug fixes

  • We've made some improvements to the AWS > Turbot > Permissions > Source policy. There is no noticeable difference and things will continue to run smoothly as expected.

5.20.3 (2021-11-11)

Bug fixes

  • We've improved the control table's messages for the AWS > IAM > Account Password Policy control to be more precise and helpful. Previously, to understand why one of these controls is in Alarm state, you would need to find the current password policy settings from the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.20.2 (2021-10-27)

Bug fixes

  • The AWS > IAM > Account Password Policy > Settings control would sometimes incorrectly evaluate the outcome for HardExpiry when the AWS > IAM > Account Password Policy > Settings > Hard Expiry policy was set to Disabled. This is now fixed.

  • In v5.8.0, we deprecated the AWS > IAM > Role > Trust Relationship Statements > Approved control and its policies in favour of the new AWS > IAM > Role > Policy > Trusted Access > Approved control; however, because the AWS > IAM > Role > Trust Relationship Statements > Approved > Rules policy adds Object Control List (OCL) functionality not available in the AWS > IAM > Role > Policy > Trusted Access > Approved control, this policy is still useful.

    The AWS > IAM > Role > Trust Relationship Statements > Approved control, and the AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules and AWS > IAM > Role > Trust Relationship Statements > Approved > Rules policies are no longer considered deprecated and are available for use again.

Control Types

Renamed

  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] to AWS > IAM > Role > Trust Relationship Statements
  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved

Policy Types

Renamed

  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] to AWS > IAM > Role > Trust Relationship Statements
  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved
  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Compiled Rules [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules
  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Rules
  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Accounts [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Identity Providers [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Identity Providers [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Services [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Services [Deprecated]

5.20.1 (2021-09-30)

Bug fixes

  • The AWS > IAM > Account Summary > CMDB control will now re-run every 24 hours to fetch the latest account summary details.

5.20.0 (2021-09-23)

What's new?

  • Users can now deactivate access keys from the AWS > IAM > Access Key > Active control. To get started, set the AWS > IAM > Access Key > Active policy to Enforce: Deactivate inactive with x days warning.

Action Types

Added

  • AWS > IAM > Access Key > Deactivate

5.19.2 (2021-09-17)

Bug fixes

  • In v5.18.0, we updated the AWS > Turbot > Permissions > Terraform Version policy value to 0.15.*. Due to this update, the AWS > Turbot > IAM control would sometimes go into an error state if the AWS > Turbot > Permissions policy was set to Enforce: User Mode. We've reverted this change temporarily, and the AWS > Turbot > Permissions > Terraform Version policy value is now set to 0.11.* to reduce the possibility of errors.

5.19.1 (2021-09-07)

Bug fixes

  • The AWS > IAM > Policy > Statements > Approved control would incorrectly go into an Invalid state if all statements in the policy were evaluated to be rejected and the AWS > IAM > Policy > Statements > Approved policy was set to Check: Approved. This is fixed and the control will now move into an Alarm state for such cases.

5.19.0 (2021-09-03)

Resource Types

Added

  • AWS > IAM > Access Analyzer
  • AWS > IAM > Server Certificate

Control Types

Added

  • AWS > IAM > Access Analyzer > Active
  • AWS > IAM > Access Analyzer > Approved
  • AWS > IAM > Access Analyzer > CMDB
  • AWS > IAM > Access Analyzer > Discovery
  • AWS > IAM > Access Analyzer > Tags
  • AWS > IAM > Server Certificate > Active
  • AWS > IAM > Server Certificate > Approved
  • AWS > IAM > Server Certificate > CMDB
  • AWS > IAM > Server Certificate > Discovery
  • AWS > IAM > Server Certificate > Tags
  • AWS > IAM > Server Certificate > Usage

Policy Types

Added

  • AWS > IAM > Access Analyzer > Active
  • AWS > IAM > Access Analyzer > Active > Age
  • AWS > IAM > Access Analyzer > Active > Last Modified
  • AWS > IAM > Access Analyzer > Approved
  • AWS > IAM > Access Analyzer > Approved > Regions
  • AWS > IAM > Access Analyzer > Approved > Usage
  • AWS > IAM > Access Analyzer > CMDB
  • AWS > IAM > Access Analyzer > Regions
  • AWS > IAM > Access Analyzer > Tags
  • AWS > IAM > Access Analyzer > Tags > Template
  • AWS > IAM > Server Certificate > Active
  • AWS > IAM > Server Certificate > Active > Age
  • AWS > IAM > Server Certificate > Active > Last Modified
  • AWS > IAM > Server Certificate > Approved
  • AWS > IAM > Server Certificate > Approved > Usage
  • AWS > IAM > Server Certificate > CMDB
  • AWS > IAM > Server Certificate > Tags
  • AWS > IAM > Server Certificate > Tags > Template
  • AWS > IAM > Server Certificate > Usage
  • AWS > IAM > Server Certificate > Usage > Limit

Action Types

Added

  • AWS > IAM > Access Analyzer > Delete
  • AWS > IAM > Access Analyzer > Router
  • AWS > IAM > Access Analyzer > Update Tags
  • AWS > IAM > Server Certificate > Delete
  • AWS > IAM > Server Certificate > Router
  • AWS > IAM > Server Certificate > Update Tags

5.18.0 (2021-07-28)

What's new?

  • The AWS > Turbot > Permissions > Terraform Version policy will now be set to 0.15.* by default for workspaces on TE v5.37.7 or higher. For workspaces on TE versions lower than 5.37.7, the policy will remain set to 0.11.* by default.

5.17.0 (2021-07-23)

Policy Types

Added

  • AWS > Turbot > Permissions > Role > Session Timeout
  • AWS > Turbot > Permissions > User > Access Keys Enabled
  • AWS > Turbot > Permissions > User > Session Timeout

5.16.0 (2021-07-22)

What's new?

  • AWS/IAM/Metadata now includes cost explorer permissions.

Bug fixes

  • The AWS > IAM > Role > Policy > Trusted Access control incorrectly evaluated a policy statement if the statement's Principal was a Federated user and the AWS > IAM > Role > Policy > Trusted Access > Identity Providers policy was set to *. This is now fixed.

    The trusted access control also didn't evaluate a policy statement as expected if the statement included an empty Condition. This is also fixed.

5.15.0 (2021-07-08)

What's new?

  • In a previous version, we added the ability to delete and stop tracking changes to group inline policies and group policy attachments in Turbot CMDB. We've now added this ability across all IAM resource types to help you manage IAM resources better.
  • We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.14.0 (2021-07-06)

What's new?

  • Users can now delete and stop tracking changes to group inline policies and group policy attachments in Turbot CMDB by setting the AWS > IAM > Group > Inline Policy > CMDB and AWS > IAM > Group > Group Policy Attachments > CMDB policies to Enforce: Disabled respectively.

  • The AWS > Turbot > IAM control will now use the AWS > Turbot > Permissions > Terraform Version policy instead of Turbot > Stack Terraform Version [Default] policy to configure resources. The AWS > Turbot > Permissions > Terraform Version policy is read-only and by default set to 0.11.* as it's managed by Turbot.

  • We've updated the AWS > Turbot > Permissions > Source policy to be read-only as it's managed by Turbot.

Policy Types

Added

  • AWS > Turbot > Permissions > Terraform Version

5.13.0 (2021-06-25)

What's new?

  • AWS/IAM/Owner now includes service specific credential and SAML provider permissions.

    AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-iam policy now includes access-analyzer:*.

5.12.0 (2021-06-18)

What's new?

  • IAM user mode is now available to use for permission management in AWS accounts. User mode is another way to manage permissions in an AWS account, with role mode being the primary way today. Instead of using IAM roles, user mode uses IAM users and groups to grant users access to AWS accounts.

    We recommend using role mode unless you have a specific requirement to use IAM users and groups.

    To get started with user mode, set the policy AWS > Turbot > Permissions to Enforce: User Mode.

Control Types

Added

  • AWS > IAM > User > Turbot Access Key
  • AWS > IAM > User > Turbot Access Key > Rotation

Policy Types

Added

  • AWS > IAM > User > Turbot Access Key
  • AWS > IAM > User > Turbot Access Key > Rotation
  • AWS > IAM > User > Turbot Secret Access Key
  • AWS > Turbot > Permissions > User Boundary

Removed

  • AWS > Turbot > Permissions > User > Name Prefix

Action Types

Added

  • AWS > IAM > User > Create or Rotate Turbot Access Key

5.11.3 (2021-06-07)

Bug fixes

  • The ResponseMetadata.RequestId property for AWS > IAM > User has now been made dynamic to avoid unnecessary notifications in the activity tab.

5.11.2 (2021-05-17)

Bug fixes

  • The AWS > IAM > Credential Report > CMDB control sometimes wouldn't run at a six-hour interval on a consistent basis. This is now fixed.

5.11.1 (2021-04-16)

Bug fixes

  • We've made some changes that are too small to notice or too difficult to explain. Everything will continue to run smoothly and as expected.

5.11.0 (2021-04-08)

What's new?

  • Permissions for IAM access analyzers will now also be managed under the AWS > IAM > Enabled policy. To get started, set this policy to Enabled.

Bug fixes

  • We’ve made a few improvements in the GraphQL queries for various controls, policies, and actions. You won’t notice any difference, but things should run lighter and quicker than before.

5.10.0 (2021-02-23)

What's new?

  • We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.9.0 (2021-02-05)

Bug fixes

  • We have decreased the frequency of how often the AWS > IAM > Credential Report > CMDB control runs from every 4 hours to every 6 hours to better avoid throttling errors when attempting to generate the credential report.

Control Types

Added

  • AWS > IAM > Stack

Policy Types

Added

  • AWS > IAM > Stack
  • AWS > IAM > Stack > Secret Variables
  • AWS > IAM > Stack > Source
  • AWS > IAM > Stack > Terraform Version
  • AWS > IAM > Stack > Variables

5.8.3 (2021-01-28)

Bug fixes

  • The AWS > IAM > Policy > CMDB control would fail to update when a policy was attached to or detached from a group, user or a role. This is now fixed.

5.8.2 (2021-01-13)

Bug fixes

  • The AWS > IAM > Policy > Statements > Approved control would sometimes go into error if there was only one statement in the IAM policy. This has been fixed.

    We've also improved the logging in the AWS > IAM > Policy > Statements > Approved control to better handle policies with a large number of statements to prevent the control from moving to error state.

  • The language in the details table for the AWS > IAM > Account Password Policy > Settings control has been updated to be more clear when the control is in alarm.

Action Types

Added

  • AWS > IAM > Policy > Create Version

Removed

  • AWS > IAM > Policy > Update Statements

5.8.1 (2020-12-22)

What's new?

  • The AWS > IAM > Account Password Policy > Settings control will now display the result for each password policy item in the control data to easily identify which items passed/failed.

Bug fixes

  • Controls run faster now when in the tbd and skipped states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.

5.8.0 (2020-12-11)

Warning

  • The AWS > IAM > Role > Trust Relationship Statements > Approved control has been deprecated and replaced by the AWS > IAM > Role > Policy > Trusted Access > Approved control. In the next major version (v6.0.0), the AWS > IAM > Role > Trust Relationship Statements control will be removed.

    Please note that a key difference between these controls is that the new AWS > IAM > Role > Policy > Trusted Access > Approved control will only check trust relationship policy statements that grant access with "Effect": "Allow", so statements with "Effect": "Deny" will not be checked.

    We recommend that you migrate any AWS > IAM > Role > Trust Relationship Statements > Approved policy settings currently set in your workspace to instead use the new AWS > IAM > Role > Policy > Trusted Access policies based on the mappings below:

    Old Policy                                                                              | New Policy
    AWS > IAM > Role > Trust Relationship Statements                                        | AWS > IAM > Role > Policy > Trusted Access
    AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts           | AWS > IAM > Role > Policy > Trusted Access > Accounts
    AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Identity Providers | AWS > IAM > Role > Policy > Trusted Access > Identity Providers
    AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Services           | AWS > IAM > Role > Policy > Trusted Access > Services
    AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules             | N/A
    AWS > IAM > Role > Trust Relationship Statements > Approved > Rules                      | N/A
    N/A                                                                                     | AWS > IAM > Role > Policy > Trusted Access > Organization Restrictions
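    The Allow-only trust relationship check described above, together with the edge cases noted elsewhere in this changelog (a Federated principal when the identity providers allow-list is *, an empty Condition element, and account IDs supplied as strings or numbers), as an added Python example. This is constructed for illustration and is not the mod's own control code; the TRUSTED allow-lists, the sample trust policy and the account IDs in it are assumptions, and the approved/rejected/skipped verdicts are this example's own vocabulary rather than the control's states.

```python
"""Constructed example: classify IAM role trust-policy statements against allow-lists."""
import json

# Constructed allow-lists. In the real control these would come from the
# Trusted Access > Accounts / Services / Identity Providers policies; the
# values here are assumptions for this example only.
TRUSTED = {
    "accounts": {111111111111, "222222222222"},  # mixed int/str on purpose
    "services": {"ec2.amazonaws.com"},
    "identity_providers": {"*"},                 # "*" trusts any federated provider
}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def normalize_accounts(accounts):
    """Account IDs may be supplied as ints or strings; compare them as strings."""
    return {str(account) for account in accounts}


def principal_entries(principal):
    """Yield (kind, value) pairs from a Principal element.

    Principal is either the string "*" or a dict keyed by AWS, Service or
    Federated whose values are a string or a list of strings.
    """
    if principal == "*":
        yield ("*", "*")
        return
    for kind, values in principal.items():
        for value in _as_list(values):
            yield (kind, value)


def account_from_aws_principal(value):
    """Return the account ID from an AWS principal value.

    Accepts a bare 12-digit ID, a root ARN or a role/user ARN. Returns "*"
    for the wildcard and None when no account ID can be found.
    """
    if value == "*":
        return "*"
    if value.startswith("arn:"):
        parts = value.split(":")
        return parts[4] if len(parts) >= 6 and parts[4] else None
    return value


def check_statement(statement, trusted):
    """Classify one statement: ("skipped"|"approved"|"rejected", reason).

    Only "Effect": "Allow" statements are evaluated; Deny statements are
    skipped. An empty Condition object is treated exactly like a missing one,
    so it neither breaks evaluation nor changes the principal check.
    """
    if statement.get("Effect") != "Allow":
        return ("skipped", "Deny statement is not evaluated")
    condition = statement.get("Condition") or {}  # {} and None collapse to {}
    rejections = []
    for kind, value in principal_entries(statement.get("Principal", {})):
        if kind == "*":
            rejections.append("wildcard principal")
        elif kind == "AWS":
            account = account_from_aws_principal(value)
            ok = account is not None and (
                account in trusted["accounts"] or "*" in trusted["accounts"])
            if not ok:
                rejections.append(f"account {account!r} not trusted")
        elif kind == "Service":
            if "*" not in trusted["services"] and value not in trusted["services"]:
                rejections.append(f"service {value!r} not trusted")
        elif kind == "Federated":
            providers = trusted["identity_providers"]
            if "*" not in providers and value not in providers:
                rejections.append(f"identity provider {value!r} not trusted")
        else:
            rejections.append(f"unknown principal type {kind!r}")
    if rejections:
        return ("rejected", "; ".join(rejections))
    scope = "conditional" if condition else "unconditional"
    return ("approved", f"all principals trusted ({scope} statement)")


def evaluate_trust_policy(policy_json, trusted):
    """Evaluate every statement; return (state, [(sid, verdict, reason), ...]).

    state is "alarm" when any Allow statement is rejected, otherwise "ok".
    """
    policy = json.loads(policy_json)
    normalised = dict(trusted, accounts=normalize_accounts(trusted["accounts"]))
    results = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        sid = statement.get("Sid", f"statement-{index}")
        verdict, reason = check_statement(statement, normalised)
        results.append((sid, verdict, reason))
    state = "alarm" if any(v == "rejected" for _, v, _ in results) else "ok"
    return state, results


# Constructed sample trust policy covering the cases discussed in the text.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AccountRoot", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Condition": {}},
        {"Sid": "SamlFederated", "Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
         "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/corp"}},
        {"Sid": "DenyEveryone", "Effect": "Deny", "Action": "sts:AssumeRole",
         "Principal": "*"},
        {"Sid": "ServiceRoles", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": ["ec2.amazonaws.com", "lambda.amazonaws.com"]}},
    ],
})

if __name__ == "__main__":
    state, results = evaluate_trust_policy(SAMPLE_TRUST_POLICY, TRUSTED)
    print(state)
    for sid, verdict, reason in results:
        print(f"{sid:14} {verdict:9} {reason}")
```

    Run as a script, it reports the policy as alarm: the two account and federated statements are approved (the first despite its empty Condition), the Deny statement is skipped rather than rejected, and the service statement is rejected because lambda.amazonaws.com is not on the constructed services allow-list.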

Bug fixes

  • The AWS > IAM > User > Discovery and AWS > IAM > Policy > Discovery controls would go into an error state if the resources had alphanumeric characters in their name. This is now fixed.

Control Types

Added

  • AWS > IAM > Role > Policy
  • AWS > IAM > Role > Policy > Trusted Access

Renamed

  • AWS > IAM > Role > Trust Relationship Statements to AWS > IAM > Role > Trust Relationship Statements [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements > Approved to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated]

Policy Types

Added

  • AWS > IAM > Role > Policy
  • AWS > IAM > Role > Policy > Trusted Access
  • AWS > IAM > Role > Policy > Trusted Access > Accounts
  • AWS > IAM > Role > Policy > Trusted Access > Identity Providers
  • AWS > IAM > Role > Policy > Trusted Access > Organization Restrictions
  • AWS > IAM > Role > Policy > Trusted Access > Services
  • AWS > IAM > Trusted Accounts [Default]
  • AWS > IAM > Trusted Identity Providers [Default]
  • AWS > IAM > Trusted Organizations [Default]
  • AWS > IAM > Trusted Services [Default]

Renamed

  • AWS > IAM > Role > Trust Relationship Statements to AWS > IAM > Role > Trust Relationship Statements [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements > Approved to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Compiled Rules [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements > Approved > Rules to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Accounts [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Identity Providers to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Identity Providers [Deprecated]
  • AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Services to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Services [Deprecated]

Action Types

Added

  • AWS > IAM > Role > Set Policy Trusted Access

5.7.7 (2020-11-12)

Bug fixes

  • The inline policies and policy documents for AWS > IAM > Group > Inline Policy, AWS > IAM > Role > Inline Policy and AWS > IAM > User > Inline Policy resources will now be consistently sorted and stored in the CMDB.

  • We've removed the ResponseMetadata property from the CMDB data of role and group resources since it was getting updated unnecessarily.

5.7.6 (2020-11-06)

Bug fixes

  • The attached policies and inline policies for AWS > IAM > Group, AWS > IAM > Role, and AWS > IAM > User resources will now be consistently sorted and stored in the CMDB.

5.7.5 (2020-11-06)

Bug fixes

  • It turns out that the AWS > IAM > Role Policy Attachment activity tab would still show unnecessary reference errors whenever an IAM policy was attached to or detached from a role. This issue has now been fixed and things should run smoothly, as expected.

5.7.4 (2020-11-02)

Bug fixes

5.7.3 (2020-10-30)

Bug fixes

  • The AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts policy now also accepts AWS account IDs as strings for more flexibility.
  • We've updated the AWS > IAM > Role > Trust Relationship Statements > Approved > Rules > Compiled Rules policy to be read-only as it's managed by Turbot.

5.7.2 (2020-10-23)

Bug fixes

  • We've improved a few queries for the AWS > IAM > Group > Policy Attachments > Required, AWS > IAM > Role > Policy Attachments > Required and AWS > IAM > User > Policy Attachments > Required controls. There's no noticeable difference, but things should run more smoothly now.

5.7.1 (2020-10-09)

Bug fixes

  • We have updated the descriptions for all of the AWS > IAM > Account Password Policy > Settings > * policies to include more information on each setting's purpose and its expected data type.

5.7.0 (2020-10-01)

What's new?

  • We've improved our event handling configuration and now filter which AWS events Turbot listens for based on resources' CMDB policies. If a resource's CMDB policy is not set to Enforce: Enabled, the EventBridge rules will be configured to not send any events for that resource. This will greatly reduce the number of unnecessary events that Turbot listens for and handles today.

Bug fixes

  • The AWS > IAM > Role Policy Attachment activity tab would show unnecessary reference errors whenever an IAM policy was attached to or detached from a role. This has now been fixed.

Policy Types

Added

  • AWS > IAM > Access Key > Active > Recently Used
  • AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-iam

Removed

  • AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-iam

5.6.8 (2020-09-10)

Bug fixes

  • The Enable password expiration days and Prevent password reuse properties, when unchecked in the AWS console, were not updated properly in the AWS > IAM > Account Password Policy > CMDB data, causing the AWS > CIS v1 > 1 Identity and Access Management > 1.10 Ensure IAM password policy prevents password reuse (Scored) control to be inconsistent. This is fixed, and the AWS > CIS v1 > 1 Identity and Access Management > 1.10 Ensure IAM password policy prevents password reuse (Scored) control will now work correctly.

5.6.7 (2020-08-28)

Bug fixes

  • Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.

5.6.6 (2020-08-13)

Bug fixes

  • The AssumeRolePolicyDocument field for role resources is now properly and consistently sorted.
  • In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.
  • The AWS > IAM > Role > Policy Attachments > Required control will now remain in the skipped state for AWS service roles.

5.6.5 (2020-07-28)

Bug fixes

  • The AWS > Turbot > Permissions > Compiled > Account Permissions and AWS > Turbot > Permissions > Source policies often timed out during calculation if all AWS mods were installed and enabled at once. This issue has now been fixed.

5.6.4 (2020-07-10)

Bug fixes

  • Updated various resource configurations to provide better compatibility with AWS China regions.

5.6.3 (2020-07-03)

Bug fixes

  • Sometimes when updating CMDB for resources with tags that have empty string values, e.g., [{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.

5.6.2 (2020-06-23)

Bug fixes

  • The AWS > IAM > Access Key > CMDB control was not properly deleting access keys from CMDB that no longer existed in AWS. This has been fixed.

5.6.1 (2020-06-19)

Bug fixes

  • Although the data validation errors, which appear in various CMDB and Discovery controls, are not blockers, they look ugly in the UI and should be cleaned up. These errors have now been fixed.

5.6.0 (2020-06-17)

Control Types

Added

  • AWS > IAM > Access Key > Usage

Policy Types

Added

  • AWS > IAM > Access Key > Usage
  • AWS > IAM > Access Key > Usage > Limit
  • AWS > IAM > Group > Active > Budget
  • AWS > IAM > Group > Approved > Budget
  • AWS > IAM > Tags Template [Default]

Renamed

  • AWS > IAM > Access Key > Configured > Precedence to AWS > IAM > Access Key > Configured > Claim Precedence
  • AWS > IAM > Account Password Policy > Configured > Precedence to AWS > IAM > Account Password Policy > Configured > Claim Precedence
  • AWS > IAM > Group > Configured > Precedence to AWS > IAM > Group > Configured > Claim Precedence
  • AWS > IAM > Group > Group Policy Attachments > Configured > Precedence to AWS > IAM > Group > Group Policy Attachments > Configured > Claim Precedence
  • AWS > IAM > Instance Profile > Configured > Precedence to AWS > IAM > Instance Profile > Configured > Claim Precedence
  • AWS > IAM > Policy > Configured > Precedence to AWS > IAM > Policy > Configured > Claim Precedence
  • AWS > IAM > Role > Configured > Precedence to AWS > IAM > Role > Configured > Claim Precedence
  • AWS > IAM > Role > Inline Policy > Configured > Precedence to AWS > IAM > Role > Inline Policy > Configured > Claim Precedence
  • AWS > IAM > Role > Role Policy Attachments > Configured > Precedence to AWS > IAM > Role > Role Policy Attachments > Configured > Claim Precedence
  • AWS > IAM > Root > Configured > Precedence to AWS > IAM > Root > Configured > Claim Precedence
  • AWS > IAM > User > Configured > Precedence to AWS > IAM > User > Configured > Claim Precedence
  • AWS > IAM > User > Group Memberships > Configured > Precedence to AWS > IAM > User > Group Memberships > Configured > Claim Precedence
  • AWS > IAM > User > User Policy Attachments > Configured > Precedence to AWS > IAM > User > User Policy Attachments > Configured > Claim Precedence

5.5.3 (2020-06-11)

Bug fixes

  • Updating the inline policies of a user, group or role will now automatically update the CMDB of the parent user, group or role respectively.

5.5.2 (2020-06-02)

Bug fixes

  • The credential report CMDB control would sometimes error out when attempting to generate a new credential report. This issue has now been fixed.

5.5.1 (2020-05-26)

Bug fixes

  • After updating a role's trust policy, the role's AKA would be incorrectly updated to no longer include the AWS account ID, e.g., arn:aws:iam:::role/my-role. This has been fixed, and updating a role's trust policy will no longer cause the role's AKA to become malformed. However, roles that have already had their AKA modified will remain malformed, so in an upcoming version a control will be added that fixes these AKAs automatically. As this control is not available yet, a workaround to fix these roles' AKAs today is to re-run their CMDB controls.

5.5.0 (2020-05-19)

What's new?

  • Support for the policy values Enforce: User Mode and Check: User Mode has been temporarily withdrawn from the AWS > Turbot > Permissions policy. Please note that the change is backward compatible and will not affect any previous policy settings.

  • The AWS > Turbot > Permissions > Superuser Boundary policy, when set to No Boundary, disables the boundary policy settings on the superuser role. The change is supported in TE ^5.19.0.

  • The AWS > Turbot > Permissions > Lockdown > API Boundary policy allows you to define a list of APIs that will be allowed in the Turbot boundary policy. The change is supported in TE ^5.19.0.

Bug fixes

  • The AWS > IAM > Role > Boundary and AWS > IAM > User > Boundary controls will now remain in the skipped state for Turbot managed roles and users instead of the invalid state.

  • The AWS > IAM > Credential Report > CMDB control was not retrying properly if the credential report was in the middle of being created. This has been fixed.

Policy Types

Added

  • AWS > Turbot > Permissions > Lockdown > API Boundary
  • AWS > Turbot > Permissions > Superuser Boundary

5.4.2 (2020-05-08)

Bug fixes

  • After detaching a policy from a group, role, or user, the parent was not automatically updated with its current policy attachments. This has been fixed.
  • After creating a user, we would fail to create it in CMDB due to an incorrect resource parent when creating its user group membership resource. Users are now populating the workspace once again.
  • Newly created access keys were created incorrectly under the AWS account instead of the user. Now access keys are created under the user, which should be immensely more useful.

5.4.1 (2020-05-06)

Bug fixes

  • The default value of the AWS > IAM > Role > Boundary and AWS > IAM > User > Boundary policies was changed from Check or Enforce per AWS > Turbot > Permissions to Skip. Now any pre-existing boundary permissions for roles and users will not automatically be replaced as they are discovered by Turbot. If you would still like Turbot to enforce boundary permissions by default for roles and users, please set the AWS > IAM > Role > Boundary and AWS > IAM > User > Boundary policies to Check or Enforce per AWS > Turbot > Permissions.