Control types for @turbot/aws-iam

AWS > IAM > Access Analyzer > Active

Take an action when an AWS IAM access analyzer is not active based on the
AWS > IAM > Access Analyzer > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Access Analyzer > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/control/types/accessAnalyzerActive

AWS > IAM > Access Analyzer > Approved

Take an action when an AWS IAM access analyzer is not approved based on AWS > IAM > Access Analyzer > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/control/types/accessAnalyzerApproved

AWS > IAM > Access Analyzer > CMDB

Record and synchronize details for the AWS IAM access analyzer into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > IAM > Access Analyzer > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

URI
tmod:@turbot/aws-iam#/control/types/accessAnalyzerCmdb

AWS > IAM > Access Analyzer > Configured

Maintain AWS > IAM > Access Analyzer configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/accessAnalyzerConfigured

AWS > IAM > Access Analyzer > Discovery

Discover all AWS IAM access analyzer resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > IAM > Access Analyzer > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/accessAnalyzerDiscovery

AWS > IAM > Access Analyzer > Tags

Take an action when the tags on an AWS IAM access analyzer are not updated based on the AWS > IAM > Access Analyzer > Tags > * policies.

If the resource is not updated with the tags defined in AWS > IAM > Access Analyzer > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-iam#/control/types/accessAnalyzerTags

AWS > IAM > Access Key > Active

Take an action when an AWS IAM access key is not active based on the
AWS > IAM > Access Key > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Access Key > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/control/types/accessKeyActive

AWS > IAM > Access Key > CMDB

Record and synchronize details for the AWS IAM access key into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/control/types/accessKeyCmdb

AWS > IAM > Access Key > Configured

Maintain AWS > IAM > Access Key configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/accessKeyConfigured

AWS > IAM > Access Key > Discovery

Discover all AWS IAM access key resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

URI
tmod:@turbot/aws-iam#/control/types/accessKeyDiscovery

AWS > IAM > Access Key > Usage

The Usage control determines whether the number of AWS IAM access key resources exceeds the configured usage limit for this user.

You can configure the behavior of this control with the AWS > IAM > Access Key > Usage policy, and set the limit with the AWS > IAM > Access Key > Usage > Limit policy.

URI
tmod:@turbot/aws-iam#/control/types/accessKeyUsage

AWS > IAM > Account Password Policy > CMDB

Record and synchronize details for the AWS IAM Account Password Policy into the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/accountPasswordPolicyCmdb

AWS > IAM > Account Password Policy > Configured

Maintain AWS > IAM > Account Password Policy configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/accountPasswordPolicyConfigured

AWS > IAM > Account Password Policy > Discovery

Discover AWS IAM account password policies and record them in the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/accountPasswordPolicyDiscovery

AWS > IAM > Account Password Policy > Settings

Configure the account password policy with the correct settings.

URI
tmod:@turbot/aws-iam#/control/types/accountPasswordPolicySettings

AWS > IAM > Account Summary > CMDB

Record and synchronize details for the AWS IAM account summary into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

This control will automatically re-run every 24 hours because AWS does not currently support real-time events for this resource type.

URI
tmod:@turbot/aws-iam#/control/types/accountSummaryCmdb

AWS > IAM > Account Summary > Discovery

Discover all AWS IAM account summary resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

URI
tmod:@turbot/aws-iam#/control/types/accountSummaryDiscovery

AWS > IAM > Credential Report > CMDB

Record and synchronize details for the AWS IAM credential report into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

This control will automatically re-run every 6 hours to generate a credential report.

URI
tmod:@turbot/aws-iam#/control/types/credentialReportCmdb

AWS > IAM > Credential Report > Discovery

Discover AWS IAM credential reports and record them in the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/credentialReportDiscovery

AWS > IAM > Group > Active

Take an action when an AWS IAM group is not active based on the
AWS > IAM > Group > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Group > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/control/types/groupActive

AWS > IAM > Group > Approved

Take an action when an AWS IAM group is not approved based on AWS > IAM > Group > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/control/types/groupApproved

AWS > IAM > Group > CMDB

Record and synchronize details for the AWS IAM group into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/control/types/groupCmdb

AWS > IAM > Group > Configured

Maintain AWS > IAM > Group configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/groupConfigured

AWS > IAM > Group > Discovery

Discover all AWS IAM group resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

URI
tmod:@turbot/aws-iam#/control/types/groupDiscovery

AWS > IAM > Group > Group Policy Attachments > Active

Determines whether the AWS IAM group policy attachment is currently active.

URI
tmod:@turbot/aws-iam#/control/types/groupPolicyAttachmentActive

AWS > IAM > Group > Group Policy Attachments > CMDB

Record and synchronize details for the AWS IAM group policy attachment into the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/groupPolicyAttachmentCmdb

AWS > IAM > Group > Group Policy Attachments > Configured

Maintain AWS > IAM > Group > Group Policy Attachments configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/groupPolicyAttachmentConfigured

AWS > IAM > Group > Group Policy Attachments > Discovery

Discover AWS IAM group policy attachments and record them in the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/groupPolicyAttachmentDiscovery

AWS > IAM > Group > Inline Policy > Approved

Take an action when an AWS IAM group inline policy is not approved based on AWS > IAM > Group > Inline Policy > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/control/types/groupInlinePolicyApproved

AWS > IAM > Group > Inline Policy > CMDB

Record and synchronize details for the AWS IAM group inline policy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/control/types/groupInlinePolicyCmdb

AWS > IAM > Group > Inline Policy > Discovery

Discover AWS IAM group inline policies and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the Guardrails CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

URI
tmod:@turbot/aws-iam#/control/types/groupInlinePolicyDiscovery

AWS > IAM > Group > Inline Policy > Statements

URI
tmod:@turbot/aws-iam#/control/types/groupInlinePolicyStatements

AWS > IAM > Group > Inline Policy > Statements > Approved

Configure IAM policy statements checking. This control defines whether IAM group inline policy statements
are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then evaluated.

URI
tmod:@turbot/aws-iam#/control/types/groupInlinePolicyStatementsApproved

AWS > IAM > Group > Policy Attachments

URI
tmod:@turbot/aws-iam#/control/types/groupPolicyAttached

AWS > IAM > Group > Policy Attachments > Approved

Configure Approved checking for the policies attached to the IAM group. This control
defines whether to verify that the policies attached to the IAM group are approved
(per Approved > Compiled Rules), as well as the subsequent action to
take on unapproved attachments.
If set to "Enforce: Delete unapproved", any unapproved attached policy
will be detached from the group.

URI
tmod:@turbot/aws-iam#/control/types/groupPolicyAttachmentsApproved

AWS > IAM > Group > Policy Attachments > Required

Determines whether the policies listed in Required > Items are attached to the IAM group, and takes the subsequent action to
attach any that are missing.
If set to "Enforce: Required > Items", the required policies will be attached to the IAM group.

URI
tmod:@turbot/aws-iam#/control/types/groupAttachedPoliciesRequired

AWS > IAM > Group > Usage

The Usage control determines whether the number of AWS IAM group resources exceeds the configured usage limit for this account.

You can configure the behavior of this control with the AWS > IAM > Group > Usage policy, and set the limit with the AWS > IAM > Group > Usage > Limit policy.

URI
tmod:@turbot/aws-iam#/control/types/groupUsage

AWS > IAM > Instance Profile > CMDB

Record and synchronize details for the AWS IAM instance profile into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

Note that if CMDB is set to Skip for a resource, then it will not be added to the CMDB, and no controls that target it will run.

URI
tmod:@turbot/aws-iam#/control/types/instanceProfileCmdb

AWS > IAM > Instance Profile > Configured

Maintain AWS > IAM > Instance Profile configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/instanceProfileConfigured

AWS > IAM > Instance Profile > Discovery

Discover AWS IAM instance profiles and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the Guardrails CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

URI
tmod:@turbot/aws-iam#/control/types/instanceProfileDiscovery

AWS > IAM > MFA Virtual > Active

Determines whether the AWS IAM virtual MFA device is currently active.

URI
tmod:@turbot/aws-iam#/control/types/mfaVirtualActive

AWS > IAM > MFA Virtual > CMDB

Record and synchronize details for the AWS IAM mfa virtual into the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/mfaVirtualCmdb

AWS > IAM > MFA Virtual > Discovery

Discover AWS IAM virtual multi-factor authentication (MFA) devices and record them in the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/mfaVirtualDiscovery

AWS > IAM > OpenID Connect > Active

Take an action when an AWS IAM openid connect is not active based on the
AWS > IAM > OpenID Connect > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > OpenID Connect > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/control/types/openIdConnectActive

AWS > IAM > OpenID Connect > Approved

Take an action when an AWS IAM openid connect is not approved based on AWS > IAM > OpenID Connect > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/control/types/openIdConnectApproved

AWS > IAM > OpenID Connect > CMDB

Record and synchronize details for the AWS IAM openid connect into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/control/types/openIdConnectCmdb

AWS > IAM > OpenID Connect > Configured

Maintain AWS > IAM > OpenID Connect configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/openIdConnectConfigured

AWS > IAM > OpenID Connect > Discovery

Discover all AWS IAM openid connect resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

URI
tmod:@turbot/aws-iam#/control/types/openIdConnectDiscovery

AWS > IAM > OpenID Connect > Tags

Take an action when the tags on an AWS IAM openid connect provider are not updated based on the AWS > IAM > OpenID Connect > Tags > * policies.

If the resource is not updated with the tags defined in AWS > IAM > OpenID Connect > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-iam#/control/types/openIdConnectTags

AWS > IAM > OpenID Connect > Usage

The Usage control determines whether the number of AWS IAM openid connect resources exceeds the configured usage limit for this account.

You can configure the behavior of this control with the AWS > IAM > OpenID Connect > Usage policy, and set the limit with the AWS > IAM > OpenID Connect > Usage > Limit policy.

URI
tmod:@turbot/aws-iam#/control/types/openIdConnectUsage

AWS > IAM > Policy > Active

Take an action when an AWS IAM policy is not active based on the
AWS > IAM > Policy > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Policy > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/control/types/iamPolicyActive

AWS > IAM > Policy > Approved

Take an action when an AWS IAM policy is not approved based on AWS > IAM > Policy > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/control/types/iamPolicyApproved

AWS > IAM > Policy > CMDB

Record and synchronize details for the AWS IAM policy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/control/types/iamPolicyCmdb

AWS > IAM > Policy > Configured

Maintain AWS > IAM > Policy configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/iamPolicyConfigured

AWS > IAM > Policy > Discovery

Discover all AWS IAM policy resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

URI
tmod:@turbot/aws-iam#/control/types/iamPolicyDiscovery

AWS > IAM > Policy > Statements

URI
tmod:@turbot/aws-iam#/control/types/statements

AWS > IAM > Policy > Statements > Approved

Configure IAM policy statements checking. This control defines whether IAM policy statements
are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then evaluated.

URI
tmod:@turbot/aws-iam#/control/types/statementsApproved

AWS > IAM > Role > Active

Take an action when an AWS IAM role is not active based on the
AWS > IAM > Role > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Role > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/control/types/roleActive

AWS > IAM > Role > Approved

Take an action when an AWS IAM role is not approved based on AWS > IAM > Role > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/control/types/roleApproved

AWS > IAM > Role > Boundary

Configure which permissions boundary policy to apply to the IAM role.
This must be the name of an existing AWS IAM policy that is usable as a permissions boundary.

Guardrails uses permissions boundary policies to enforce the Turbot Guardrails
for enabling/disabling API services and regions.

If set to Check or Enforce per AWS > Turbot > Permissions (the default),
this control follows the AWS > Turbot > Permissions policy: the boundary is
enforced if Turbot > Permissions is enforced, checked if Turbot > Permissions
is checked, and skipped if Turbot > Permissions is none or skip.

URI
tmod:@turbot/aws-iam#/control/types/roleBoundary

AWS > IAM > Role > CMDB

Record and synchronize details for the AWS IAM role into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/control/types/roleCmdb

AWS > IAM > Role > Configured

Maintain AWS > IAM > Role configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/roleConfigured

AWS > IAM > Role > Discovery

Discover all AWS IAM role resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

URI
tmod:@turbot/aws-iam#/control/types/roleDiscovery

AWS > IAM > Role > Inline Policy > Approved

Take an action when an AWS IAM role inline policy is not approved based on AWS > IAM > Role > Inline Policy > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/control/types/roleInlinePolicyApproved
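The Active and Approved sections throughout this page describe two opposite aggregation rules (any active sub-policy makes the resource Active; any unapproved sub-policy makes it Unapproved) plus the 60-minute window that bounds every "if new" enforcement action. The example below models those rules so the difference can be checked directly. It is an added example, not Guardrails code: the status names on the Approved side, the decision that an all-skipped Active result stays skipped, and the SAMPLE_NOW fixture are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone

# Status values a sub-policy can compute. "active / inactive / skipped" are the
# page's words for Active sub-policies; the Approved-side names are this
# example's own.
ACTIVE, INACTIVE, SKIPPED = "active", "inactive", "skipped"
APPROVED, NOT_APPROVED = "approved", "not_approved"


def aggregate_active(sub_statuses):
    """Active control: the resource counts as active if ANY sub-policy says so.

    Only when no sub-policy found a sign of use is the resource inactive.
    Assumption (not spelled out on the page): if every sub-policy skipped, the
    aggregate is skipped rather than inactive, so nothing is cleaned up on
    the strength of zero evidence.
    """
    statuses = set(sub_statuses)
    if ACTIVE in statuses:
        return ACTIVE
    if INACTIVE in statuses:
        return INACTIVE
    return SKIPPED


def aggregate_approved(sub_statuses):
    """Approved control: the resource is unapproved if ANY sub-policy rejects it."""
    statuses = set(sub_statuses)
    if NOT_APPROVED in statuses:
        return NOT_APPROVED
    if APPROVED in statuses:
        return APPROVED
    return SKIPPED


# "if new" enforcement only applies to resources created in the last 60 minutes.
IF_NEW_WINDOW = timedelta(minutes=60)


def should_enforce(setting, status, created_at, now):
    """Decide whether an Approved control's enforcement action fires.

    setting is the policy value, e.g. "Skip", "Check",
    "Enforce: Delete unapproved" or "Enforce: Delete unapproved if new".
    """
    if status != NOT_APPROVED or not setting.startswith("Enforce"):
        return False  # Skip/Check never act; approved resources are left alone
    if setting.endswith("if new"):
        return now - created_at <= IF_NEW_WINDOW
    return True


# Constructed fixture so the decision can be exercised without a live clock.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def created_minutes_ago(minutes, now=SAMPLE_NOW):
    return now - timedelta(minutes=minutes)


if __name__ == "__main__":
    # One sub-policy sees recent use: the resource stays, however many others say inactive.
    print(aggregate_active([SKIPPED, INACTIVE, ACTIVE]))
    # One sub-policy rejects: the resource is unapproved even though another approved it.
    print(aggregate_approved([APPROVED, SKIPPED, NOT_APPROVED]))
    # "if new" acts on a 30-minute-old unapproved resource but leaves a day-old one for a human.
    print(should_enforce("Enforce: Delete unapproved if new", NOT_APPROVED,
                         created_minutes_ago(30), SAMPLE_NOW))
    print(should_enforce("Enforce: Delete unapproved if new", NOT_APPROVED,
                         created_minutes_ago(1440), SAMPLE_NOW))
```

The asymmetry is deliberate: Active errs toward keeping a resource (one sign of use is enough), while Approved errs toward flagging it (one violation is enough), and the "if new" window keeps automated deletion away from long-lived resources that predate the policy.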

AWS > IAM > Role > Inline Policy > CMDB

Record and synchronize details for the AWS IAM role inline policy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/control/types/roleInlinePolicyCmdb

AWS > IAM > Role > Inline Policy > Configured

Maintain AWS > IAM > Role > Inline Policy configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/roleInlinePolicyConfigured

AWS > IAM > Role > Inline Policy > Discovery

Discover AWS IAM role inline policies and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the Guardrails CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

URI
tmod:@turbot/aws-iam#/control/types/roleInlinePolicyDiscovery

AWS > IAM > Role > Inline Policy > Statements

URI
tmod:@turbot/aws-iam#/control/types/roleInlinePolicyStatements

AWS > IAM > Role > Inline Policy > Statements > Approved

Configure IAM Role inline policy statements checking. This control defines whether IAM policy statements
are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then evaluated.

URI
tmod:@turbot/aws-iam#/control/types/roleInlinePolicyStatementsApproved

AWS > IAM > Role > Policy

URI
tmod:@turbot/aws-iam#/control/types/rolePolicy

AWS > IAM > Role > Policy > Trusted Access

Take an action when an AWS IAM role policy is not trusted based on the
AWS > IAM > Role > Policy > Trusted Access > * policies.

The Trusted Access control evaluates the role policy against the list of allowed
members in each of the Trusted Access sub-policies (Trusted Access > Accounts,
Trusted Access > Services etc.). If the policy grants access to a member that is not
in those lists, this control raises an alarm and takes the defined enforcement action.

The account that owns the role is always trusted, even if its account ID is
not included in the Trusted Access > Accounts policy.

If set to Enforce: Revoke untrusted access, access granted to non-trusted
members will be removed from the policy.

URI
tmod:@turbot/aws-iam#/control/types/rolePolicyTrustedAccess

AWS > IAM > Role > Policy Attachments

URI
tmod:@turbot/aws-iam#/control/types/roleAttachedPolicies

AWS > IAM > Role > Policy Attachments > Approved

Configure Approved checking for AWS IAM role policy attachments. This control
defines whether to verify that the policies attached to the IAM role are approved
(per Approved > Compiled Rules), as well as the subsequent action to
take on unapproved items.
If set to "Enforce: Delete unapproved", any unapproved attached policy
will be detached from the role.

URI
tmod:@turbot/aws-iam#/control/types/rolePolicyAttachmentsApproved

AWS > IAM > Role > Policy Attachments > Required

Determines whether the policies listed in the Required > Items policy are attached to the IAM role, as well as the subsequent action to take to add any that are missing. If set to "Enforce: Required > Items", the required policies will be attached to the IAM role.

URI
tmod:@turbot/aws-iam#/control/types/roleAttachedPoliciesRequired

AWS > IAM > Role > Role Policy Attachments > Active

Determines whether the AWS IAM role policy attachment is currently active.

URI
tmod:@turbot/aws-iam#/control/types/rolePolicyAttachmentActive

AWS > IAM > Role > Role Policy Attachments > CMDB

Record and synchronize details for the AWS IAM Role-policy attachment into the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/rolePolicyAttachmentCmdb

AWS > IAM > Role > Role Policy Attachments > Configured

Maintain AWS > IAM > Role > Role Policy Attachments configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/rolePolicyAttachmentConfigured

AWS > IAM > Role > Role Policy Attachments > Discovery

Discover AWS IAM role policy attachments and record them in the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/rolePolicyAttachmentDiscovery

AWS > IAM > Role > Tags

Take an action when an AWS IAM role's tags are not updated based on the AWS > IAM > Role > Tags > * policies.

If the resource is not updated with the tags defined in AWS > IAM > Role > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-iam#/control/types/roleTags

AWS > IAM > Role > Trust Relationship Statements

URI
tmod:@turbot/aws-iam#/control/types/trustRelationshipStatements

AWS > IAM > Role > Trust Relationship Statements > Approved

Configure checking of role trust relationship policy statements. This control defines whether role trust policy statements
are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then evaluated.

If set to Enforce: Delete unapproved, any unapproved principal will be
removed from the role trust policy.

URI
tmod:@turbot/aws-iam#/control/types/trustRelationshipStatementsApproved
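
As an added example (not Guardrails code) of the check that the Role > Policy > Trusted Access and Role > Trust Relationship Statements > Approved controls describe, the Python below walks a role trust policy, compares each principal against allow-lists of trusted account IDs and service principals, treats the owning account as implicitly trusted, and builds the revoked copy of the policy that an "Enforce: Revoke untrusted access" or "Enforce: Delete unapproved" action would leave behind. The trust policy, account IDs and allow-lists are constructed sample data, the function names are this example's own, and its decision rules (Condition blocks ignored, wildcard and Federated principals never trusted) are assumptions for illustration, not the semantics of the Trusted Access sub-policies.

```python
"""Check an IAM role trust policy against trusted-account / trusted-service
allow-lists and build a copy with untrusted principals revoked.

Added example, not Guardrails code. The policy and all account IDs are constructed.
"""
import copy
import json
import re

# A bare 12-digit account ID, or an IAM ARN whose account field can be read.
ACCOUNT_RE = re.compile(r"^\d{12}$")
ARN_RE = re.compile(r"^arn:aws[a-zA-Z-]*:iam::(\d{12}):")


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_entries(principal):
    """Yield (kind, value) pairs from a Principal element, which is either the
    string "*" or a dict such as {"AWS": [...], "Service": "...", "Federated": "..."}."""
    if principal == "*":
        yield ("AWS", "*")
        return
    for kind, values in principal.items():
        for value in _as_list(values):
            yield (kind, value)


def account_of(aws_principal):
    """Return the account ID of an AWS principal, or None for '*' / unparseable values."""
    if ACCOUNT_RE.match(aws_principal):
        return aws_principal
    match = ARN_RE.match(aws_principal)
    return match.group(1) if match else None


def is_trusted(kind, value, owner_account, trusted_accounts, trusted_services):
    """Example decision rules: the role's own account is always trusted (as the page
    states); a wildcard or unparseable AWS principal is never trusted, even when the
    statement carries a Condition; Federated and other kinds have no allow-list here."""
    if kind == "AWS":
        account = account_of(value)
        return account is not None and (account == owner_account or account in trusted_accounts)
    if kind == "Service":
        return value in trusted_services
    return False


def evaluate_trust_policy(policy, owner_account, trusted_accounts, trusted_services):
    """Return (untrusted, revoked_policy).

    untrusted      - [(statement_index, kind, value)] for principals outside the allow-lists
    revoked_policy - deep copy of the policy with those principals removed; an Allow
                     statement whose Principal becomes empty is dropped. Deny statements
                     and statements without a Principal are kept unchanged.
    """
    trusted_accounts, trusted_services = set(trusted_accounts), set(trusted_services)
    untrusted, kept_statements = [], []
    revoked = copy.deepcopy(policy)
    for index, stmt in enumerate(_as_list(revoked.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            kept_statements.append(stmt)
            continue
        kept = {}
        for kind, value in principal_entries(stmt["Principal"]):
            if is_trusted(kind, value, owner_account, trusted_accounts, trusted_services):
                kept.setdefault(kind, []).append(value)
            else:
                untrusted.append((index, kind, value))
        if kept:
            # Collapse single-element lists back to strings, as IAM policies usually write them.
            stmt["Principal"] = {k: (v[0] if len(v) == 1 else v) for k, v in kept.items()}
            kept_statements.append(stmt)
    revoked["Statement"] = kept_statements
    return untrusted, revoked


# Constructed sample: a role in account 111111111111 trusting EC2, its own account,
# a deployer role in a partner account, an unknown third account, and everyone.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                               "arn:aws:iam::222222222222:role/Deployer",
                               "333333333333"]},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
    ],
}
OWNER_ACCOUNT = "111111111111"
TRUSTED_ACCOUNTS = ["222222222222"]        # stands in for Trusted Access > Accounts
TRUSTED_SERVICES = ["ec2.amazonaws.com"]   # stands in for Trusted Access > Services


def demo():
    return evaluate_trust_policy(SAMPLE_TRUST_POLICY, OWNER_ACCOUNT, TRUSTED_ACCOUNTS, TRUSTED_SERVICES)


if __name__ == "__main__":
    untrusted, revoked = demo()
    for index, kind, value in untrusted:
        print(f"statement {index}: untrusted {kind} principal {value}")
    print(json.dumps(revoked, indent=2))
```

On the sample, the bare third account and the wildcard principal are reported as untrusted; the wildcard statement is dropped entirely from the revoked copy because nothing trusted remains in it, while the partner deployer role and the owning account survive. Treating a conditioned "*" as untrusted is deliberately conservative: an allow-list check has no way to know whether the Condition is strong enough.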

AWS > IAM > Role > Usage

The Usage control determines whether the number of AWS IAM role resources exceeds the configured usage limit for this account.

You can configure the behavior of this control with the AWS > IAM > Role > Usage policy, and set the limit with the AWS > IAM > Role > Usage > Limit policy.

URI
tmod:@turbot/aws-iam#/control/types/roleUsage

AWS > IAM > Root > Approved

Take an action when an AWS IAM root is not approved based on AWS > IAM > Root > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/control/types/rootApproved

AWS > IAM > Root > CMDB

Record and synchronize details for the AWS IAM Root User into the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/rootCmdb

AWS > IAM > Root > Configured

Maintain AWS > IAM > Root configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/rootConfigured

AWS > IAM > Root > Discovery

Discover the AWS IAM root user and record it in the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/rootDiscovery

AWS > IAM > Server Certificate > Active

Take an action when an AWS IAM server certificate is not active based on the
AWS > IAM > Server Certificate > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Server Certificate > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/control/types/serverCertificateActive

AWS > IAM > Server Certificate > Approved

Take an action when an AWS IAM server certificate is not approved based on AWS > IAM > Server Certificate > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/control/types/serverCertificateApproved

AWS > IAM > Server Certificate > CMDB

Record and synchronize details for the AWS IAM server certificate into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

This control will automatically re-run every 24 hours because AWS does not currently support real-time events for this resource type.

URI
tmod:@turbot/aws-iam#/control/types/serverCertificateCmdb

AWS > IAM > Server Certificate > Discovery

Discover all AWS IAM server certificate resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

URI
tmod:@turbot/aws-iam#/control/types/serverCertificateDiscovery

AWS > IAM > Server Certificate > Tags

Take an action when an AWS IAM server certificate's tags are not updated based on the AWS > IAM > Server Certificate > Tags > * policies.

If the resource is not updated with the tags defined in AWS > IAM > Server Certificate > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-iam#/control/types/serverCertificateTags

AWS > IAM > Server Certificate > Usage

The Usage control determines whether the number of AWS IAM server certificate resources exceeds the configured usage limit for this account.

You can configure the behavior of this control with the AWS > IAM > Server Certificate > Usage policy, and set the limit with the AWS > IAM > Server Certificate > Usage > Limit policy.

URI
tmod:@turbot/aws-iam#/control/types/serverCertificateUsage

AWS > IAM > Stack

Configure a custom stack on AWS, per the custom Stack > Source.

A Guardrails Stack is a set of resources configured by Turbot, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured control.

URI
tmod:@turbot/aws-iam#/control/types/iamStack

AWS > IAM > User > Active

Take an action when an AWS IAM user is not active based on the
AWS > IAM > User > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > User > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/control/types/userActive

AWS > IAM > User > Approved

Take an action when an AWS IAM user is not approved based on AWS > IAM > User > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/control/types/userApproved

AWS > IAM > User > Boundary

Configure which boundary policy to apply to the IAM user.
This must be the name of an existing AWS IAM permissions boundary policy.

AWS permissions boundary policies are used to enforce Turbot Guardrails for
enabling/disabling API services and regions.

If set to Check or Enforce per AWS > Turbot > Permissions (the default),
the boundary will be enforced if Turbot > Permissions are enforced, checked
if Turbot > Permissions are checked, and skipped if Guardrails Permissions
are none or skip.

URI
tmod:@turbot/aws-iam#/control/types/userBoundary

AWS > IAM > User > CMDB

Record and synchronize details for the AWS IAM user into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/control/types/userCmdb

AWS > IAM > User > Configured

Maintain AWS > IAM > User configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/userConfigured

AWS > IAM > User > Discovery

Discover all AWS IAM user resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

URI
tmod:@turbot/aws-iam#/control/types/userDiscovery

AWS > IAM > User > Group Memberships > CMDB

Record and synchronize details for the AWS IAM user group membership into the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/userGroupMembershipsCmdb

AWS > IAM > User > Group Memberships > Configured

Maintain AWS > IAM > User > Group Memberships configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/userGroupMembershipsConfigured

AWS > IAM > User > Group Memberships > Discovery

Discover AWS IAM user group memberships and record them in the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/userGroupMembershipsDiscovery

AWS > IAM > User > Inline Policy > Approved

Take an action when an AWS IAM user inline policy is not approved based on AWS > IAM > User > Inline Policy > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/control/types/userInlinePolicyApproved

AWS > IAM > User > Inline Policy > CMDB

Record and synchronize details for the AWS IAM user inline policy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/control/types/userInlinePolicyCmdb

AWS > IAM > User > Inline Policy > Discovery

Discover AWS IAM user inline policies and add them to Turbot.

The Discovery control is tasked with identifying instances of a particular resource type. It periodically searches for new target resources and saves them to the Guardrails CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

URI
tmod:@turbot/aws-iam#/control/types/userInlinePolicyDiscovery

AWS > IAM > User > Inline Policy > Statements

URI
tmod:@turbot/aws-iam#/control/types/userInlinePolicyStatements

AWS > IAM > User > Inline Policy > Statements > Approved

Configure checking of IAM user inline policy statements. This control defines whether IAM policy statements
are approved, as well as the subsequent action to take on unapproved statements. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then evaluated.

URI
tmod:@turbot/aws-iam#/control/types/userInlinePolicyStatementsApproved
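
The statement-level evaluation that the Role > Inline Policy > Statements > Approved and User > Inline Policy > Statements > Approved controls describe can be illustrated with the Python below, added here as an example and not taken from Guardrails. It compiles a small ordered rule list and evaluates every statement of an inline policy against it, returning a verdict per statement and the subset an "Enforce: Delete unapproved" action would remove. The rule syntax, the first-match-wins ordering and the chosen list of privilege-escalation actions are this example's own assumptions, not the format of Approved > Compiled Rules; the policy document is constructed sample data.

```python
"""Evaluate IAM inline policy statements against an ordered list of approval rules.

Added example, not Guardrails code. The rule format is this example's own and the
sample policy is constructed.
"""
import fnmatch


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_covers(stmt, action):
    """True if the statement applies to the given concrete action.

    IAM action names are case-insensitive and may use '*' / '?' wildcards, so a
    statement Action of "iam:*" covers iam:CreatePolicyVersion. An Allow with
    NotAction grants everything *except* the listed actions.
    """
    action = action.lower()
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, pat.lower()) for pat in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatchcase(action, pat.lower()) for pat in _as_list(stmt["NotAction"]))
    return False


# Ordered rules, evaluated top to bottom; the first rule whose conditions all hold decides,
# so the list should end with a catch-all. Example rule set, not Approved > Compiled Rules.
RULES = [
    {"verdict": "REJECT", "why": "grants every action on every resource",
     "effect": "Allow", "action_equals": "*", "resource_equals": "*"},
    {"verdict": "REJECT", "why": "Allow with NotAction grants everything not listed",
     "effect": "Allow", "has_not_action": True},
    {"verdict": "REJECT", "why": "covers an IAM privilege-escalation action",
     "effect": "Allow",
     "covers_any": ["iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
                    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]},
    {"verdict": "APPROVE", "why": "no rejecting rule matched"},
]


def rule_matches(rule, stmt):
    """Every condition present in the rule must hold for the statement."""
    if "effect" in rule and stmt.get("Effect") != rule["effect"]:
        return False
    if "action_equals" in rule and rule["action_equals"].lower() not in [
            a.lower() for a in _as_list(stmt.get("Action"))]:
        return False
    if "resource_equals" in rule and rule["resource_equals"] not in _as_list(stmt.get("Resource")):
        return False
    if rule.get("has_not_action") and "NotAction" not in stmt:
        return False
    if "covers_any" in rule and not any(statement_covers(stmt, a) for a in rule["covers_any"]):
        return False
    return True


def evaluate_statements(policy, rules=RULES):
    """Return [(index, sid, verdict, why)], one entry per statement that some rule decided."""
    results = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        for rule in rules:
            if rule_matches(rule, stmt):
                results.append((index, stmt.get("Sid"), rule["verdict"], rule["why"]))
                break
    return results


def unapproved_statements(policy, rules=RULES):
    """Just the statements an 'Enforce: Delete unapproved' action would remove."""
    return [r for r in evaluate_statements(policy, rules) if r[2] == "REJECT"]


# Constructed sample inline policy mixing legitimate and dangerous statements.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "SneakyNotAction", "Effect": "Allow", "NotAction": "s3:DeleteBucket", "Resource": "*"},
        {"Sid": "IamWildcard", "Effect": "Allow", "Action": "IAM:*", "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for index, sid, verdict, why in evaluate_statements(SAMPLE_POLICY):
        print(f"[{index}] {sid}: {verdict} ({why})")
```

Two details matter for this kind of check in practice and are exercised by the sample: action matching has to be case-insensitive and wildcard-aware, or "IAM:*" slips past a rule written for iam:CreatePolicyVersion; and an Allow statement written with NotAction must be treated as a grant of everything not listed, which is why the rule set rejects it outright rather than trying to enumerate what it permits.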

AWS > IAM > User > Login Profile

Configure whether to remove the login profile (console password) for an IAM user.

URI
tmod:@turbot/aws-iam#/control/types/userLoginProfile

AWS > IAM > User > Policy Attachments

URI
tmod:@turbot/aws-iam#/control/types/userAttachedPolicies

AWS > IAM > User > Policy Attachments > Approved

Configure Approved checking for AWS IAM user policy attachments. This control
defines whether to verify that the policies attached to the IAM user are approved
(per Approved > Compiled Rules), as well as the subsequent action to
take on unapproved items.
If set to "Enforce: Delete unapproved", any unapproved attached policy
will be detached from the user.

URI
tmod:@turbot/aws-iam#/control/types/userPolicyAttachmentsApproved

AWS > IAM > User > Policy Attachments > Required

Determines whether the AWS IAM user can exist based on the settings for the AWS > IAM > Required Policies in Turbot.

URI
tmod:@turbot/aws-iam#/control/types/userAttachedPoliciesRequired

AWS > IAM > User > Tags

Take an action when an AWS IAM user's tags are not updated based on the AWS > IAM > User > Tags > * policies.

If the resource is not updated with the tags defined in AWS > IAM > User > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-iam#/control/types/userTags

AWS > IAM > User > Turbot Access Key

Guardrails access key root.

URI
tmod:@turbot/aws-iam#/control/types/userTurbotAccessKey

AWS > IAM > User > Turbot Access Key > Rotation

Create or rotate the Guardrails managed access key for the user.

URI
tmod:@turbot/aws-iam#/control/types/userTurbotAccessKeyRotation

AWS > IAM > User > Usage

The Usage control determines whether the number of AWS IAM user resources exceeds the configured usage limit for this account.

You can configure the behavior of this control with the AWS > IAM > User > Usage policy, and set the limit with the AWS > IAM > User > Usage > Limit policy.

URI
tmod:@turbot/aws-iam#/control/types/userUsage

AWS > IAM > User > User Policy Attachments > Active

Determines whether the AWS IAM user policy attachment is currently active.

URI
tmod:@turbot/aws-iam#/control/types/userPolicyAttachmentActive

AWS > IAM > User > User Policy Attachments > CMDB

Record and synchronize details for the AWS IAM user policy attachment into the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/userPolicyAttachmentCmdb

AWS > IAM > User > User Policy Attachments > Configured

Maintain AWS > IAM > User > User Policy Attachments configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/aws-iam#/control/types/userPolicyAttachmentConfigured

AWS > IAM > User > User Policy Attachments > Discovery

Discover AWS IAM user policy attachments and record them in the CMDB.

URI
tmod:@turbot/aws-iam#/control/types/userPolicyAttachmentDiscovery

AWS > Turbot > IAM

Maintain configuration of IAM resources.

URI
tmod:@turbot/aws-iam#/control/types/iamTurbot

AWS > Turbot > IAM > Group

URI
tmod:@turbot/aws-iam#/control/types/iamTurbotGroup

AWS > Turbot > IAM > Group > Managed

This control oversees the creation, updating and deletion of Turbot-managed IAM groups, and manages the association and disassociation of users with the group. It also handles policy attachments to the group, ensuring that only authorized policies are associated with it, thereby maintaining strict access control and compliance.

URI
tmod:@turbot/aws-iam#/control/types/iamTurbotGroupManaged

AWS > Turbot > IAM > Managed

This control automates the creation of new IAM resources based on predefined IAM policies. Its primary function is the initial setup of resources; it does not take charge of subsequent updates or deletions.

URI
tmod:@turbot/aws-iam#/control/types/iamTurbotManaged

AWS > Turbot > IAM > Policy

URI
tmod:@turbot/aws-iam#/control/types/iamTurbotPolicy

AWS > Turbot > IAM > Policy > Managed

This control maintains the lifecycle of Turbot-managed IAM policies, keeping them up to date and removing them when they are no longer required. This continuous monitoring and management helps maintain the security posture and compliance of IAM policies across the organization.

URI
tmod:@turbot/aws-iam#/control/types/iamTurbotPolicyManaged

AWS > Turbot > IAM > Role

URI
tmod:@turbot/aws-iam#/control/types/iamTurbotRole

AWS > Turbot > IAM > Role > Managed

This control ensures that Turbot-managed roles are accurately maintained, including updates and deletions as necessary. It is key to managing role-based access control, including the attachment of policies to roles and the enforcement of lockdown, deny and boundary policy attachments.

URI
tmod:@turbot/aws-iam#/control/types/iamTurbotRoleManaged

AWS > Turbot > IAM > User

URI
tmod:@turbot/aws-iam#/control/types/iamTurbotUser

AWS > Turbot > IAM > User > Managed

This control focuses on Turbot-managed user accounts, updating and deleting them based on their assignment status. It also applies the necessary lockdown, boundary and deny policies to user accounts, further tightening security. Additionally, it controls group memberships by removing users from groups they were added to outside of Turbot, depending on the AWS > Turbot > Permissions > User > Group Membership Mode policy. This ensures that user access levels are consistently managed and aligned with the organization's access control policies.

URI
tmod:@turbot/aws-iam#/control/types/iamTurbotUserManaged