@turbot/aws-iam

The aws-iam mod contains resource, control and policy definitions for AWS IAM service.

Resource Types

Resource types covered by this mod:

Permissions

Taking a look at permissions and associated grant levels for each permission for IAM:

Permission	Grant Level	Help
access-analyzer:ApplyArchiveRule	Owner
access-analyzer:CancelPolicyGeneration	Owner
access-analyzer:CreateAccessPreview	Owner
access-analyzer:CreateAnalyzer	Owner
access-analyzer:CreateArchiveRule	Owner
access-analyzer:DeleteAnalyzer	Owner
access-analyzer:DeleteArchiveRule	Owner
access-analyzer:GetAccessPreview	Metadata
access-analyzer:GetAnalyzedResource	Metadata
access-analyzer:GetAnalyzer	Metadata
access-analyzer:GetArchiveRule	Metadata
access-analyzer:GetFinding	Metadata
access-analyzer:GetGeneratedPolicy	Metadata
access-analyzer:ListAccessPreviewFindings	Metadata
access-analyzer:ListAccessPreviews	Metadata
access-analyzer:ListAnalyzedResources	Metadata
access-analyzer:ListAnalyzers	Metadata
access-analyzer:ListArchiveRules	Metadata
access-analyzer:ListFindings	Metadata
access-analyzer:ListPolicyGenerations	Metadata
access-analyzer:ListTagsForResource	Metadata
access-analyzer:StartPolicyGeneration	Owner
access-analyzer:StartResourceScan	Owner
access-analyzer:TagResource	Operator
access-analyzer:UntagResource	Operator
access-analyzer:UpdateArchiveRule	Owner
access-analyzer:UpdateFindings	Owner
access-analyzer:ValidatePolicy	Operator
iam:AddClientIDToOpenIDConnectProvider	None	OpenID is not used in Guardrails accounts.
iam:AddRoleToInstanceProfile	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:AddUserToGroup	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:AttachGroupPolicy	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:AttachRolePolicy	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:AttachUserPolicy	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:ChangePassword	None	Users are not allowed to change their own password. Owners may change passwords for users through *LoginProfile permissions.
iam:CreateAccessKey	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:CreateAccountAlias	Owner	Owners can manage the AWS account alias.
iam:CreateGroup	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:CreateInstanceProfile	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:CreateLoginProfile	Whitelist	Optionally Owners can create passwords for custom users. Management of Guardrails users is explicitly denied.
iam:CreateOpenIDConnectProvider	None	OpenID is not used in Guardrails accounts.
iam:CreatePolicy	Owner	Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:CreatePolicyVersion	Owner	Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:CreateRole	Owner	Owners can create custom roles.
iam:CreateSAMLProvider	Owner	SAML is not used in Guardrails accounts.
iam:CreateServiceLinkedRole	Owner	Owner can manage service-linked roles.
iam:CreateServiceSpecificCredential	Owner
iam:CreateUser	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:CreateVirtualMFADevice	Owner	Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:DeactivateMFADevice	Owner	Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:DeleteAccessKey	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:DeleteAccountAlias	Owner	Owners can manage the AWS account alias.
iam:DeleteAccountPasswordPolicy	Owner
iam:DeleteGroup	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:DeleteGroupPolicy	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:DeleteInstanceProfile	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:DeleteLoginProfile	Whitelist	Optionally Owners can manage passwords for custom users. Management of Guardrails users is explicitly denied. Deletion of the login profile is always allowed so user deletion in the IAM console works.
iam:DeleteOpenIDConnectProvider	None	OpenID is not used in Guardrails accounts.
iam:DeletePolicy	Owner	Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:DeletePolicyVersion	Owner	Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:DeleteRole	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:DeleteRolePermissionsBoundary	Owner	Owners can delete permission boundary.
iam:DeleteRolePolicy	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:DeleteSAMLProvider	Owner	SAML is not used in Guardrails accounts.
iam:DeleteSSHPublicKey	Owner	Users may be granted permission to manage SSH public keys by other services (e.g. CodeCommit).
iam:DeleteServerCertificate	Owner	Owners can manage server certificates. Users are also granted permission to manage server certs by other services (e.g. ELB).
iam:DeleteServiceLinkedRole	Owner
iam:DeleteServiceSpecificCredential	Owner
iam:DeleteSigningCertificate	None	SOAP is deprecated by AWS and not supported by Guardrails.
iam:DeleteUser	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:DeleteUserPermissionsBoundary	Owner
iam:DeleteUserPermissionsBoundary	Owner	Owners can delete permission boundary.
iam:DeleteUserPolicy	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:DeleteVirtualMFADevice	Owner	Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:DetachGroupPolicy	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:DetachRolePolicy	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:DetachUserPolicy	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:EnableMFADevice	Owner	Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:GenerateCredentialReport	Metadata
iam:GenerateOrganizationsAccessReport	Owner
iam:GenerateServiceLastAccessedDetails	Metadata
iam:GetAccessKeyLastUsed	Metadata
iam:GetAccountAuthorizationDetails	Metadata
iam:GetAccountPasswordPolicy	Metadata
iam:GetAccountSummary	Metadata
iam:GetContextKeysForCustomPolicy	Metadata
iam:GetContextKeysForPrincipalPolicy	Metadata
iam:GetCredentialReport	Metadata
iam:GetGroup	Metadata
iam:GetGroupPolicy	Metadata
iam:GetInstanceProfile	Metadata
iam:GetLoginProfile	Metadata
iam:GetOpenIDConnectProvider	Metadata
iam:GetOrganizationsAccessReport	Metadata
iam:GetPolicy	Metadata
iam:GetPolicyVersion	Metadata
iam:GetRole	Metadata
iam:GetRolePolicy	Metadata
iam:GetSAMLProvider	Metadata
iam:GetSSHPublicKey	Metadata
iam:GetServerCertificate	Metadata
iam:GetServiceLastAccessedDetails	Metadata
iam:GetServiceLastAccessedDetailsWithEntities	Metadata
iam:GetServiceLinkedRoleDeletionStatus	Metadata
iam:GetUser	Metadata
iam:GetUserPolicy	Metadata
iam:ListAccessKeys	Metadata
iam:ListAccountAliases	Metadata
iam:ListAttachedGroupPolicies	Metadata
iam:ListAttachedRolePolicies	Metadata
iam:ListAttachedUserPolicies	Metadata
iam:ListEntitiesForPolicy	Metadata
iam:ListGroupPolicies	Metadata
iam:ListGroups	Metadata
iam:ListGroupsForUser	Metadata
iam:ListInstanceProfileTags	Metadata
iam:ListInstanceProfiles	Metadata
iam:ListInstanceProfilesForRole	Metadata
iam:ListMFADeviceTags	Metadata
iam:ListMFADevices	Metadata
iam:ListOpenIDConnectProviderTags	Metadata
iam:ListOpenIDConnectProviders	Metadata
iam:ListPolicies	Metadata
iam:ListPoliciesGrantingServiceAccess	Metadata
iam:ListPolicyTags	Metadata
iam:ListPolicyVersions	Metadata
iam:ListRolePolicies	Metadata
iam:ListRoleTags	Metadata	Lists the tags on an IAM user.
iam:ListRoles	Metadata
iam:ListSAMLProviderTags	Metadata
iam:ListSAMLProviders	Metadata
iam:ListSSHPublicKeys	Metadata
iam:ListServerCertificateTags	Metadata
iam:ListServerCertificates	Metadata
iam:ListServiceSpecificCredentials	Metadata
iam:ListSigningCertificates	Metadata
iam:ListUserPolicies	Metadata
iam:ListUserTags	Metadata	Lists the tags on an IAM role.
iam:ListUsers	Metadata
iam:ListVirtualMFADevices	Metadata
iam:PassRole	Owner	Owner needs PassRole to allow creation of IAM roles for EC2. This also whitelists it for others to be granted specifically by services. PassRole for Guardrails roles is explicitly denied.
iam:PutGroupPolicy	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:PutRolePermissionsBoundary	Owner	Owners can add permission boundary.
iam:PutRolePolicy	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:PutUserPermissionsBoundary	Owner	Owners can add permission boundary.
iam:PutUserPolicy	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:RemoveClientIDFromOpenIDConnectProvider	None	OpenID is not used in Guardrails accounts.
iam:RemoveRoleFromInstanceProfile	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:RemoveUserFromGroup	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:ResetServiceSpecificCredential	Owner
iam:ResyncMFADevice	Owner	Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied.
iam:SetDefaultPolicyVersion	Owner	Owners can manage custom policies. Management of Guardrails policies is explicitly denied.
iam:SetSecurityTokenServicePreferences	Owner
iam:SimulateCustomPolicy	Metadata	Allow users to simulate and investigate IAM permssions. This does allow access to view permissions of other users.
iam:SimulatePrincipalPolicy	Metadata	Allow users to simulate and investigate IAM permssions. This does allow access to view permissions of other users.
iam:TagInstanceProfile	Operator
iam:TagMFADevice	Operator
iam:TagOpenIDConnectProvider	Operator
iam:TagPolicy	Operator
iam:TagRole	Operator	Creates or modifies the tags on an IAM user.
iam:TagSAMLProvider	Operator
iam:TagServerCertificate	Operator
iam:TagUser	Operator	Creates or modifies the tags on an IAM role.
iam:UntagInstanceProfile	Operator
iam:UntagMFADevice	Operator
iam:UntagOpenIDConnectProvider	Operator
iam:UntagPolicy	Operator
iam:UntagRole	Operator	Removes the tags on an IAM user.
iam:UntagSAMLProvider	Operator
iam:UntagServerCertificate	Operator
iam:UntagUser	Operator	Removes the tags on an IAM role.
iam:UpdateAccessKey	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:UpdateAccountPasswordPolicy	Owner
iam:UpdateAssumeRolePolicy	Owner	Owners can manage custom roles. Management of Guardrails roles is explicitly denied.
iam:UpdateGroup	Owner	Owners can manage custom groups. Management of Guardrails groups is explicitly denied.
iam:UpdateLoginProfile	Whitelist	Optionally Owners can change passwords for custom users. Guardrails users are explicitly denied from managing passwords.
iam:UpdateOpenIDConnectProviderThumbprint	None	OpenID is not used in Guardrails accounts.
iam:UpdateRole	Owner	Updates the description or maximum session duration setting of a role.
iam:UpdateRoleDescription	Owner	Owners can modify the description of a role.
iam:UpdateSAMLProvider	Owner	SAML is not used in Guardrails accounts.
iam:UpdateSSHPublicKey	Owner	Owners can manage SSH public keys. Users may be granted permission to manage SSH public keys by other services (e.g. CodeCommit).
iam:UpdateServerCertificate	Owner	Owners can manage server certificates. Users are also granted permission to manage server certs by other services (e.g. ELB).
iam:UpdateServiceSpecificCredential	Owner
iam:UpdateSigningCertificate	None	SOAP is deprecated by AWS and not supported by Guardrails.
iam:UpdateUser	Whitelist	Owners can manage custom users. Management of Guardrails users is explicitly denied.
iam:UploadSSHPublicKey	Owner	Owners can manage SSH public keys. Users may be granted permission to manage SSH public keys by other services (e.g. CodeCommit).
iam:UploadServerCertificate	Owner	Owners can manage server certificates. Users are also granted permission to manage server certs by other services (e.g. ELB).
iam:UploadSigningCertificate	None	SOAP is deprecated by AWS and not supported by Guardrails.
organizations:DescribeOrganization	Metadata
sts:AssumeRole	Operator	Assuming Guardrails roles (determined by path) is explicitly denied.
sts:AssumeRoleWithSAML	Operator	Assuming Guardrails roles (determined by path) is explicitly denied.
sts:AssumeRoleWithWebIdentity	Operator	Assuming Guardrails roles (determined by path) is explicitly denied.
sts:DecodeAuthorizationMessage	Metadata	Users with access to Metadata are granted the ability to decode any authorization failure messages they receive. This aids troubleshooting and is appropriate given they already have access at a Metadata level.

Learn More About Guardrails

Recommended Version

Version

5.32.0

Released On

Sep 11, 2023

Depends On

@turbot/aws ^5.0.0
@turbot/turbot ^5.22.0
@turbot/turbot-iam ^5.1.0

Resource Types

Control Types

Policy Types

Release Notes

5.32.0 (2023-09-11)

Control Types

Added

AWS > IAM > User > Login Profile

Policy Types

Added

AWS > IAM > User > Login Profile

Action Types

Added

AWS > IAM > User > Delete Login Profile

5.31.2 (2023-09-07)

Bug fixes

A few policy values would sometimes fail to evaluate correctly if the mod was installed on TE v5.42.1. We've fixed this issue and such policy values will now be evaluated correctly.

5.31.1 (2023-08-11)

Bug fixes

Turbot stack controls would sometimes fail to update IAM policies and Role Policy Attachments if the Terraform plan in the stack's source policy was updated to rename a policy or change a policy's description. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.0 or higher.
We've removed support for the now retired aws-portal:* permissions. Things will continue to work smoothly as before.

5.31.0 (2023-08-03)

What's new?

Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.

Policy Types

Added

AWS > IAM > Role > Active > Quarantine Policy Name
AWS > IAM > Role > Approved > Quarantine Policy Name

Action Types

Added

AWS > IAM > Role > Attach Inline Policy
AWS > IAM > Role > Attach Quarantine policy
AWS > IAM > Role > Attach Quarantine policy
AWS > IAM > Role > Detach Quarantine policy
AWS > IAM > Role > Detach Quarantine policy

5.30.0 (2023-07-13)

Bug fixes

We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Policy Types

Added

AWS > IAM > User > Active > Recently Used

5.29.0 (2023-06-30)

What's new?

We've added the new fine-grained account:*, consolidatedbilling:*, billing:*, freetier:*, invoicing:*, payments:*, and tax:* permissions which are replacing the existing aws-portal:* permissions soon. Things will continue to work smoothly as before.

5.28.0 (2023-06-16)

What's new?

Resource's metadata will now also include createdBy details in Turbot CMDB.

5.27.1 (2023-05-03)

What's new?

Added support for iam:CreateAccountAlias and iam:DeleteAccountAlias real-time events.

5.27.0 (2023-04-06)

What's new?

Added support for aws_iam_policy_document Terraform resource for AWS > IAM > Policy.

Bug fixes

We've updated the runtime of the lambda functions to node 16. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

5.26.6 (2023-03-23)

Bug fixes

The AWS > IAM > User > Turbot Access Key > Rotation control would fail to rotate the Turbot Access Key correctly after x days if the AWS > IAM > User > Turbot Access Key > Rotation policy was set to Enforce: x day(s). This is now fixed.

5.26.5 (2023-02-02)

Bug fixes

In v5.26.4, we fixed an issue where Turbot would incorrectly upsert Role Policy Attachments via real-time create event when the AWS > IAM > Role > Role Policy Attachments > CMDB was set to Enforce: Disabled. Turns out that the fix did not cover all cases of how the Role Policy Attachments could be upserted incorrectly in Turbot. We've now taken care of all such cases and will not upsert Role Policy Attachments into Turbot CMDB via real-time create event if the CMDB policy is set to Skip or Enforce: Disabled.

5.26.4 (2023-01-11)

Bug fixes

Turbot would incorrectly upsert Role Policy Attachments via real-time create event when the AWS > IAM > Role > Role Policy Attachments > CMDB was set to Enforce: Disabled. The resource eventually got deleted from Turbot via the AWS > IAM > Role > Role Policy Attachments > CMDB control but this create-delete step was unnecessary. We've now handled this better and will not upsert the resource into Turbot CMDB via real-time create event if the CMDB policy is set to Skip or Enforce: Disabled.

5.26.3 (2022-12-20)

Bug fixes

The AWS > IAM > Role > Policy > Trusted Access control would go into an error state due to a mishandled internal variable. This is fixed and the control will work as expected.

5.26.2 (2022-12-13)

Bug fixes

Previously, for any missing Inline Policies or Policy Attachments in Turbot, we would overlook and not process any of the real-time update events for such resources. From now on, for any such update event, we will try and discover all missing resources and upsert them into Turbot CMDB to allow users to manage their resources more reliably and consistently than before.

5.26.1 (2022-09-27)

Bug fixes

We’ve made a few GraphQL query improvements in the AWS > IAM > Root controls to be lighter and more reliable. You won’t notice any difference but things will now run quicker and smoother than before.

5.26.0 (2022-07-18)

What's new?

Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
Users can now also delete existing Groups, Roles and Users regardless of their creation date. To get started, set the corresponding approved policy to Enforce: Delete unapproved.

Bug fixes

On a rare instance, the AWS > IAM > Role > CMDB control would not fetch the partition value of the account from the AWS > Account > Partition policy correctly and thus would move to an Invalid state. All bases are now covered to fetch the partition value correctly and the control will now work as expected.

Action Types

Added

AWS > IAM > Access Analyzer > Delete from AWS
AWS > IAM > Access Analyzer > Set Tags
AWS > IAM > Access Analyzer > Skip alarm for Active control
AWS > IAM > Access Analyzer > Skip alarm for Active control [90 days]
AWS > IAM > Access Analyzer > Skip alarm for Approved control
AWS > IAM > Access Analyzer > Skip alarm for Approved control [90 days]
AWS > IAM > Access Analyzer > Skip alarm for Tags control
AWS > IAM > Access Analyzer > Skip alarm for Tags control [90 days]
AWS > IAM > Access Key > Delete from AWS
AWS > IAM > Access Key > Skip alarm for Active control
AWS > IAM > Access Key > Skip alarm for Active control [90 days]
AWS > IAM > Group > Delete from AWS
AWS > IAM > Group > Inline Policy > Delete from AWS
AWS > IAM > Group > Inline Policy > Skip alarm for Approved control
AWS > IAM > Group > Inline Policy > Skip alarm for Approved control [90 days]
AWS > IAM > Group > Skip alarm for Active control
AWS > IAM > Group > Skip alarm for Active control [90 days]
AWS > IAM > Group > Skip alarm for Approved control
AWS > IAM > Group > Skip alarm for Approved control [90 days]
AWS > IAM > OpenID Connect > Delete from AWS
AWS > IAM > OpenID Connect > Set Tags
AWS > IAM > OpenID Connect > Skip alarm for Active control
AWS > IAM > OpenID Connect > Skip alarm for Active control [90 days]
AWS > IAM > OpenID Connect > Skip alarm for Approved control
AWS > IAM > OpenID Connect > Skip alarm for Approved control [90 days]
AWS > IAM > OpenID Connect > Skip alarm for Tags control
AWS > IAM > OpenID Connect > Skip alarm for Tags control [90 days]
AWS > IAM > Policy > Delete from AWS
AWS > IAM > Policy > Skip alarm for Active control
AWS > IAM > Policy > Skip alarm for Active control [90 days]
AWS > IAM > Policy > Skip alarm for Approved control
AWS > IAM > Policy > Skip alarm for Approved control [90 days]
AWS > IAM > Role > Delete from AWS
AWS > IAM > Role > Inline Policy > Delete from AWS
AWS > IAM > Role > Inline Policy > Skip alarm for Approved control
AWS > IAM > Role > Inline Policy > Skip alarm for Approved control [90 days]
AWS > IAM > Role > Set Tags
AWS > IAM > Role > Skip alarm for Active control
AWS > IAM > Role > Skip alarm for Active control [90 days]
AWS > IAM > Role > Skip alarm for Approved control
AWS > IAM > Role > Skip alarm for Approved control [90 days]
AWS > IAM > Role > Skip alarm for Tags control
AWS > IAM > Role > Skip alarm for Tags control [90 days]
AWS > IAM > Server Certificate > Delete from AWS
AWS > IAM > Server Certificate > Set Tags
AWS > IAM > Server Certificate > Skip alarm for Active control
AWS > IAM > Server Certificate > Skip alarm for Active control [90 days]
AWS > IAM > Server Certificate > Skip alarm for Approved control
AWS > IAM > Server Certificate > Skip alarm for Approved control [90 days]
AWS > IAM > Server Certificate > Skip alarm for Tags control
AWS > IAM > Server Certificate > Skip alarm for Tags control [90 days]
AWS > IAM > User > Delete from AWS
AWS > IAM > User > Inline Policy > Delete from AWS
AWS > IAM > User > Inline Policy > Skip alarm for Approved control
AWS > IAM > User > Inline Policy > Skip alarm for Approved control [90 days]
AWS > IAM > User > Set Tags
AWS > IAM > User > Skip alarm for Active control
AWS > IAM > User > Skip alarm for Active control [90 days]
AWS > IAM > User > Skip alarm for Approved control
AWS > IAM > User > Skip alarm for Approved control [90 days]
AWS > IAM > User > Skip alarm for Tags control
AWS > IAM > User > Skip alarm for Tags control [90 days]

5.25.0 (2022-06-08)

Control Types

Added

AWS > IAM > Access Analyzer > Configured

Policy Types

Added

AWS > IAM > Access Analyzer > Configured
AWS > IAM > Access Analyzer > Configured > Claim Precedence
AWS > IAM > Access Analyzer > Configured > Source

5.24.0 (2022-05-05)

Resource Types

Added

AWS > IAM > OpenID Connect

Control Types

Added

AWS > IAM > OpenID Connect > Active
AWS > IAM > OpenID Connect > Approved
AWS > IAM > OpenID Connect > CMDB
AWS > IAM > OpenID Connect > Configured
AWS > IAM > OpenID Connect > Discovery
AWS > IAM > OpenID Connect > Tags
AWS > IAM > OpenID Connect > Usage

Policy Types

Added

AWS > IAM > OpenID Connect > Active
AWS > IAM > OpenID Connect > Active > Age
AWS > IAM > OpenID Connect > Active > Last Modified
AWS > IAM > OpenID Connect > Approved
AWS > IAM > OpenID Connect > Approved > Custom
AWS > IAM > OpenID Connect > Approved > Usage
AWS > IAM > OpenID Connect > CMDB
AWS > IAM > OpenID Connect > Configured
AWS > IAM > OpenID Connect > Configured > Claim Precedence
AWS > IAM > OpenID Connect > Configured > Source
AWS > IAM > OpenID Connect > Tags
AWS > IAM > OpenID Connect > Tags > Template
AWS > IAM > OpenID Connect > Usage
AWS > IAM > OpenID Connect > Usage > Limit
AWS > IAM > Role > Active > Recently Used
AWS > Turbot > Permissions > Custom Levels [Folder]

Action Types

Added

AWS > IAM > OpenID Connect > Delete
AWS > IAM > OpenID Connect > Router
AWS > IAM > OpenID Connect > Update Tags

5.23.2 (2022-05-02)

Bug fixes

The AWS > IAM > User > Turbot Access Key > Rotation control would stay in a TBD state if there were no access keys available for the user in Turbot CMDB and the AWS > IAM > User > Turbot Access Key policy was not set. If in TBD, the control will now re-run and move to its intended state correctly.

5.23.1 (2022-04-29)

Bug fixes

The AWS > IAM > User > Turbot Access Key > Rotation control would sometimes create 2 access keys for users inadvertently if the AWS > IAM > User > Turbot Access Key policy was not set by the time the 1st key was created and upserted in Turbot. The control will now wait a few minutes to realize the policy setting for Turbot Access Key and prevent the creation of a 2nd access key.

5.23.0 (2022-04-18)

What's new?

The AWS > Turbot > IAM stack would remove user group memberships for users managed by Turbot when they were attached to groups created outside of Turbot. You can now also manage user group memberships non-exclusively via Turbot. To get started, set the AWS > Turbot > Permissions > User > Group Membership Mode policy.

Policy Types

Added

AWS > Turbot > Permissions > User > Group Membership Mode

5.22.4 (2022-03-29)

Bug fixes

The AWS > Turbot > IAM stack would sometimes incorrectly delete resources if the AWS > Turbot > Permissions policy was switched from Skip to Enforce: User Mode or Enforce: Role Mode and the AWS > Turbot > Permissions > Source policy was empty. This is fixed and the stack will now not attempt to destroy any resources until the source policy is evaluated correctly.

5.22.3 (2022-03-25)

Bug fixes

The AWS > IAM > Role > Policy Attachments > Approved > Compiled Rules policy was evaluated incorrectly if the AWS > IAM > Role > Policy Attachments > Required > Items policy included a list of IAM policies. This is now fixed.

5.22.2 (2022-02-18)

Bug fixes

The AWS > IAM > Group > Approved control would go into an error state for Turbot managed groups if the AWS > IAM > Group > Approved policy was set to check or enforce mode and the AWS > IAM > Group > Approved > Turbot policy was set to Force Approved for Turbot Group. This is fixed and groups will now be Approved for such cases.

5.22.1 (2022-02-17)

Bug fixes

The AWS > IAM > User > Group Membership > CMDB control would go into an error state if the user's group membership was revoked. This is fixed and the group membership will now be deleted from Turbot for such cases.

5.22.0 (2022-02-11)

What's new?

Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.

Bug fixes

The AWS > Turbot > Permissions > Source policy would not evaluate correctly if the number of AWS > IAM > Login User Names exceeded 300. This is now fixed.
The AWS > Turbot > IAM stack will now not create any service level roles and their role policy attachments if the AWS > Turbot > Permissions policy for an account is set to Enforce: User Mode. This will greatly reduce the number of unnecessary resources that Turbot creates and manages via the stack, and the stack will now run lighter and more reliably than before.
We've improved the process of deleting resources from Turbot if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.

Policy Types

Added

AWS > IAM > Access Analyzer > Approved > Custom
AWS > IAM > Group > Approved > Custom
AWS > IAM > Group > Inline Policy > Approved > Custom
AWS > IAM > Policy > Approved > Custom
AWS > IAM > Role > Approved > Custom
AWS > IAM > Role > Inline Policy > Approved > Custom
AWS > IAM > Server Certificate > Approved > Custom
AWS > IAM > User > Approved > Custom
AWS > IAM > User > Inline Policy > Approved > Custom

5.21.0 (2022-01-12)

What's new?

AWS/IAM/Owner, AWS/IAM/Operator and AWS/IAM/Metadata now include permissions for Access-Analyzer Policy Generation and tagging permissions for Instance Profile, MFADevice, Policy, OpenIDConnectProvider and SAMLProvider.

Bug fixes

We've made some improvements to the AWS > Turbot > Permissions > Source policy. There is no noticeable difference and things will continue to run smoothly as expected.

5.20.3 (2021-11-11)

Bug fixes

We've improved the control table's messages for the AWS > IAM > Account Password Policy control to be more precise and helpful. Previously, to understand why one of these controls is in Alarm state, you would need to find the current password policy settings from the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.20.2 (2021-10-27)

Bug fixes

The AWS > IAM > Account Password Policy > Settings control would sometimes incorrectly evaluate the outcome for HardExpiry when the AWS > IAM > Account Password Policy > Settings > Hard Expiry policy was set to Disabled. This is now fixed.
In v5.8.0, we deprecated the AWS > IAM > Role > Trust Relationship Statements > Approved control and its policies in favour of the new AWS > IAM > Role > Policy > Trusted Access > Approved control; however, because the AWS > IAM > Role > Trust Relationship Statements > Approved > Rules policy adds Object Control List (OCL) functionality not available in the AWS > IAM > Role > Policy > Trusted Access > Approved control, this policy is still useful.
The AWS > IAM > Role > Trust Relationship Statements > Approved control, and the AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules and AWS > IAM > Role > Trust Relationship Statements > Approved > Rules policies are no longer considered deprecated and are available for use again.

Control Types

Renamed

AWS > IAM > Role > Trust Relationship Statements [Deprecated] to AWS > IAM > Role > Trust Relationship Statements
AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved

Policy Types

Renamed

AWS > IAM > Role > Trust Relationship Statements [Deprecated] to AWS > IAM > Role > Trust Relationship Statements
AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved
AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Compiled Rules [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules
AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Rules
AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Accounts [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts [Deprecated]
AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Identity Providers [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Identity Providers [Deprecated]
AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Services [Deprecated] to AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Services [Deprecated]

5.20.1 (2021-09-30)

Bug fixes

The AWS > IAM > Account Summary > CMDB control will now re-run every 24 hours to fetch the latest account summary details.

5.20.0 (2021-09-23)

What's new?

Users can now deactivate access keys from the AWS > IAM > Access Key > Active control. To get started, set the AWS > IAM > Active > Active policy to Enforce: Deactivate inactive with x days warning.

Action Types

Added

AWS > IAM > Access Key > Deactivate

5.19.2 (2021-09-17)

Bug fixes

In v5.18.0, we updated the AWS > Turbot > Permissions > Terraform Version policy value to 0.15.*. Due to this update, the AWS > Turbot > IAM control would sometimes go into an error state if the AWS > Turbot > Permissions policy was set to Enforce: User Mode. We've reverted this change temporarily, and the AWS > Turbot > Permissions > Terraform Version policy value is now set to 0.11.* to reduce the possibility of errors.

5.19.1 (2021-09-07)

Bug fixes

The AWS > IAM > Policy > Statements > Approved control would incorrectly go into an Invalid state if all statements in the policy were evaluated to be rejected and the AWS > IAM > Policy > Statements > Approved policy was set to Check: Approved. This is fixed and the control will now move into an Alarm state for such cases.

5.19.0 (2021-09-03)

Resource Types

Added

AWS > IAM > Access Analyzer
AWS > IAM > Server Certificate

Control Types

Added

AWS > IAM > Access Analyzer > Active
AWS > IAM > Access Analyzer > Approved
AWS > IAM > Access Analyzer > CMDB
AWS > IAM > Access Analyzer > Discovery
AWS > IAM > Access Analyzer > Tags
AWS > IAM > Server Certificate > Active
AWS > IAM > Server Certificate > Approved
AWS > IAM > Server Certificate > CMDB
AWS > IAM > Server Certificate > Discovery
AWS > IAM > Server Certificate > Tags
AWS > IAM > Server Certificate > Usage

Policy Types

Added

AWS > IAM > Access Analyzer > Active
AWS > IAM > Access Analyzer > Active > Age
AWS > IAM > Access Analyzer > Active > Last Modified
AWS > IAM > Access Analyzer > Approved
AWS > IAM > Access Analyzer > Approved > Regions
AWS > IAM > Access Analyzer > Approved > Usage
AWS > IAM > Access Analyzer > CMDB
AWS > IAM > Access Analyzer > Regions
AWS > IAM > Access Analyzer > Tags
AWS > IAM > Access Analyzer > Tags > Template
AWS > IAM > Server Certificate > Active
AWS > IAM > Server Certificate > Active > Age
AWS > IAM > Server Certificate > Active > Last Modified
AWS > IAM > Server Certificate > Approved
AWS > IAM > Server Certificate > Approved > Usage
AWS > IAM > Server Certificate > CMDB
AWS > IAM > Server Certificate > Tags
AWS > IAM > Server Certificate > Tags > Template
AWS > IAM > Server Certificate > Usage
AWS > IAM > Server Certificate > Usage > Limit

Action Types

Added

AWS > IAM > Access Analyzer > Delete
AWS > IAM > Access Analyzer > Router
AWS > IAM > Access Analyzer > Update Tags
AWS > IAM > Server Certificate > Delete
AWS > IAM > Server Certificate > Router
AWS > IAM > Server Certificate > Update Tags

5.18.0 (2021-07-28)

What's new?

The AWS > Turbot > Permissions > Terraform Version policy will now be set to 0.15.* by default for workspaces on TE v5.37.7 or higher. For workspaces on TE versions lower than 5.37.7, the policy will remain set to 0.11.* by default.

5.17.0 (2021-07-23)

Policy Types

Added

AWS > Turbot > Permissions > Role > Session Timeout
AWS > Turbot > Permissions > User > Access Keys Enabled
AWS > Turbot > Permissions > User > Session Timeout

5.16.0 (2021-07-22)

What's new?

AWS/IAM/Metadata now includes cost explorer permissions.

Bug fixes

The AWS > IAM > Role > Policy > Trusted Access control incorrectly evaluated a policy statement if the statement's Principal was a Federated user and the AWS > IAM > Role > Policy > Trusted Access > Identity Providers policy was set to *. This is now fixed.
The trusted access control also didn't evaluate a policy statement as expected if the statement included an empty Condition. This is also fixed.

5.15.0 (2021-07-08)

What's new?

In a previous version, we added the ability to delete and stop tracking changes to group inline policies and group policy attachments in Turbot CMDB. We've now added this ability across all IAM resource types to help you manage IAM resources better.
We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.14.0 (2021-07-06)

What's new?

Users can now delete and stop tracking changes to group inline policies and group policy attachments in Turbot CMDB by setting the AWS > IAM > Group > Inline Policy > CMDB and AWS > IAM > Group > Group Policy Attachments > CMDB policies to Enforce: Disabled respectively.
The AWS > Turbot > IAM control will now use the AWS > Turbot > Permissions > Terraform Version policy instead of Turbot > Stack Terraform Version [Default] policy to configure resources. The AWS > Turbot > Permissions > Terraform Version policy is read-only and by default set to 0.11.* as it's managed by Turbot.
We've updated the AWS > Turbot > Permissions > Source policy to be read-only as it's managed by Turbot.

Policy Types

Added

AWS > Turbot > Permissions > Terraform Version

5.13.0 (2021-06-25)

What's new?

AWS/IAM/Owner now includes service specific credential and SAML provider permissions.
AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-iam policy now includes access-analyzer:*.

5.12.0 (2021-06-18)

What's new?

IAM user mode is now available to use for permission management in AWS accounts. User mode is another way to manage permissions in an AWS account, with role mode being the primary way today. Instead of using IAM roles, user mode uses IAM users and groups to grant users access to AWS accounts.
We recommend using role mode unless you have a specific requirement to use IAM users and groups.
To get started with user mode, set the policy AWS > Turbot > Permissions to Enforce: User Mode.

Control Types

Added

AWS > IAM > User > Turbot Access Key
AWS > IAM > User > Turbot Access Key > Rotation

Policy Types

Added

AWS > IAM > User > Turbot Access Key
AWS > IAM > User > Turbot Access Key > Rotation
AWS > IAM > User > Turbot Secret Access Key
AWS > Turbot > Permissions > User Boundary

Removed

AWS > Turbot > Permissions > User > Name Prefix

Action Types

Added

AWS > IAM > User > Create or Rotate Turbot Access Key

5.11.3 (2021-06-07)

Bug fixes

The ResponseMetadata.RequestId property for AWS > IAM > User has now been made dynamic to avoid unnecessary notifications in the activity tab.

5.11.2 (2021-05-17)

Bug fixes

The AWS > IAM > Credential Report > CMDB control sometimes wouldn't run at a six-hour interval on a consistent basis. This is now fixed.

5.11.1 (2021-04-16)

Bug fixes

We've made some changes that are too small to notice or too difficult to explain. Everything will continue to run smoothly and as expected.

5.11.0 (2021-04-08)

What's new?

Permissions for IAM access analyzers will now also be managed under the AWS > IAM > Enabled policy. To get started, set this policy to Enabled.

Bug fixes

We’ve made a few improvements in the GraphQL queries for various controls, policies, and actions. You won’t notice any difference, but things should run lighter and quicker than before.

5.10.0 (2021-02-23)

What's new?

We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.9.0 (2021-02-05)

Bug fixes

We have decreased the frequency of how often the AWS > IAM > Credential Report > CMDB control runs from every 4 hours to every 6 hours to better avoid throttling errors when attempting to generate the credential report.

Control Types

Added

AWS > IAM > Stack

Policy Types

Added

AWS > IAM > Stack
AWS > IAM > Stack > Secret Variables
AWS > IAM > Stack > Source
AWS > IAM > Stack > Terraform Version
AWS > IAM > Stack > Variables

5.8.3 (2021-01-28)

Bug fixes

The AWS > IAM > Policy > CMDB control would fail to update when a policy was attached to or detached from a group, user or a role. This is now fixed.

5.8.2 (2021-01-13)

Bug fixes

The AWS > IAM > Policy > Statements > Approved control would sometimes go into error if there was only one statement in the IAM policy. This has been fixed.
We've also improved the logging in the AWS > IAM > Policy > Statements > Approved control to better handle policies with a large number of statements to prevent the control from moving to error state.
The language in the details table for the AWS > IAM > Account Password Policy > Settings control has been updated to be more clear when the control is in alarm.

Action Types

Added

AWS > IAM > Policy > Create Version

Removed

AWS > IAM > Policy > Update Statements

5.8.1 (2020-12-22)

What's new?

The AWS > IAM > Account Password Policy > Settings control will now display the result for each password policy item in the control data to easily identify which items passed/failed.

Bug fixes

Controls run faster now when in the tbd and skipped states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.

5.8.0 (2020-12-11)

Warning

The AWS > IAM > Role > Trust Relationship Statements > Approved control has been deprecated and replaced by the AWS > IAM > Role > Policy > Trusted Access > Approved control. In the next major version (v6.0.0), the AWS > IAM > Role > Trust Relationship Statements control will be removed.

Please note that a key difference between these controls is that the new AWS > IAM > Role > Policy > Trusted Access > Approved control will only check trust relationship policy statements that grant access with "Effect": "Allow", so statements with "Effect": "Deny" will not be checked.

We recommend that you migrate any AWS > IAM > Role > Trust Relationship Statements > Approved policy settings currently set in your workspace to instead use the new AWS > IAM > Role > Policy > Trusted Access policies based on the mappings below:

Old Policy	New Policy
AWS > IAM > Role > Trust Relationship Statements	AWS > IAM > Role > Policy > Trusted Access
AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts	AWS > IAM > Role > Policy > Trusted Access > Accounts
AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Identity Providers	AWS > IAM > Role > Policy > Trusted Access > Identity Providers
AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Services	AWS > IAM > Role > Policy > Trusted Access > Services
AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules	N/A
AWS > IAM > Role > Trust Relationship Statements > Approved > Rules	N/A
N/A	AWS > IAM > Role > Policy > Trusted Access > Organization Restrictions

Bug fixes

The AWS > IAM > User > Discovery and AWS > IAM > Policy > Discovery controls would go into an error state if the resources had alphanumeric characters in their name. This is now fixed.

Control Types

Added

AWS > IAM > Role > Policy
AWS > IAM > Role > Policy > Trusted Access

Renamed

AWS > IAM > Role > Trust Relationship Statements to AWS > IAM > Role > Trust Relationship Statements [Deprecated]
AWS > IAM > Role > Trust Relationship Statements > Approved to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated]

Policy Types

Added

AWS > IAM > Role > Policy
AWS > IAM > Role > Policy > Trusted Access
AWS > IAM > Role > Policy > Trusted Access > Accounts
AWS > IAM > Role > Policy > Trusted Access > Identity Providers
AWS > IAM > Role > Policy > Trusted Access > Organization Restrictions
AWS > IAM > Role > Policy > Trusted Access > Services
AWS > IAM > Trusted Accounts [Default]
AWS > IAM > Trusted Identity Providers [Default]
AWS > IAM > Trusted Organizations [Default]
AWS > IAM > Trusted Services [Default]

Renamed

AWS > IAM > Role > Trust Relationship Statements to AWS > IAM > Role > Trust Relationship Statements [Deprecated]
AWS > IAM > Role > Trust Relationship Statements > Approved to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated]
AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Compiled Rules [Deprecated]
AWS > IAM > Role > Trust Relationship Statements > Approved > Rules to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated]
AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Accounts [Deprecated]
AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Identity Providers to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Identity Providers [Deprecated]
AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Services to AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Trusted Services [Deprecated]

Action Types

Added

AWS > IAM > Role > Set Policy Trusted Access

5.7.7 (2020-11-12)

Bug fixes

The inline policies and policy documents for AWS > IAM > Group > Inline Policy, AWS > IAM > Role > Inline Policy and AWS > IAM > User > Inline Policy resources will now be consistently sorted and stored in the CMDB.
We've removed the ResponseMetadata property from the CMDB data of role and group resources since it was getting updated unnecessarily.

5.7.6 (2020-11-06)

Bug fixes

The attached policies and inline policies for AWS > IAM > Group, AWS > IAM > Role, and AWS > IAM > User resources will now be consistently sorted and stored in the CMDB.

5.7.5 (2020-11-06)

Bug fixes

It turns out that the AWS > IAM > Role Policy Attachment activity tab would still show unnecessary reference errors whenever an IAM policy was attached to or detached from a role. This issue has now been fixed and things should run smoothly, as expected.

5.7.4 (2020-11-02)

Bug fixes

The AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts policy now accepts cloudfront as a valid value for easier matching of CloudFront origin access identity (OAI) ARNs.

5.7.3 (2020-10-30)

Bug fixes

The AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts policy now also accepts AWS account IDs as strings for more flexibility.
We've updated the AWS > IAM > Role > Trust Relationship Statements > Approved > Rules > Compiled Rules policy to be read-only as it's managed by Turbot.

5.7.2 (2020-10-23)

Bug fixes

We've improved a few queries for the AWS > IAM > Group > Policy Attachments > Required, AWS > IAM > Role > Policy Attachments > Required and AWS > IAM > User > Policy Attachments > Required controls. There's no noticeable difference, but things should run more smoothly now.

5.7.1 (2020-10-09)

Bug fixes

We have updated the descriptions for all of the AWS > IAM > Account Password Policy > Settings > * policies to include more information on each setting's purpose and its expected data type.

5.7.0 (2020-10-01)

What's new?

We've improved our event handling configuration and now filter which AWS events Turbot listens for based on resources' CMDB policies. If a resource's CMDB policy is not set to Enforce: Enabled, the EventBridge rules will be configured to not send any events for that resource. This will greatly reduce the number of unnecessary events that Turbot listens for and handles today.

Bug fixes

The AWS > IAM > Role Policy Attachment activity tab would show unnecessary reference errors whenever an IAM policy was attached to or detached from a role. This has now been fixed.

Policy Types

Added

AWS > IAM > Access Key > Active > Recently Used
AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-iam

Removed

AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-iam

5.6.8 (2020-09-10)

Bug fixes

The Enable password expiration days and Prevent password reuse properties when unchecked in the AWS console, were not updated properly in the AWS > IAM > Account Password Policy > CMDB data, resulting in AWS > CIS v1 > 1 Identity and Access Management > 1.10 Ensure IAM password policy prevents password reuse (Scored) control to be inconsistent. This is fixed and now AWS > CIS v1 > 1 Identity and Access Management > 1.10 Ensure IAM password policy prevents password reuse (Scored) control will work correctly.

5.6.7 (2020-08-28)

Bug fixes

Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.

5.6.6 (2020-08-13)

Bug fixes

The AssumeRolePolicyDocument field for role resources is now properly and consistently sorted.
In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.
AWS > IAM > Role > Policy Attachments > Required control will remain in the skipped state for AWS service roles.

5.6.5 (2020-07-28)

Bug fixes

The AWS > Turbot > Permissions > Compiled > Account Permissions and AWS > Turbot > Permissions > Source policies often timed out during calculation if all AWS mods were installed and enabled at once. This issue has now been fixed.

5.6.4 (2020-07-10)

Bug fixes

Updated various resource configurations to provide better compatibility with AWS China regions.

5.6.3 (2020-07-03)

Bug fixes

Sometimes when updating CMDB for resources with tags that have empty string values, e.g., [{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.

5.6.2 (2020-06-23)

Bug fixes

The AWS > IAM > Access Key > CMDB control was not properly deleting access keys from CMDB that no longer existed in AWS. This has been fixed.

5.6.1 (2020-06-19)

Bug fixes

Although the data validation errors, which appear in various CMDB and Discovery controls, are not blockers, they look ugly in the UI and should be cleaned up. These errors have now been fixed.

5.6.0 (2020-06-17)

Control Types

Added

AWS > IAM > Access Key > Usage

Policy Types

Added

AWS > IAM > Access Key > Usage
AWS > IAM > Access Key > Usage > Limit
AWS > IAM > Group > Active > Budget
AWS > IAM > Group > Approved > Budget
AWS > IAM > Tags Template [Default]

Renamed

AWS > IAM > Access Key > Configured > Precedence to AWS > IAM > Access Key > Configured > Claim Precedence
AWS > IAM > Account Password Policy > Configured > Precedence to AWS > IAM > Account Password Policy > Configured > Claim Precedence
AWS > IAM > Group > Configured > Precedence to AWS > IAM > Group > Configured > Claim Precedence
AWS > IAM > Group > Group Policy Attachments > Configured > Precedence to AWS > IAM > Group > Group Policy Attachments > Configured > Claim Precedence
AWS > IAM > Instance Profile > Configured > Precedence to AWS > IAM > Instance Profile > Configured > Claim Precedence
AWS > IAM > Policy > Configured > Precedence to AWS > IAM > Policy > Configured > Claim Precedence
AWS > IAM > Role > Configured > Precedence to AWS > IAM > Role > Configured > Claim Precedence
AWS > IAM > Role > Inline Policy > Configured > Precedence to AWS > IAM > Role > Inline Policy > Configured > Claim Precedence
AWS > IAM > Role > Role Policy Attachments > Configured > Precedence to AWS > IAM > Role > Role Policy Attachments > Configured > Claim Precedence
AWS > IAM > Root > Configured > Precedence to AWS > IAM > Root > Configured > Claim Precedence
AWS > IAM > User > Configured > Precedence to AWS > IAM > User > Configured > Claim Precedence
AWS > IAM > User > Group Memberships > Configured > Precedence to AWS > IAM > User > Group Memberships > Configured > Claim Precedence
AWS > IAM > User > User Policy Attachments > Configured > Precedence to AWS > IAM > User > User Policy Attachments > Configured > Claim Precedence

5.5.3 (2020-06-11)

Bug fixes

Updating the inline policies of user, group or role will automatically update the CMDB of the parent user, group or role respectively.

5.5.2 (2020-06-02)

Bug fixes

The credential report CMDB control would sometimes error out when attempting to generate a new credential report. This issue has now been fixed.

5.5.1 (2020-05-26)

Bug fixes

After updating a role's trust policy, the role's AKA would be incorrectly updated to no longer include the AWS account ID, e.g., arn:aws:iam:::role/my-role. This has been fixed and the updating a role's trust policy will no longer cause the role's AKA to become malformed. However, roles that have had their AKA modified will remain malformed, so in an upcoming version, a control will be added that fixes these AKAs automatically. As this control is not available yet, a workaround to fix these roles' AKAs today is to re-run their CMDB controls.

5.5.0 (2020-05-19)

What's new?

Support for policy values Enforce: User Mode and Check: User Mode has been temporarily withdrawn from AWS > Turbot > Permissions policy. Please note that the changes are backward compatible and it is not going to affect any previous policy settings.
AWS > Turbot > Permissions > Superuser Boundary policy when set to No Boundary disables the boundary policy settings on the superuser role. The change is supported in TE ^5.19.0
AWS > Turbot > Permissions > Lockdown > API Boundary allows you to define a list of APIs that will be allowed in the Turbot boundary policy. The change is supported in TE ^5.19.0

Bug fixes

AWS > IAM > Role > Boundary and AWS > IAM > User > Boundary controls will now remain in skipped state for Turbot managed roles and user instead of invalid state.
The AWS > IAM > Credential Report > CMDB control was not retrying properly if the credential report was in the middle of being created. This has been fixed.

Policy Types

Added

AWS > Turbot > Permissions > Lockdown > API Boundary
AWS > Turbot > Permissions > Superuser Boundary

5.4.2 (2020-05-08)

Bug fixes

After detaching a policy from a group, role, or user, the parent was not automatically updated with its current policy attachments. This has been fixed.
After creating a user, we would fail to create it in CMDB due to an incorrect resource parent when creating its user group membership resource. Users are now populating the workspace once again.
Newly created access keys were created incorrectly under the AWS account instead of the user. Now access keys are created under the user, which should be immensely more useful.

5.4.1 (2020-05-06)

Bug fixes

The default value of the AWS > IAM > Role > Boundary and AWS > IAM > User > Boundary policies was changed from Check or Enforce per AWS > Turbot > Permissions to Skip. Now any pre-existing boundary permissions for roles and users will not automatically be replaced as they are discovered by Turbot. If you would still like Turbot to enforce boundary permissions by default for roles and users, please set the AWS > IAM > Role > Boundary and AWS > IAM > User > Boundary policies to Check or Enforce per AWS > Turbot > Permissions.