Control types for @turbot/aws-iam
- AWS > IAM > Access Analyzer > Active
- AWS > IAM > Access Analyzer > Approved
- AWS > IAM > Access Analyzer > CMDB
- AWS > IAM > Access Analyzer > Configured
- AWS > IAM > Access Analyzer > Discovery
- AWS > IAM > Access Analyzer > Tags
- AWS > IAM > Access Key > Active
- AWS > IAM > Access Key > CMDB
- AWS > IAM > Access Key > Configured
- AWS > IAM > Access Key > Discovery
- AWS > IAM > Access Key > Usage
- AWS > IAM > Account Password Policy > CMDB
- AWS > IAM > Account Password Policy > Configured
- AWS > IAM > Account Password Policy > Discovery
- AWS > IAM > Account Password Policy > Settings
- AWS > IAM > Account Summary > CMDB
- AWS > IAM > Account Summary > Discovery
- AWS > IAM > Credential Report > CMDB
- AWS > IAM > Credential Report > Discovery
- AWS > IAM > Group > Active
- AWS > IAM > Group > Approved
- AWS > IAM > Group > CMDB
- AWS > IAM > Group > Configured
- AWS > IAM > Group > Discovery
- AWS > IAM > Group > Group Policy Attachments > Active
- AWS > IAM > Group > Group Policy Attachments > CMDB
- AWS > IAM > Group > Group Policy Attachments > Configured
- AWS > IAM > Group > Group Policy Attachments > Discovery
- AWS > IAM > Group > Inline Policy > Approved
- AWS > IAM > Group > Inline Policy > CMDB
- AWS > IAM > Group > Inline Policy > Discovery
- AWS > IAM > Group > Inline Policy > Statements
- AWS > IAM > Group > Inline Policy > Statements > Approved
- AWS > IAM > Group > Policy Attachments
- AWS > IAM > Group > Policy Attachments > Approved
- AWS > IAM > Group > Policy Attachments > Required
- AWS > IAM > Group > Usage
- AWS > IAM > Instance Profile > CMDB
- AWS > IAM > Instance Profile > Configured
- AWS > IAM > Instance Profile > Discovery
- AWS > IAM > MFA Virtual > Active
- AWS > IAM > MFA Virtual > CMDB
- AWS > IAM > MFA Virtual > Discovery
- AWS > IAM > OpenID Connect > Active
- AWS > IAM > OpenID Connect > Approved
- AWS > IAM > OpenID Connect > CMDB
- AWS > IAM > OpenID Connect > Configured
- AWS > IAM > OpenID Connect > Discovery
- AWS > IAM > OpenID Connect > Tags
- AWS > IAM > OpenID Connect > Usage
- AWS > IAM > Policy > Active
- AWS > IAM > Policy > Approved
- AWS > IAM > Policy > CMDB
- AWS > IAM > Policy > Configured
- AWS > IAM > Policy > Discovery
- AWS > IAM > Policy > Statements
- AWS > IAM > Policy > Statements > Approved
- AWS > IAM > Role > Active
- AWS > IAM > Role > Approved
- AWS > IAM > Role > Boundary
- AWS > IAM > Role > CMDB
- AWS > IAM > Role > Configured
- AWS > IAM > Role > Discovery
- AWS > IAM > Role > Inline Policy > Approved
- AWS > IAM > Role > Inline Policy > CMDB
- AWS > IAM > Role > Inline Policy > Configured
- AWS > IAM > Role > Inline Policy > Discovery
- AWS > IAM > Role > Inline Policy > Statements
- AWS > IAM > Role > Inline Policy > Statements > Approved
- AWS > IAM > Role > Policy
- AWS > IAM > Role > Policy > Trusted Access
- AWS > IAM > Role > Policy Attachments
- AWS > IAM > Role > Policy Attachments > Approved
- AWS > IAM > Role > Policy Attachments > Required
- AWS > IAM > Role > Role Policy Attachments > Active
- AWS > IAM > Role > Role Policy Attachments > CMDB
- AWS > IAM > Role > Role Policy Attachments > Configured
- AWS > IAM > Role > Role Policy Attachments > Discovery
- AWS > IAM > Role > Tags
- AWS > IAM > Role > Trust Relationship Statements
- AWS > IAM > Role > Trust Relationship Statements > Approved
- AWS > IAM > Role > Usage
- AWS > IAM > Root > Approved
- AWS > IAM > Root > CMDB
- AWS > IAM > Root > Configured
- AWS > IAM > Root > Discovery
- AWS > IAM > Server Certificate > Active
- AWS > IAM > Server Certificate > Approved
- AWS > IAM > Server Certificate > CMDB
- AWS > IAM > Server Certificate > Discovery
- AWS > IAM > Server Certificate > Tags
- AWS > IAM > Server Certificate > Usage
- AWS > IAM > Stack
- AWS > IAM > User > Active
- AWS > IAM > User > Approved
- AWS > IAM > User > Boundary
- AWS > IAM > User > CMDB
- AWS > IAM > User > Configured
- AWS > IAM > User > Discovery
- AWS > IAM > User > Group Memberships > CMDB
- AWS > IAM > User > Group Memberships > Configured
- AWS > IAM > User > Group Memberships > Discovery
- AWS > IAM > User > Inline Policy > Approved
- AWS > IAM > User > Inline Policy > CMDB
- AWS > IAM > User > Inline Policy > Discovery
- AWS > IAM > User > Inline Policy > Statements
- AWS > IAM > User > Inline Policy > Statements > Approved
- AWS > IAM > User > Login Profile
- AWS > IAM > User > Policy Attachments
- AWS > IAM > User > Policy Attachments > Approved
- AWS > IAM > User > Policy Attachments > Required
- AWS > IAM > User > Tags
- AWS > IAM > User > Turbot Access Key
- AWS > IAM > User > Turbot Access Key > Rotation
- AWS > IAM > User > Usage
- AWS > IAM > User > User Policy Attachments > Active
- AWS > IAM > User > User Policy Attachments > CMDB
- AWS > IAM > User > User Policy Attachments > Configured
- AWS > IAM > User > User Policy Attachments > Discovery
- AWS > Turbot > IAM
- AWS > Turbot > IAM > Group
- AWS > Turbot > IAM > Group > Managed
- AWS > Turbot > IAM > Managed
- AWS > Turbot > IAM > Policy
- AWS > Turbot > IAM > Policy > Managed
- AWS > Turbot > IAM > Role
- AWS > Turbot > IAM > Role > Managed
- AWS > Turbot > IAM > User
- AWS > Turbot > IAM > User > Managed
AWS > IAM > Access Analyzer > Active
Take an action when an AWS IAM access analyzer is not active based on the AWS > IAM > Access Analyzer > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Analyzer > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/control/types/accessAnalyzerActive
AWS > IAM > Access Analyzer > Approved
Take an action when an AWS IAM access analyzer is not approved based on AWS > IAM > Access Analyzer > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/control/types/accessAnalyzerApproved
AWS > IAM > Access Analyzer > CMDB
Record and synchronize details for the AWS IAM access analyzer into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > IAM > Access Analyzer > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)
tmod:@turbot/aws-iam#/control/types/accessAnalyzerCmdb
AWS > IAM > Access Analyzer > Configured
Maintain AWS > IAM > Access Analyzer configuration.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/accessAnalyzerConfigured
AWS > IAM > Access Analyzer > Discovery
Discover all AWS IAM access analyzer resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > IAM > Access Analyzer > Regions policy, the CMDB control will delete the resource from the CMDB.
tmod:@turbot/aws-iam#/control/types/accessAnalyzerDiscovery
AWS > IAM > Access Analyzer > Tags
Take an action when the tags of an AWS IAM access analyzer are not updated based on the AWS > IAM > Access Analyzer > Tags > * policies.
If the resource is not updated with the tags defined in AWS > IAM > Access Analyzer > Tags > Template, this control raises an alarm and takes the defined enforcement action.
See Tags for more information.
tmod:@turbot/aws-iam#/control/types/accessAnalyzerTags
AWS > IAM > Access Key > Active
Take an action when an AWS IAM access key is not active based on the AWS > IAM > Access Key > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Key > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/control/types/accessKeyActive
AWS > IAM > Access Key > CMDB
Record and synchronize details for the AWS IAM access key into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/control/types/accessKeyCmdb
AWS > IAM > Access Key > Configured
Maintain AWS > IAM > Access Key configuration.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/accessKeyConfigured
AWS > IAM > Access Key > Discovery
Discover all AWS IAM access key resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/aws-iam#/control/types/accessKeyDiscovery
AWS > IAM > Access Key > Usage
The Usage control determines whether the number of AWS IAM access key resources exceeds the configured usage limit for this user.
You can configure the behavior of this control with the AWS > IAM > Access Key > Usage policy, and set the limit with the AWS > IAM > Access Key > Usage > Limit policy.
tmod:@turbot/aws-iam#/control/types/accessKeyUsage
AWS > IAM > Account Password Policy > CMDB
Record and synchronize details for the AWS IAM Account Password Policy into the CMDB.
tmod:@turbot/aws-iam#/control/types/accountPasswordPolicyCmdb
AWS > IAM > Account Password Policy > Configured
Maintain AWS > IAM > Account Password Policy configuration.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/accountPasswordPolicyConfigured
AWS > IAM > Account Password Policy > Discovery
Discover AWS IAM account password policies for record in the CMDB.
tmod:@turbot/aws-iam#/control/types/accountPasswordPolicyDiscovery
AWS > IAM > Account Password Policy > Settings
Configure the account password policy with the correct settings.
tmod:@turbot/aws-iam#/control/types/accountPasswordPolicySettings
AWS > IAM > Account Summary > CMDB
Record and synchronize details for the AWS IAM account summary into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
This control will automatically re-run every 24 hours because AWS does not currently support real-time events for this resource type.
tmod:@turbot/aws-iam#/control/types/accountSummaryCmdb
AWS > IAM > Account Summary > Discovery
Discover all AWS IAM account summary resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/aws-iam#/control/types/accountSummaryDiscovery
AWS > IAM > Credential Report > CMDB
Record and synchronize details for the AWS IAM credential report into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
This control will automatically re-run every 6 hours to generate a credential report.
tmod:@turbot/aws-iam#/control/types/credentialReportCmdb
AWS > IAM > Credential Report > Discovery
Discover AWS IAM credential reports for record in the CMDB.
tmod:@turbot/aws-iam#/control/types/credentialReportDiscovery
AWS > IAM > Group > Active
Take an action when an AWS IAM group is not active based on the AWS > IAM > Group > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Group > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/control/types/groupActive
AWS > IAM > Group > Approved
Take an action when an AWS IAM group is not approved based on AWS > IAM > Group > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/control/types/groupApproved
AWS > IAM > Group > CMDB
Record and synchronize details for the AWS IAM group into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/control/types/groupCmdb
AWS > IAM > Group > Configured
Maintain AWS > IAM > Group configuration.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/groupConfigured
AWS > IAM > Group > Discovery
Discover all AWS IAM group resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/aws-iam#/control/types/groupDiscovery
AWS > IAM > Group > Group Policy Attachments > Active
Determines whether the AWS IAM group policy attachment is currently active.
tmod:@turbot/aws-iam#/control/types/groupPolicyAttachmentActive
AWS > IAM > Group > Group Policy Attachments > CMDB
Record and synchronize details for the AWS IAM group policy attachment into the CMDB.
tmod:@turbot/aws-iam#/control/types/groupPolicyAttachmentCmdb
AWS > IAM > Group > Group Policy Attachments > Configured
Maintain AWS > IAM > Group Policy Attachments configuration.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/groupPolicyAttachmentConfigured
AWS > IAM > Group > Group Policy Attachments > Discovery
Discover AWS IAM group policy attachments for record in the CMDB.
tmod:@turbot/aws-iam#/control/types/groupPolicyAttachmentDiscovery
AWS > IAM > Group > Inline Policy > Approved
Take an action when an AWS IAM group inline policy is not approved based on AWS > IAM > Group > Inline Policy > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/control/types/groupInlinePolicyApproved
AWS > IAM > Group > Inline Policy > CMDB
Record and synchronize details for the AWS IAM group inline policy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/control/types/groupInlinePolicyCmdb
AWS > IAM > Group > Inline Policy > Discovery
Discover AWS IAM group inline policies and add them to Turbot.
The Discovery control is tasked with identifying instances for a particular resource.
The Discovery control will periodically search for new target resources and save them to the Guardrails CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/aws-iam#/control/types/groupInlinePolicyDiscovery
AWS > IAM > Group > Inline Policy > Statements
tmod:@turbot/aws-iam#/control/types/groupInlinePolicyStatements
AWS > IAM > Group > Inline Policy > Statements > Approved
Configure IAM policy statements checking. This control defines whether IAM group inline policy statements are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.
tmod:@turbot/aws-iam#/control/types/groupInlinePolicyStatementsApproved
AWS > IAM > Group > Policy Attachments
AWS > IAM > Group > Policy Attachments > Approved
Configure Approved checking for AWS IAM group policy attachments. This policy defines whether to verify that the policies attached to the IAM group are approved (per Approved > Compiled Rules), as well as the subsequent action to take on unapproved items.
If set to "Enforce: Delete unapproved", any unapproved attached policy will be removed.
tmod:@turbot/aws-iam#/control/types/groupPolicyAttachmentsApproved
AWS > IAM > Group > Policy Attachments > Required
Determines whether the AWS > IAM > Group Required policies are attached to the IAM group, and takes the subsequent action to add the required policies.
If set to "Enforce: Required > Items", the required policies will be added to the IAM group.
tmod:@turbot/aws-iam#/control/types/groupAttachedPoliciesRequired
AWS > IAM > Group > Usage
The Usage control determines whether the number of AWS IAM group resources exceeds the configured usage limit for this account.
You can configure the behavior of this control with the AWS > IAM > Group > Usage policy, and set the limit with the AWS > IAM > Group > Usage > Limit policy.
tmod:@turbot/aws-iam#/control/types/groupUsage
AWS > IAM > Instance Profile > CMDB
Record and synchronize details for the AWS IAM instance profile into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
Note that if CMDB is set to Skip for a resource, then it will not be added to the CMDB, and no controls that target it will run.
tmod:@turbot/aws-iam#/control/types/instanceProfileCmdb
AWS > IAM > Instance Profile > Configured
Maintain AWS > IAM > Instance Profile configuration.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/instanceProfileConfigured
AWS > IAM > Instance Profile > Discovery
Discover AWS IAM instance profiles and add them to Turbot.
The Discovery control is tasked with identifying instances for a particular resource.
The Discovery control will periodically search for new target resources and save them to the Guardrails CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/aws-iam#/control/types/instanceProfileDiscovery
AWS > IAM > MFA Virtual > Active
Determines whether the AWS IAM virtual MFA device is currently active.
tmod:@turbot/aws-iam#/control/types/mfaVirtualActive
AWS > IAM > MFA Virtual > CMDB
Record and synchronize details for the AWS IAM mfa virtual into the CMDB.
tmod:@turbot/aws-iam#/control/types/mfaVirtualCmdb
AWS > IAM > MFA Virtual > Discovery
Discover AWS IAM Multi-Factor Authentication (MFA) virtual devices for record in the CMDB.
tmod:@turbot/aws-iam#/control/types/mfaVirtualDiscovery
AWS > IAM > OpenID Connect > Active
Take an action when an AWS IAM OpenID Connect provider is not active based on the AWS > IAM > OpenID Connect > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > IAM > OpenID Connect > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/control/types/openIdConnectActive
AWS > IAM > OpenID Connect > Approved
Take an action when an AWS IAM OpenID Connect provider is not approved based on AWS > IAM > OpenID Connect > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/control/types/openIdConnectApproved
AWS > IAM > OpenID Connect > CMDB
Record and synchronize details for the AWS IAM openid connect into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/control/types/openIdConnectCmdb
AWS > IAM > OpenID Connect > Configured
Maintain AWS > IAM > OpenID Connect configuration.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/openIdConnectConfigured
AWS > IAM > OpenID Connect > Discovery
Discover all AWS IAM openid connect resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/aws-iam#/control/types/openIdConnectDiscovery
AWS > IAM > OpenID Connect > Tags
Take an action when the tags of an AWS IAM OpenID Connect provider are not updated based on the AWS > IAM > OpenID Connect > Tags > * policies.
If the resource is not updated with the tags defined in AWS > IAM > OpenID Connect > Tags > Template, this control raises an alarm and takes the defined enforcement action.
See Tags for more information.
tmod:@turbot/aws-iam#/control/types/openIdConnectTags
AWS > IAM > OpenID Connect > Usage
The Usage control determines whether the number of AWS IAM openid connect resources exceeds the configured usage limit for this account.
You can configure the behavior of this control with the AWS > IAM > OpenID Connect > Usage policy, and set the limit with the AWS > IAM > OpenID Connect > Usage > Limit policy.
tmod:@turbot/aws-iam#/control/types/openIdConnectUsage
AWS > IAM > Policy > Active
Take an action when an AWS IAM policy is not active based on the AWS > IAM > Policy > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Policy > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/control/types/iamPolicyActive
AWS > IAM > Policy > Approved
Take an action when an AWS IAM policy is not approved based on AWS > IAM > Policy > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/control/types/iamPolicyApproved
AWS > IAM > Policy > CMDB
Record and synchronize details for the AWS IAM policy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/control/types/iamPolicyCmdb
AWS > IAM > Policy > Configured
Maintain AWS > IAM > Policy configuration.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/iamPolicyConfigured
AWS > IAM > Policy > Discovery
Discover all AWS IAM policy resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/aws-iam#/control/types/iamPolicyDiscovery
AWS > IAM > Policy > Statements
AWS > IAM > Policy > Statements > Approved
Configure IAM policy statements checking. This control defines whether IAM policy statements are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.
tmod:@turbot/aws-iam#/control/types/statementsApproved
AWS > IAM > Role > Active
Take an action when an AWS IAM role is not active based on the AWS > IAM > Role > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Role > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/control/types/roleActive
AWS > IAM > Role > Approved
Take an action when an AWS IAM role is not approved based on AWS > IAM > Role > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/control/types/roleApproved
AWS > IAM > Role > Boundary
Configure which boundary policy to apply to the IAM role.
This must be the name of an existing AWS IAM Boundary policy.
AWS Boundary Policies are used to enforce Turbot Guardrails for
enabling/disabling API Services and Regions.
If set to Check or Enforce per AWS > Turbot > Permissions (the default), the boundary will be enforced if Turbot > Permissions are enforced, checked if Turbot > Permissions are checked, and skipped if Turbot > Permissions are none or skip.
tmod:@turbot/aws-iam#/control/types/roleBoundary
AWS > IAM > Role > CMDB
Record and synchronize details for the AWS IAM role into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/control/types/roleCmdb
AWS > IAM > Role > Configured
Maintain AWS > IAM > Role configuration
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/roleConfigured
AWS > IAM > Role > Discovery
Discover all AWS IAM role resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/aws-iam#/control/types/roleDiscovery
AWS > IAM > Role > Inline Policy > Approved
Take an action when an AWS IAM role inline policy is not approved based on AWS > IAM > Role > Inline Policy > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/control/types/roleInlinePolicyApproved
AWS > IAM > Role > Inline Policy > CMDB
Record and synchronize details for the AWS IAM role inline policy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/control/types/roleInlinePolicyCmdb
AWS > IAM > Role > Inline Policy > Configured
Maintain AWS > IAM > Inline Policy configuration
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/roleInlinePolicyConfigured
AWS > IAM > Role > Inline Policy > Discovery
Discover AWS IAM role inline policies and add them to Turbot.
The Discovery control is tasked with identifying instances for a particular resource. The Discovery control will periodically search for new target resources and save them to the Guardrails CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/aws-iam#/control/types/roleInlinePolicyDiscovery
AWS > IAM > Role > Inline Policy > Statements
tmod:@turbot/aws-iam#/control/types/roleInlinePolicyStatements
AWS > IAM > Role > Inline Policy > Statements > Approved
Configure IAM Role inline policy statements checking. This control defines whether IAM policy statements are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.
tmod:@turbot/aws-iam#/control/types/roleInlinePolicyStatementsApproved
AWS > IAM > Role > Policy
tmod:@turbot/aws-iam#/control/types/rolePolicy
AWS > IAM > Role > Policy > Trusted Access
Take an action when an AWS IAM role policy is not trusted based on the AWS > IAM > Role > Policy > Trusted Access > * policies.
The Trusted Access control evaluates the role policy against the list of allowed members in each of the Trusted Access sub-policies (Trusted Access > Accounts, Trusted Access > Services etc.). If the policy grants access to a member outside those lists, this control raises an alarm and takes the defined enforcement action.
The account that owns the role will always be trusted, even if its account ID is not included in the Trusted Accounts policy.
If set to Enforce: Revoke untrusted access, access to non-trusted members will be removed.
tmod:@turbot/aws-iam#/control/types/rolePolicyTrustedAccess
AWS > IAM > Role > Policy Attachments
AWS > IAM > Role > Policy Attachments > Approved
Configure AWS IAM role policies binding Approved checking. This policy defines whether to verify the IAM role attached policies are approved (per Approved > Compiled Rules), as well as the subsequent action to take on unapproved items.
If set to "Enforce: Delete unapproved", any unapproved attached policy will be removed.
tmod:@turbot/aws-iam#/control/types/rolePolicyAttachmentsApproved
AWS > IAM > Role > Policy Attachments > Required
Determines whether the AWS > IAM > Role Required policies are attached to the IAM role, and takes the subsequent action to add the required policies. If set to "Enforce:Required > Items", the required policies will be added to the IAM role.
tmod:@turbot/aws-iam#/control/types/roleAttachedPoliciesRequired
AWS > IAM > Role > Role Policy Attachments > Active
Determines whether the AWS IAM role policy attachment is currently active.
tmod:@turbot/aws-iam#/control/types/rolePolicyAttachmentActive
AWS > IAM > Role > Role Policy Attachments > CMDB
Record and synchronize details for the AWS IAM Role-policy attachment into the CMDB.
tmod:@turbot/aws-iam#/control/types/rolePolicyAttachmentCmdb
AWS > IAM > Role > Role Policy Attachments > Configured
Maintain AWS > IAM > Role Policy Attachments configuration
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/rolePolicyAttachmentConfigured
AWS > IAM > Role > Role Policy Attachments > Discovery
Discover AWS IAM role policy attachments for record in the CMDB.
tmod:@turbot/aws-iam#/control/types/rolePolicyAttachmentDiscovery
AWS > IAM > Role > Tags
Take an action when an AWS IAM role's tags are not updated based on the AWS > IAM > Role > Tags > * policies.
If the resource is not updated with the tags defined in AWS > IAM > Role > Tags > Template, this control raises an alarm and takes the defined enforcement action.
See Tags for more information.
tmod:@turbot/aws-iam#/control/types/roleTags
AWS > IAM > Role > Trust Relationship Statements
tmod:@turbot/aws-iam#/control/types/trustRelationshipStatements
AWS > IAM > Role > Trust Relationship Statements > Approved
Configure Role trust relationship policy statements checking. This control defines whether role trust policy statements are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.
If set to Enforce: Delete unapproved, any unapproved principal will be revoked from the role trust policy.
tmod:@turbot/aws-iam#/control/types/trustRelationshipStatementsApproved
AWS > IAM > Role > Usage
The Usage control determines whether the number of AWS IAM role resources exceeds the configured usage limit for this account.
You can configure the behavior of this control with the AWS > IAM > Role > Usage policy, and set the limit with the AWS > IAM > Role > Usage > Limit policy.
tmod:@turbot/aws-iam#/control/types/roleUsage
AWS > IAM > Root > Approved
Take an action when an AWS IAM root is not approved based on AWS > IAM > Root > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm.
See Approved for more information.
tmod:@turbot/aws-iam#/control/types/rootApproved
AWS > IAM > Root > CMDB
Record and synchronize details for the AWS IAM Root User into the CMDB.
tmod:@turbot/aws-iam#/control/types/rootCmdb
AWS > IAM > Root > Configured
Maintain AWS > IAM > Root configuration
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/rootConfigured
AWS > IAM > Root > Discovery
Discover the AWS IAM root user for record in the CMDB.
tmod:@turbot/aws-iam#/control/types/rootDiscovery
AWS > IAM > Server Certificate > Active
Take an action when an AWS IAM server certificate is not active based on the AWS > IAM > Server Certificate > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Server Certificate > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/control/types/serverCertificateActive
AWS > IAM > Server Certificate > Approved
Take an action when an AWS IAM server certificate is not approved based on AWS > IAM > Server Certificate > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/control/types/serverCertificateApproved
AWS > IAM > Server Certificate > CMDB
Record and synchronize details for the AWS IAM server certificate into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
This control will automatically re-run every 24 hours because AWS does not currently support real-time events for this resource type.
tmod:@turbot/aws-iam#/control/types/serverCertificateCmdb
AWS > IAM > Server Certificate > Discovery
Discover all AWS IAM server certificate resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/aws-iam#/control/types/serverCertificateDiscovery
AWS > IAM > Server Certificate > Tags
Take an action when an AWS IAM server certificate's tags are not updated based on the AWS > IAM > Server Certificate > Tags > * policies.
If the resource is not updated with the tags defined in AWS > IAM > Server Certificate > Tags > Template, this control raises an alarm and takes the defined enforcement action.
See Tags for more information.
tmod:@turbot/aws-iam#/control/types/serverCertificateTags
AWS > IAM > Server Certificate > Usage
The Usage control determines whether the number of AWS IAM server certificate resources exceeds the configured usage limit for this account.
You can configure the behavior of this control with the AWS > IAM > Server Certificate > Usage policy, and set the limit with the AWS > IAM > Server Certificate > Usage > Limit policy.
tmod:@turbot/aws-iam#/control/types/serverCertificateUsage
AWS > IAM > Stack
Configure a custom stack on AWS, per the custom Stack > Source.
A Guardrails Stack is a set of resources configured by Turbot, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
tmod:@turbot/aws-iam#/control/types/iamStack
AWS > IAM > User > Active
Take an action when an AWS IAM user is not active based on the AWS > IAM > User > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > IAM > User > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/control/types/userActive
AWS > IAM > User > Approved
Take an action when an AWS IAM user is not approved based on AWS > IAM > User > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/control/types/userApproved
AWS > IAM > User > Boundary
Configure which boundary policy to apply to the IAM user.
This must be the name of an existing AWS IAM Boundary policy.
AWS Boundary Policies are used to enforce Turbot Guardrails for
enabling/disabling API Services and Regions.
If set to Check or Enforce per AWS > Turbot > Permissions (the default), the boundary will be enforced if Turbot > Permissions are enforced, checked if Turbot > Permissions are checked, and skipped if Guardrails Permissions are none or skip.
tmod:@turbot/aws-iam#/control/types/userBoundary
AWS > IAM > User > CMDB
Record and synchronize details for the AWS IAM user into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/control/types/userCmdb
AWS > IAM > User > Configured
Maintain AWS > IAM > User configuration
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/userConfigured
AWS > IAM > User > Discovery
Discover all AWS IAM user resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/aws-iam#/control/types/userDiscovery
AWS > IAM > User > Group Memberships > CMDB
Record and synchronize details for the AWS IAM user group membership into the CMDB.
tmod:@turbot/aws-iam#/control/types/userGroupMembershipsCmdb
AWS > IAM > User > Group Memberships > Configured
Maintain AWS > IAM > Group Memberships configuration
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/userGroupMembershipsConfigured
AWS > IAM > User > Group Memberships > Discovery
Discover AWS IAM user group memberships for record in the CMDB.
tmod:@turbot/aws-iam#/control/types/userGroupMembershipsDiscovery
AWS > IAM > User > Inline Policy > Approved
Take an action when an AWS IAM user inline policy is not approved based on AWS > IAM > User > Inline Policy > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/control/types/userInlinePolicyApproved
AWS > IAM > User > Inline Policy > CMDB
Record and synchronize details for the AWS IAM user inline policy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/control/types/userInlinePolicyCmdb
AWS > IAM > User > Inline Policy > Discovery
Discover AWS IAM user inline policies and add them to Turbot.
The Discovery control is tasked with identifying instances for a particular resource. The Discovery control will periodically search for new target resources and save them to the Guardrails CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/aws-iam#/control/types/userInlinePolicyDiscovery
AWS > IAM > User > Inline Policy > Statements
tmod:@turbot/aws-iam#/control/types/userInlinePolicyStatements
AWS > IAM > User > Inline Policy > Statements > Approved
Configure IAM policy statements checking. This control defines whether IAM policy statements are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.
tmod:@turbot/aws-iam#/control/types/userInlinePolicyStatementsApproved
AWS > IAM > User > Login Profile
Configure whether to remove the Login Profile for a user.
tmod:@turbot/aws-iam#/control/types/userLoginProfile
AWS > IAM > User > Policy Attachments
AWS > IAM > User > Policy Attachments > Approved
Configure AWS IAM user policies binding Approved checking. This policy defines whether to verify the IAM user attached policies are approved (per Approved > Compiled Rules), as well as the subsequent action to take on unapproved items.
If set to "Enforce: Delete unapproved", any unapproved attached policy will be removed.
tmod:@turbot/aws-iam#/control/types/userPolicyAttachmentsApproved
AWS > IAM > User > Policy Attachments > Required
Determines whether the AWS IAM user can exist based on the settings for the AWS > IAM > Required Policies in Turbot.
tmod:@turbot/aws-iam#/control/types/userAttachedPoliciesRequired
AWS > IAM > User > Tags
Take an action when an AWS IAM user's tags are not updated based on the AWS > IAM > User > Tags > * policies.
If the resource is not updated with the tags defined in AWS > IAM > User > Tags > Template, this control raises an alarm and takes the defined enforcement action.
See Tags for more information.
tmod:@turbot/aws-iam#/control/types/userTags
AWS > IAM > User > Turbot Access Key
Guardrails access key root.
AWS > IAM > User > Turbot Access Key > Rotation
Create or rotate the Guardrails managed access key for the user.
tmod:@turbot/aws-iam#/control/types/userTurbotAccessKeyRotation
AWS > IAM > User > Usage
The Usage control determines whether the number of AWS IAM user resources exceeds the configured usage limit for this account.
You can configure the behavior of this control with the AWS > IAM > User > Usage policy, and set the limit with the AWS > IAM > User > Usage > Limit policy.
tmod:@turbot/aws-iam#/control/types/userUsage
AWS > IAM > User > User Policy Attachments > Active
Determines whether the AWS IAM user policy attachment is currently active.
tmod:@turbot/aws-iam#/control/types/userPolicyAttachmentActive
AWS > IAM > User > User Policy Attachments > CMDB
Record and synchronize details for the AWS IAM user policy attachment into the CMDB.
tmod:@turbot/aws-iam#/control/types/userPolicyAttachmentCmdb
AWS > IAM > User > User Policy Attachments > Configured
Maintain AWS > IAM > User Policy Attachments configuration
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/control/types/userPolicyAttachmentConfigured
AWS > IAM > User > User Policy Attachments > Discovery
Discover AWS IAM user policy attachments for record in the CMDB.
tmod:@turbot/aws-iam#/control/types/userPolicyAttachmentDiscovery
AWS > Turbot > IAM
Maintain configuration of IAM resources.
tmod:@turbot/aws-iam#/control/types/iamTurbot
AWS > Turbot > IAM > Group
AWS > Turbot > IAM > Group > Managed
The control oversees the creation, updating, and deletion of Turbot-managed IAM groups. It also manages the association and disassociation of users to the group. An essential part of this control is its ability to handle policy attachments to the group, ensuring that only authorized policies are associated, thereby maintaining strict access control and compliance.
tmod:@turbot/aws-iam#/control/types/iamTurbotGroupManaged
AWS > Turbot > IAM > Managed
The control automates the creation of new IAM resources based on predefined IAM policies. Its primary function is to facilitate the initial setup of resources, without taking charge of subsequent updates or deletions.
tmod:@turbot/aws-iam#/control/types/iamTurbotManaged
AWS > Turbot > IAM > Policy
AWS > Turbot > IAM > Policy > Managed
The control is responsible for maintaining the lifecycle of Turbot-managed IAM policies. It ensures that policies are always up-to-date and removes them when they are no longer required. This continuous monitoring and management help in maintaining the security posture and compliance of IAM policies across the organization.
tmod:@turbot/aws-iam#/control/types/iamTurbotPolicyManaged
AWS > Turbot > IAM > Role
AWS > Turbot > IAM > Role > Managed
The control ensures that Turbot-managed roles are accurately maintained, including updates and deletions as necessary. This control is key to managing role-based access controls, including the attachment of policies to roles and the enforcement of lockdown, deny, and boundary policy attachments.
tmod:@turbot/aws-iam#/control/types/iamTurbotRoleManaged
AWS > Turbot > IAM > User
AWS > Turbot > IAM > User > Managed
The control focuses on Turbot-managed user accounts. It updates and deletes user accounts based on their assignment status. It also applies the necessary lockdown, boundary, and deny policies to user accounts, further tightening security. Additionally, it controls group memberships by removing users from groups that are associated outside of Turbot, depending on the policy AWS > Turbot > Permissions > User > Group Membership Mode. This ensures that user access levels are consistently managed and aligned with the organization's access control policies.
tmod:@turbot/aws-iam#/control/types/iamTurbotUserManaged