Control types for @turbot/aws-iam
- AWS > IAM > Access Analyzer > Active
- AWS > IAM > Access Analyzer > Approved
- AWS > IAM > Access Analyzer > CMDB
- AWS > IAM > Access Analyzer > Configured
- AWS > IAM > Access Analyzer > Discovery
- AWS > IAM > Access Analyzer > Tags
- AWS > IAM > Access Key > Active
- AWS > IAM > Access Key > CMDB
- AWS > IAM > Access Key > Configured
- AWS > IAM > Access Key > Discovery
- AWS > IAM > Access Key > Usage
- AWS > IAM > Account Password Policy > CMDB
- AWS > IAM > Account Password Policy > Configured
- AWS > IAM > Account Password Policy > Discovery
- AWS > IAM > Account Password Policy > Settings
- AWS > IAM > Account Summary > CMDB
- AWS > IAM > Account Summary > Discovery
- AWS > IAM > Credential Report > CMDB
- AWS > IAM > Credential Report > Discovery
- AWS > IAM > Group > Active
- AWS > IAM > Group > Approved
- AWS > IAM > Group > CMDB
- AWS > IAM > Group > Configured
- AWS > IAM > Group > Discovery
- AWS > IAM > Group > Group Policy Attachments > Active
- AWS > IAM > Group > Group Policy Attachments > CMDB
- AWS > IAM > Group > Group Policy Attachments > Configured
- AWS > IAM > Group > Group Policy Attachments > Discovery
- AWS > IAM > Group > Inline Policy > Approved
- AWS > IAM > Group > Inline Policy > CMDB
- AWS > IAM > Group > Inline Policy > Discovery
- AWS > IAM > Group > Inline Policy > Statements
- AWS > IAM > Group > Inline Policy > Statements > Approved
- AWS > IAM > Group > Policy Attachments
- AWS > IAM > Group > Policy Attachments > Approved
- AWS > IAM > Group > Policy Attachments > Required
- AWS > IAM > Group > Usage
- AWS > IAM > Instance Profile > CMDB
- AWS > IAM > Instance Profile > Configured
- AWS > IAM > Instance Profile > Discovery
- AWS > IAM > MFA Virtual > Active
- AWS > IAM > MFA Virtual > CMDB
- AWS > IAM > MFA Virtual > Discovery
- AWS > IAM > OpenID Connect > Active
- AWS > IAM > OpenID Connect > Approved
- AWS > IAM > OpenID Connect > CMDB
- AWS > IAM > OpenID Connect > Configured
- AWS > IAM > OpenID Connect > Discovery
- AWS > IAM > OpenID Connect > Tags
- AWS > IAM > OpenID Connect > Usage
- AWS > IAM > Policy > Active
- AWS > IAM > Policy > Approved
- AWS > IAM > Policy > CMDB
- AWS > IAM > Policy > Configured
- AWS > IAM > Policy > Discovery
- AWS > IAM > Policy > Statements
- AWS > IAM > Policy > Statements > Approved
- AWS > IAM > Role > Active
- AWS > IAM > Role > Approved
- AWS > IAM > Role > Boundary
- AWS > IAM > Role > CMDB
- AWS > IAM > Role > Configured
- AWS > IAM > Role > Discovery
- AWS > IAM > Role > Inline Policy > Approved
- AWS > IAM > Role > Inline Policy > CMDB
- AWS > IAM > Role > Inline Policy > Configured
- AWS > IAM > Role > Inline Policy > Discovery
- AWS > IAM > Role > Inline Policy > Statements
- AWS > IAM > Role > Inline Policy > Statements > Approved
- AWS > IAM > Role > Policy
- AWS > IAM > Role > Policy > Trusted Access
- AWS > IAM > Role > Policy Attachments
- AWS > IAM > Role > Policy Attachments > Approved
- AWS > IAM > Role > Policy Attachments > Required
- AWS > IAM > Role > Role Policy Attachments > Active
- AWS > IAM > Role > Role Policy Attachments > CMDB
- AWS > IAM > Role > Role Policy Attachments > Configured
- AWS > IAM > Role > Role Policy Attachments > Discovery
- AWS > IAM > Role > Tags
- AWS > IAM > Role > Trust Relationship Statements
- AWS > IAM > Role > Trust Relationship Statements > Approved
- AWS > IAM > Role > Usage
- AWS > IAM > Root > CMDB
- AWS > IAM > Root > Configured
- AWS > IAM > Root > Discovery
- AWS > IAM > Server Certificate > Active
- AWS > IAM > Server Certificate > Approved
- AWS > IAM > Server Certificate > CMDB
- AWS > IAM > Server Certificate > Discovery
- AWS > IAM > Server Certificate > Tags
- AWS > IAM > Server Certificate > Usage
- AWS > IAM > Stack
- AWS > IAM > User > Active
- AWS > IAM > User > Approved
- AWS > IAM > User > Boundary
- AWS > IAM > User > CMDB
- AWS > IAM > User > Configured
- AWS > IAM > User > Discovery
- AWS > IAM > User > Group Memberships > CMDB
- AWS > IAM > User > Group Memberships > Configured
- AWS > IAM > User > Group Memberships > Discovery
- AWS > IAM > User > Inline Policy > Approved
- AWS > IAM > User > Inline Policy > CMDB
- AWS > IAM > User > Inline Policy > Discovery
- AWS > IAM > User > Inline Policy > Statements
- AWS > IAM > User > Inline Policy > Statements > Approved
- AWS > IAM > User > Login Profile
- AWS > IAM > User > Policy Attachments
- AWS > IAM > User > Policy Attachments > Approved
- AWS > IAM > User > Policy Attachments > Required
- AWS > IAM > User > Tags
- AWS > IAM > User > Turbot Access Key
- AWS > IAM > User > Turbot Access Key > Rotation
- AWS > IAM > User > Usage
- AWS > IAM > User > User Policy Attachments > Active
- AWS > IAM > User > User Policy Attachments > CMDB
- AWS > IAM > User > User Policy Attachments > Configured
- AWS > IAM > User > User Policy Attachments > Discovery
- AWS > Turbot > IAM
AWS > IAM > Access Analyzer > Active
Take an action when an AWS IAM access analyzer is not active based on the AWS > IAM > Access Analyzer > Active > * policies.

The Active control determines whether the resource is in active use and, if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Analyzer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
AWS > IAM > Access Analyzer > Approved
Take an action when an AWS IAM access analyzer is not approved based on the AWS > IAM > Access Analyzer > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.
AWS > IAM > Access Analyzer > CMDB
Record and synchronize details for the AWS IAM access analyzer into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip, then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > IAM > Access Analyzer > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)
AWS > IAM > Access Analyzer > Configured
Maintain AWS > IAM > Access Analyzer configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
AWS > IAM > Access Analyzer > Discovery
Discover all AWS IAM access analyzer resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > IAM > Access Analyzer > Regions policy, the CMDB control will delete the resource from the CMDB.
AWS > IAM > Access Analyzer > Tags
Take an action when an AWS IAM access analyzer's tags are not updated based on the AWS > IAM > Access Analyzer > Tags > * policies.

If the resource is not updated with the tags defined in AWS > IAM > Access Analyzer > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.
AWS > IAM > Access Key > Active
Take an action when an AWS IAM access key is not active based on the AWS > IAM > Access Key > Active > * policies.

The Active control determines whether the resource is in active use and, if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
AWS > IAM > Access Key > CMDB
Record and synchronize details for the AWS IAM access key into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip, then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
AWS > IAM > Access Key > Configured
Maintain AWS > IAM > Access Key configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
AWS > IAM > Access Key > Discovery
Discover all AWS IAM access key resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
AWS > IAM > Access Key > Usage
The Usage control determines whether the number of AWS IAM access key resources exceeds the configured usage limit for this user.

You can configure the behavior of this control with the AWS > IAM > Access Key > Usage policy, and set the limit with the AWS > IAM > Access Key > Usage > Limit policy.
AWS > IAM > Account Password Policy > CMDB
Record and synchronize details for the AWS IAM Account Password Policy into the CMDB.
AWS > IAM > Account Password Policy > Configured
Maintain AWS > IAM > Account Password Policy configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
AWS > IAM > Account Password Policy > Discovery
Discover AWS IAM account password policies and record them in the CMDB.
AWS > IAM > Account Password Policy > Settings
Configure the account password policy with the correct settings.
AWS > IAM > Account Summary > CMDB
Record and synchronize details for the AWS IAM account summary into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip, then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

This control will automatically re-run every 24 hours because AWS does not currently support real-time events for this resource type.
AWS > IAM > Account Summary > Discovery
Discover all AWS IAM account summary resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
AWS > IAM > Credential Report > CMDB
Record and synchronize details for the AWS IAM credential report into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

This control will automatically re-run every 6 hours to generate a credential report.
AWS > IAM > Credential Report > Discovery
Discover AWS IAM credential reports and record them in the CMDB.
AWS > IAM > Group > Active
Take an action when an AWS IAM group is not active based on the AWS > IAM > Group > Active > * policies.

The Active control determines whether the resource is in active use and, if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
AWS > IAM > Group > Approved
Take an action when an AWS IAM group is not approved based on the AWS > IAM > Group > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.
AWS > IAM > Group > CMDB
Record and synchronize details for the AWS IAM group into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip, then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
AWS > IAM > Group > Configured
Maintain AWS > IAM > Group configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
AWS > IAM > Group > Discovery
Discover all AWS IAM group resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
AWS > IAM > Group > Group Policy Attachments > Active
Determines whether the AWS IAM group policy attachment is currently active.
AWS > IAM > Group > Group Policy Attachments > CMDB
Record and synchronize details for the AWS IAM group policy attachment into the CMDB.
AWS > IAM > Group > Group Policy Attachments > Configured
Maintain AWS > IAM > Group Policy Attachments configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
AWS > IAM > Group > Group Policy Attachments > Discovery
Discover AWS IAM group policy attachments and record them in the CMDB.
AWS > IAM > Group > Inline Policy > Approved
Take an action when an AWS IAM group inline policy is not approved based on the AWS > IAM > Group > Inline Policy > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.
AWS > IAM > Group > Inline Policy > CMDB
Record and synchronize details for the AWS IAM group inline policy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip, then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
AWS > IAM > Group > Inline Policy > Discovery
Discover AWS IAM group inline policies and add them to Turbot.

The Discovery control is tasked with identifying instances for a particular resource. The Discovery control will periodically search for new target resources and save them to the Guardrails CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
AWS > IAM > Group > Inline Policy > Statements
AWS > IAM > Group > Inline Policy > Statements > Approved
Configure IAM policy statements checking. This control defines whether IAM group inline policy statements are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.
AWS > IAM > Group > Policy Attachments
AWS > IAM > Group > Policy Attachments > Approved
Configure Approved checking for AWS IAM group policy attachments. This policy defines whether to verify that the policies attached to the IAM group are approved (per Approved > Compiled Rules), as well as the subsequent action to take on unapproved items.

If set to "Enforce: Delete unapproved", any unapproved attached policy will be removed.
AWS > IAM > Group > Policy Attachments > Required
Determines whether the AWS > IAM > Group Required policies are attached to the IAM group, and takes the subsequent action to add the required policies.

If set to "Enforce: Required > Items", the required policies will be added to the IAM group.
AWS > IAM > Group > Usage
The Usage control determines whether the number of AWS IAM group resources exceeds the configured usage limit for this account.

You can configure the behavior of this control with the AWS > IAM > Group > Usage policy, and set the limit with the AWS > IAM > Group > Usage > Limit policy.
AWS > IAM > Instance Profile > CMDB
Record and synchronize details for the AWS IAM instance profile into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

Note that if CMDB is set to Skip for a resource, then it will not be added to the CMDB, and no controls that target it will run.
AWS > IAM > Instance Profile > Configured
Maintain AWS > IAM > Instance Profile configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
AWS > IAM > Instance Profile > Discovery
Discover AWS IAM instance profiles and add them to Turbot.

The Discovery control is tasked with identifying instances for a particular resource. The Discovery control will periodically search for new target resources and save them to the Guardrails CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
AWS > IAM > MFA Virtual > Active
Determines whether the AWS IAM virtual MFA device is currently active.
AWS > IAM > MFA Virtual > CMDB
Record and synchronize details for the AWS IAM virtual MFA device into the CMDB.
AWS > IAM > MFA Virtual > Discovery
Discover AWS IAM virtual Multi-Factor Authentication (MFA) devices and record them in the CMDB.
AWS > IAM > OpenID Connect > Active
Take an action when an AWS IAM OpenID Connect provider is not active based on the AWS > IAM > OpenID Connect > Active > * policies.

The Active control determines whether the resource is in active use and, if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > OpenID Connect > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
AWS > IAM > OpenID Connect > Approved
Take an action when an AWS IAM OpenID Connect provider is not approved based on the AWS > IAM > OpenID Connect > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.
AWS > IAM > OpenID Connect > CMDB
Record and synchronize details for the AWS IAM OpenID Connect provider into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip, then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
AWS > IAM > OpenID Connect > Configured
Maintain AWS > IAM > OpenID Connect configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
AWS > IAM > OpenID Connect > Discovery
Discover all AWS IAM OpenID Connect provider resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
AWS > IAM > OpenID Connect > Tags
Take an action when an AWS IAM OpenID Connect provider's tags are not updated based on the AWS > IAM > OpenID Connect > Tags > * policies.

If the resource is not updated with the tags defined in AWS > IAM > OpenID Connect > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.
AWS > IAM > OpenID Connect > Usage
The Usage control determines whether the number of AWS IAM OpenID Connect provider resources exceeds the configured usage limit for this account.

You can configure the behavior of this control with the AWS > IAM > OpenID Connect > Usage policy, and set the limit with the AWS > IAM > OpenID Connect > Usage > Limit policy.
AWS > IAM > Policy > Active
Take an action when an AWS IAM policy is not active based on the AWS > IAM > Policy > Active > * policies.

The Active control determines whether the resource is in active use and, if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Policy > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
AWS > IAM > Policy > Approved
Take an action when an AWS IAM policy is not approved based on the AWS > IAM > Policy > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.
AWS > IAM > Policy > CMDB
Record and synchronize details for the AWS IAM policy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip, then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
AWS > IAM > Policy > Configured
Maintain AWS > IAM > Policy configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
AWS > IAM > Policy > Discovery
Discover all AWS IAM policy resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
AWS > IAM > Policy > Statements
AWS > IAM > Policy > Statements > Approved
Configure IAM policy statements checking. This control defines whether IAM policy statements are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.
AWS > IAM > Role > Active
Take an action when an AWS IAM role is not active based on the AWS > IAM > Role > Active > * policies.

The Active control determines whether the resource is in active use and, if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Role > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
AWS > IAM > Role > Approved
Take an action when an AWS IAM role is not approved based on the AWS > IAM > Role > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.
AWS > IAM > Role > Boundary
Configure which boundary policy to apply to the IAM role. This must be the name of an existing AWS IAM boundary policy.

AWS boundary policies are used to enforce Turbot Guardrails for enabling/disabling API services and regions.

If set to Check or Enforce per AWS > Turbot > Permissions (the default), the boundary will be enforced if Turbot > Permissions are enforced, checked if Turbot > Permissions are checked, and skipped if Turbot > Permissions are none or skip.
AWS > IAM > Role > CMDB
Record and synchronize details for the AWS IAM role into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip, then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
AWS > IAM > Role > Configured
Maintain AWS > IAM > Role configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
AWS > IAM > Role > Discovery
Discover all AWS IAM role resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
AWS > IAM > Role > Inline Policy > Approved
Take an action when an AWS IAM role inline policy is not approved based on the AWS > IAM > Role > Inline Policy > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.
AWS > IAM > Role > Inline Policy > CMDB
Record and synchronize details for the AWS IAM role inline policy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip, then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
AWS > IAM > Role > Inline Policy > Configured
Maintain AWS > IAM > Role > Inline Policy configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
AWS > IAM > Role > Inline Policy > Discovery
Discover AWS IAM role inline policies and add them to Turbot.

The Discovery control is tasked with identifying instances for a particular resource. The Discovery control will periodically search for new target resources and save them to the Guardrails CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
AWS > IAM > Role > Inline Policy > Statements
AWS > IAM > Role > Inline Policy > Statements > Approved
Configure IAM Role inline policy statements checking. This control defines whether IAM policy statements are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.
AWS > IAM > Role > Policy
AWS > IAM > Role > Policy > Trusted Access
Take an action when an AWS IAM role policy is not trusted based on the AWS > IAM > Role > Policy > Trusted Access > * policies.

The Trusted Access control evaluates the role policy against the list of allowed members in each of the Trusted Access sub-policies (Trusted Access > Accounts, Trusted Access > Services, etc.). If the policy grants access to a member not in those lists, this control raises an alarm and takes the defined enforcement action.

The account that owns the role will always be trusted, even if its account ID is not included in the Trusted Accounts policy.

If set to "Enforce: Revoke untrusted access", access for non-trusted members will be removed.
AWS > IAM > Role > Policy Attachments
AWS > IAM > Role > Policy Attachments > Approved
Configure AWS IAM role policy binding Approved checking. This policy defines whether to verify that the IAM role's attached policies are approved (per Approved > Compiled Rules), as well as the subsequent action to take on unapproved items.

If set to "Enforce: Delete unapproved", any unapproved attached policy will be removed.
AWS > IAM > Role > Policy Attachments > Required
Determines whether the AWS > IAM > Role Required policies are attached to the IAM role, as well as the subsequent action to take to add the required policies. If set to "Enforce: Required > Items", the required policies will be attached to the IAM role.
AWS > IAM > Role > Role Policy Attachments > Active
Determines whether the AWS IAM role policy attachment is currently active.
AWS > IAM > Role > Role Policy Attachments > CMDB
Record and synchronize details for the AWS IAM Role-policy attachment into the CMDB.
AWS > IAM > Role > Role Policy Attachments > Configured
Maintain AWS > IAM > Role Policy Attachments configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
AWS > IAM > Role > Role Policy Attachments > Discovery
Discover AWS IAM role policy attachments for record in the CMDB.
AWS > IAM > Role > Tags
Take an action when the tags on an AWS IAM role are not updated based on the AWS > IAM > Role > Tags > * policies.

If the resource is not updated with the tags defined in AWS > IAM > Role > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.
AWS > IAM > Role > Trust Relationship Statements
AWS > IAM > Role > Trust Relationship Statements > Approved
Configure Role trust relationship policy statements checking. This control defines whether role trust policy statements are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.

If set to "Enforce: Delete unapproved", any unapproved principal will be revoked from the role trust policy.
AWS > IAM > Role > Usage
The Usage control determines whether the number of AWS IAM role resources exceeds the configured usage limit for this account.

You can configure the behavior of this control with the AWS > IAM > Role > Usage policy, and set the limit with the AWS > IAM > Role > Usage > Limit policy.
AWS > IAM > Root > CMDB
Record and synchronize details for the AWS IAM Root User into the CMDB.
AWS > IAM > Root > Configured
Maintain AWS > IAM > Root configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
AWS > IAM > Root > Discovery
Discover the AWS IAM root user and record it in the CMDB.
AWS > IAM > Server Certificate > Active
Take an action when an AWS IAM server certificate is not active based on the AWS > IAM > Server Certificate > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Server Certificate > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
AWS > IAM > Server Certificate > Approved
Take an action when an AWS IAM server certificate is not approved based on the AWS > IAM > Server Certificate > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.
AWS > IAM > Server Certificate > CMDB
Record and synchronize details for the AWS IAM server certificate into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

This control will automatically re-run every 24 hours because AWS does not currently support real-time events for this resource type.
AWS > IAM > Server Certificate > Discovery
Discover all AWS IAM server certificate resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
AWS > IAM > Server Certificate > Tags
Take an action when the tags on an AWS IAM server certificate are not updated based on the AWS > IAM > Server Certificate > Tags > * policies.

If the resource is not updated with the tags defined in AWS > IAM > Server Certificate > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.
AWS > IAM > Server Certificate > Usage
The Usage control determines whether the number of AWS IAM server certificate resources exceeds the configured usage limit for this account.

You can configure the behavior of this control with the AWS > IAM > Server Certificate > Usage policy, and set the limit with the AWS > IAM > Server Certificate > Usage > Limit policy.
AWS > IAM > Stack
Configure a custom stack on AWS, per the custom Stack > Source.

A Guardrails Stack is a set of resources configured by Turbot, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
AWS > IAM > User > Active
Take an action when an AWS IAM user is not active based on the AWS > IAM > User > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > User > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
AWS > IAM > User > Approved
Take an action when an AWS IAM user is not approved based on the AWS > IAM > User > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.
AWS > IAM > User > Boundary
Configure which boundary policy to apply to the IAM user. This must be the name of an existing AWS IAM boundary policy.

AWS boundary policies are used to enforce Turbot Guardrails for enabling/disabling API Services and Regions.

If set to "Check or Enforce per AWS > Turbot > Permissions" (the default), the boundary will be enforced if Turbot > Permissions is enforced, checked if Turbot > Permissions is checked, and skipped if Guardrails Permissions is set to none or skip.
AWS > IAM > User > CMDB
Record and synchronize details for the AWS IAM user into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
AWS > IAM > User > Configured
Maintain AWS > IAM > User configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
AWS > IAM > User > Discovery
Discover all AWS IAM user resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
AWS > IAM > User > Group Memberships > CMDB
Record and synchronize details for the AWS IAM user group membership into the CMDB.
AWS > IAM > User > Group Memberships > Configured
Maintain AWS > IAM > Group Memberships configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
AWS > IAM > User > Group Memberships > Discovery
Discover AWS IAM user group memberships and record them in the CMDB.
AWS > IAM > User > Inline Policy > Approved
Take an action when an AWS IAM user inline policy is not approved based on the AWS > IAM > User > Inline Policy > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.
AWS > IAM > User > Inline Policy > CMDB
Record and synchronize details for the AWS IAM user inline policy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
AWS > IAM > User > Inline Policy > Discovery
Discover AWS IAM user inline policies and add them to Turbot.

The Discovery control is tasked with identifying instances for a particular resource. The Discovery control will periodically search for new target resources and save them to the Guardrails CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
AWS > IAM > User > Inline Policy > Statements
AWS > IAM > User > Inline Policy > Statements > Approved
Configure IAM user inline policy statements checking. This control defines whether IAM policy statements are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.
AWS > IAM > User > Login Profile
Configure whether to remove the login profile (console password) for an IAM user.
AWS > IAM > User > Policy Attachments
AWS > IAM > User > Policy Attachments > Approved
Configure AWS IAM user policy binding Approved checking. This policy defines whether to verify that the IAM user's attached policies are approved (per Approved > Compiled Rules), as well as the subsequent action to take on unapproved items.

If set to "Enforce: Delete unapproved", any unapproved attached policy will be removed.
AWS > IAM > User > Policy Attachments > Required
Determines whether the AWS IAM user can exist based on the settings for the AWS > IAM > Required Policies in Turbot.
AWS > IAM > User > Tags
Take an action when the tags on an AWS IAM user are not updated based on the AWS > IAM > User > Tags > * policies.

If the resource is not updated with the tags defined in AWS > IAM > User > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.
AWS > IAM > User > Turbot Access Key
Guardrails access key root.
AWS > IAM > User > Turbot Access Key > Rotation
Create or rotate the Guardrails-managed access key for the user.
AWS > IAM > User > Usage
The Usage control determines whether the number of AWS IAM user resources exceeds the configured usage limit for this account.

You can configure the behavior of this control with the AWS > IAM > User > Usage policy, and set the limit with the AWS > IAM > User > Usage > Limit policy.
AWS > IAM > User > User Policy Attachments > Active
Determines whether the AWS IAM user policy attachment is currently active.
AWS > IAM > User > User Policy Attachments > CMDB
Record and synchronize details for the AWS IAM user policy attachment into the CMDB.
AWS > IAM > User > User Policy Attachments > Configured
Maintain AWS > IAM > User Policy Attachments configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
AWS > IAM > User > User Policy Attachments > Discovery
Discover AWS IAM user policy attachments and record them in the CMDB.
AWS > Turbot > IAM
Maintain configuration of IAM resources.