Policy types for @turbot/aws-iam

AWS > Account > Permissions

URI
tmod:@turbot/aws-iam#/policy/types/accountPermissions

AWS > Account > Permissions > Lockdown

URI
tmod:@turbot/aws-iam#/policy/types/accountPermissionsLockdown

AWS > Account > Permissions > Lockdown > Budget

Configure lockdown policies to restrict APIs based on the budget state (when the current spend exceeds a defined threshold).

URI
tmod:@turbot/aws-iam#/policy/types/accountPermissionsLockdownBudget
Valid Value
[
"Skip",
"Restrict APIs per `Lockdown > Budget > Restricted APIs`"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Restrict APIs per `Lockdown > Budget > Restricted APIs`"
],
"default": "Skip"
}

AWS > Account > Permissions > Lockdown > Budget > Restricted APIs

A YAML object that contains a list of APIs that should be restricted when the budget reaches a specific state.

For example, to restrict users from running and starting new EC2 instances, starting RDS databases, or creating Redshift clusters when the budget state is Critical or higher, enter:

Critical:
  - ec2:RunInstances
  - ec2:StartInstances
  - rds:StartDB*
  - redshift:CreateCluster

URI
tmod:@turbot/aws-iam#/policy/types/accountPermissionsLockdownBudgetRestrictedApis

AWS > IAM > API Enabled

Configure whether the AWS IAM API is enabled.

Note: Disabling the service disables the API for ALL users and roles, and Guardrails will have no access to the API.

URI
tmod:@turbot/aws-iam#/policy/types/iamApiEnabled
Valid Value
[
"Enabled",
"Disabled",
"Enabled if AWS > IAM > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled",
"Enabled if AWS > IAM > Enabled"
],
"default": "Enabled"
}

AWS > IAM > Access Analyzer > Active

Determine the action to take when an AWS IAM access analyzer is not active, based on the AWS > IAM > Access Analyzer > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Analyzer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > IAM > Access Analyzer > Active > Age

The age after which the AWS IAM access analyzer is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Analyzer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > IAM > Access Analyzer > Active > Last Modified

The number of days since the AWS IAM access analyzer was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Analyzer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > IAM > Access Analyzer > Approved

Determine the action to take when an AWS IAM access analyzer is not approved based on AWS > IAM > Access Analyzer > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > IAM > Access Analyzer > Approved > Custom

Determine whether the AWS IAM access analyzer is allowed to exist. This policy will be evaluated by the Approved control. If an AWS IAM access analyzer is not approved, it will be subject to the action specified in the AWS > IAM > Access Analyzer > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > IAM > Access Analyzer > Approved > Regions

A list of AWS regions in which AWS IAM access analyzers are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS IAM access analyzer is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > IAM > Access Analyzer > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-iam#/policy/types/accessAnalyzerRegions\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"

AWS > IAM > Access Analyzer > Approved > Usage

Determine whether the AWS IAM access analyzer is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS IAM access analyzer is not approved, it will be subject to the action specified in the AWS > IAM > Access Analyzer > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > IAM > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > IAM > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > IAM > Enabled"
}

AWS > IAM > Access Analyzer > CMDB

Configure whether to record and synchronize details for the AWS IAM access analyzer into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > IAM > Access Analyzer > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > IAM > Access Analyzer > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > IAM > Access Analyzer > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > IAM > Access Analyzer > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > IAM > Access Analyzer > Regions

A list of AWS regions in which AWS IAM access analyzers are supported for use.

Any access analyzers in a region not listed here will not be recorded in the CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerRegions
Schema
{
"allOf": [
{
"$ref": "aws#/definitions/regionNameMatcherList"
},
{
"default": [
"af-south-1",
"ap-east-1",
"ap-northeast-1",
"ap-northeast-2",
"ap-northeast-3",
"ap-south-1",
"ap-southeast-1",
"ap-southeast-2",
"ca-central-1",
"eu-central-1",
"eu-north-1",
"eu-south-1",
"eu-west-1",
"eu-west-2",
"eu-west-3",
"me-south-1",
"sa-east-1",
"us-east-1",
"us-east-2",
"us-gov-east-1",
"us-gov-west-1",
"us-west-1",
"us-west-2"
]
}
]
}

AWS > IAM > Access Analyzer > Tags

Determine the action to take when AWS IAM access analyzer tags are not updated based on the AWS > IAM > Access Analyzer > Tags > * policies.

The control ensures AWS IAM access analyzer tags include the tags defined in AWS > IAM > Access Analyzer > Tags > Template.

Tags not defined in Access Analyzer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > IAM > Access Analyzer > Tags > Template

The template is used to generate the keys and values for AWS IAM access analyzer tags.

Tags not defined in Access Analyzer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-iam#/policy/types/iamTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > IAM > Access Key > Active

Determine the action to take when an AWS IAM access key is not active, based on the AWS > IAM > Access Key > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning",
"Enforce: Deactivate inactive with 1 day warning",
"Enforce: Deactivate inactive with 3 days warning",
"Enforce: Deactivate inactive with 7 days warning",
"Enforce: Deactivate inactive with 14 days warning",
"Enforce: Deactivate inactive with 30 days warning",
"Enforce: Deactivate inactive with 60 days warning",
"Enforce: Deactivate inactive with 90 days warning",
"Enforce: Deactivate inactive with 180 days warning",
"Enforce: Deactivate inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning",
"Enforce: Deactivate inactive with 1 day warning",
"Enforce: Deactivate inactive with 3 days warning",
"Enforce: Deactivate inactive with 7 days warning",
"Enforce: Deactivate inactive with 14 days warning",
"Enforce: Deactivate inactive with 30 days warning",
"Enforce: Deactivate inactive with 60 days warning",
"Enforce: Deactivate inactive with 90 days warning",
"Enforce: Deactivate inactive with 180 days warning",
"Enforce: Deactivate inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > IAM > Access Key > Active > Age

The age after which the AWS IAM access key is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > IAM > Access Key > Active > Last Modified

The number of days since the AWS IAM access key was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > IAM > Access Key > Active > Recently Used

The number of days since the AWS IAM access key was last used before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyActiveRecentlyUsed
Valid Value
[
"Skip",
"Active if recently used <= 1 day",
"Active if recently used <= 3 days",
"Active if recently used <= 7 days",
"Active if recently used <= 14 days",
"Active if recently used <= 30 days",
"Active if recently used <= 60 days",
"Active if recently used <= 90 days",
"Active if recently used <= 180 days",
"Active if recently used <= 365 days",
"Force active if recently used <= 1 day",
"Force active if recently used <= 3 days",
"Force active if recently used <= 7 days",
"Force active if recently used <= 14 days",
"Force active if recently used <= 30 days",
"Force active if recently used <= 60 days",
"Force active if recently used <= 90 days",
"Force active if recently used <= 180 days",
"Force active if recently used <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if recently used <= 1 day",
"Active if recently used <= 3 days",
"Active if recently used <= 7 days",
"Active if recently used <= 14 days",
"Active if recently used <= 30 days",
"Active if recently used <= 60 days",
"Active if recently used <= 90 days",
"Active if recently used <= 180 days",
"Active if recently used <= 365 days",
"Force active if recently used <= 1 day",
"Force active if recently used <= 3 days",
"Force active if recently used <= 7 days",
"Force active if recently used <= 14 days",
"Force active if recently used <= 30 days",
"Force active if recently used <= 60 days",
"Force active if recently used <= 90 days",
"Force active if recently used <= 180 days",
"Force active if recently used <= 365 days"
],
"example": [
"Active if recently used <= 90 days"
],
"default": "Skip"
}

AWS > IAM > Access Key > Active > Status

The policy allows you to check which status determines if the AWS IAM access key is active.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

The policy values for AWS IAM access key are deprecated and replaced by new values. The deprecated values will be removed in the next major version.

| Deprecated Values                   | Current Values                         |
|-------------------------------------|----------------------------------------|
| Active if status is active          | Active if $.Status is active           |
| Force active if status is active    | Force active if $.Status is active     |

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyActiveStatus
Valid Value
[
"Skip",
"Active if status is active",
"Force active if status is active",
"Active if $.Status is active",
"Force active if $.Status is active"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if status is active",
"Force active if status is active",
"Active if $.Status is active",
"Force active if $.Status is active"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > IAM > Access Key > CMDB

Configure whether to record and synchronize details for the AWS IAM access key into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > IAM > Access Key > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > IAM > Access Key > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > IAM > Access Key > Configured > Source

An HCL- or JSON-format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > IAM > Access Key > Usage

Configure the number of AWS IAM access keys that can be used for this user and the current consumption against the limit.

You can configure the behavior of the control with this AWS > IAM > Access Key > Usage policy.

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > IAM > Access Key > Usage > Limit

Maximum number of items that can be created for this user.

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 2
}

AWS > IAM > Account Password Policy > CMDB

Configure whether to record and synchronize details for the AWS IAM account password policy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicyCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > IAM > Account Password Policy > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicyConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > IAM > Account Password Policy > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicyConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > IAM > Account Password Policy > Configured > Source

An HCL- or JSON-format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicyConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > IAM > Account Password Policy > Settings

Check if the IAM account password policy is in sync with the account password settings policies.

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettings
Category
Valid Value
[
"Skip",
"Check: Configured",
"Enforce: Configured"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Configured",
"Enforce: Configured"
],
"example": [
"Check: Configured"
],
"default": "Skip"
}

AWS > IAM > Account Password Policy > Settings > Allow Users to Change

You can permit all IAM users in your account to use the IAM console to change their own passwords, as described in Permitting IAM users to change their own passwords.

Refer to Setting an account password policy for IAM users for more information on account password policies.

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsAllowUsersToChange
Category
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"example": "Enabled",
"default": "Enabled"
}

AWS > IAM > Account Password Policy > Settings > Hard Expiry

You can prevent IAM users from choosing a new password after their current password has expired. For example, a password policy can specify a password expiration period. If an IAM user fails to choose a new password before the expiration period ends, the IAM user cannot set a new password. In that case, the IAM user must request a password reset from an account administrator in order to regain access to the AWS Management Console. You can also leave this check box cleared. If an IAM user allows his or her password to expire, the user in this scenario is required to set a new password before accessing the AWS Management Console.

Refer to Setting an account password policy for IAM users for more information on account password policies.

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsHardExpiry
Category
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"example": "Enabled",
"default": "Enabled"
}

AWS > IAM > Account Password Policy > Settings > Max Age

You can set IAM user passwords to be valid for only the specified number of days. You specify the number of days that passwords remain valid after they are set. For example, when you enable password expiration and set the password expiration period to 90 days, an IAM user can use a password for up to 90 days. After 90 days, the password expires and the IAM user must set a new password before accessing the AWS Management Console. You can choose a password expiration period between 1 and 1095 days, inclusive.

Refer to Setting an account password policy for IAM users for more information on account password policies.

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsMaxAge
Category
Schema
{
"type": "integer",
"minimum": 1,
"maximum": 1095,
"example": 90,
"default": 90
}

AWS > IAM > Account Password Policy > Settings > Minimum Length

You can specify the minimum number of characters allowed in an IAM user password. You can type any number from 6 to 128.

Refer to Setting an account password policy for IAM users for more information on account password policies.

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsMinimumLength
Category
Schema
{
"type": "integer",
"minimum": 6,
"maximum": 128,
"example": 14,
"default": 14
}

AWS > IAM > Account Password Policy > Settings > Require Lowercase Characters

You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z).

Refer to Setting an account password policy for IAM users for more information on account password policies.

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireLowercaseCharacters
Category
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"example": "Enabled",
"default": "Enabled"
}

AWS > IAM > Account Password Policy > Settings > Require Numbers

You can require that IAM user passwords contain at least one numeric character (0 to 9).

Refer to Setting an account password policy for IAM users for more information on account password policies.

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireNumbers
Category
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"example": "Enabled",
"default": "Enabled"
}

AWS > IAM > Account Password Policy > Settings > Require Symbols

You can require that IAM user passwords contain at least one of the following nonalphanumeric characters:
! @ # $ % ^ & * ( ) _ + - = [ ] { } | '

Refer to Setting an account password policy for IAM users for more information on account password policies.

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireSymbols
Category
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"example": "Enabled",
"default": "Enabled"
}

AWS > IAM > Account Password Policy > Settings > Require Uppercase Characters

You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).

Refer to Setting an account password policy for IAM users for more information on account password policies.

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireUppercaseCharacters
Category
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"example": "Enabled",
"default": "Enabled"
}

AWS > IAM > Account Password Policy > Settings > Reuse Prevention

You can prevent IAM users from reusing a specified number of previous passwords. You can set the number of previous passwords from 1 to 24, inclusive.

Refer to Setting an account password policy for IAM users for more information on account password policies.

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsReusePrevention
Category
Schema
{
"type": "integer",
"minimum": 1,
"maximum": 24,
"example": 5,
"default": 5
}

AWS > IAM > Account Summary > CMDB

Configure whether to record and synchronize details for the AWS IAM account summary into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/policy/types/accountSummaryCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > IAM > Credential Report > CMDB

Configure whether to record and synchronize details for the AWS IAM credential report into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/policy/types/credentialReportCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > IAM > Enabled

Configure whether IAM is enabled.

URI
tmod:@turbot/aws-iam#/policy/types/iamEnabled
Parent
Valid Value
[
"Enabled",
"Enabled: Metadata Only",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Enabled: Metadata Only",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Disabled"
}

AWS > IAM > Group > Active

Determine the action to take when an AWS IAM group is not active, based on the AWS > IAM > Group > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/policy/types/groupActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > IAM > Group > Active > Age

The age after which the AWS IAM group is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/policy/types/groupActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > IAM > Group > Active > Budget

The impact of the budget state on the Active control. This policy allows you to force groups to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/policy/types/groupActiveBudget
Valid Value
[
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > IAM > Group > Active > Last Modified

The number of days since the AWS IAM group was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/policy/types/groupActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > IAM > Group > Approved

Determine the action to take when an AWS IAM group is not approved based on AWS > IAM > Group > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/policy/types/groupApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > IAM > Group > Approved > Budget

This policy allows you to set groups to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.

This policy will be evaluated by the Approved control. If an AWS IAM group is not matched by the approved list, it will be subject to the action specified in the AWS > IAM > Group > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/policy/types/groupApprovedBudget
Valid Value
[
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
],
"example": [
"Unapproved if Budget > State is Shutdown"
],
"default": "Skip"
}

AWS > IAM > Group > Approved > Custom

Determine whether the AWS IAM group is allowed to exist. This policy will be evaluated by the Approved control. If an AWS IAM group is not approved, it will be subject to the action specified in the AWS > IAM > Group > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-iam#/policy/types/groupApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > IAM > Group > Approved > Turbot

Determine whether IAM Policies that are defined and configured by Guardrails (for example, from the Permissions stack or the Service Roles stack) will always be approved.

URI
tmod:@turbot/aws-iam#/policy/types/groupApprovedTurbot
Valid Value
[
"Skip",
"Force Approved for Turbot Group"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force Approved for Turbot Group"
],
"default": "Force Approved for Turbot Group"
}

AWS > IAM > Group > Approved > Usage

Determine whether the AWS IAM group is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS IAM group is not approved, it will be subject to the action specified in the AWS > IAM > Group > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/policy/types/groupApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > IAM > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > IAM > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > IAM > Enabled"
}

AWS > IAM > Group > CMDB

Configure whether to record and synchronize details for the AWS IAM group into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/policy/types/groupCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > IAM > Group > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.

URI
tmod:@turbot/aws-iam#/policy/types/groupConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > IAM > Group > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-iam#/policy/types/groupConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > IAM > Group > Configured > Source

An HCL- or JSON-format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-iam#/policy/types/groupConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > IAM > Group > Group Policy Attachments > Active

Check if the AWS IAM group policy attachment is active based on the AWS > IAM > Group > Group Policy Attachments > Active > * policies.

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > IAM > Group > Group Policy Attachments > Active > Last Modified

Check if the AWS IAM group policy attachment is active based on when it was last modified.

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > IAM > Group > Group Policy Attachments > CMDB

Configure whether to record and synchronize details for the AWS IAM group policy attachments into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > IAM > Group > Group Policy Attachments > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > IAM > Group > Group Policy Attachments > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > IAM > Group > Group Policy Attachments > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > IAM > Group > Inline Policy > Approved

Determine the action to take when an AWS IAM group inline policy is not approved based on AWS > IAM > Group > Inline Policy > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > IAM > Group > Inline Policy > Approved > Custom

Determine whether the AWS IAM group inline policy is allowed to exist. This policy will be evaluated by the Approved control. If an AWS IAM group inline policy is not approved, it will be subject to the action specified in the AWS > IAM > Group > Inline Policy > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > IAM > Group > Inline Policy > Approved > Usage

Determine whether the AWS IAM group inline policy is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS IAM group inline policy is not approved, it will be subject to the action specified in the AWS > IAM > Group > Inline Policy > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > IAM > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > IAM > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > IAM > Enabled"
}

AWS > IAM > Group > Inline Policy > CMDB

Configure whether to record and synchronize details for the AWS IAM group inline policy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > IAM > Group > Inline Policy > Statements

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatements
Category
Targets

AWS > IAM > Group > Inline Policy > Statements > Approved

Configure IAM Policy Statements checking. This policy defines whether to verify the policy statements are approved, as well as the subsequent action to take on unapproved statements.

Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated. If set to "Enforce: Delete unapproved", any unapproved statements will be removed from the policy.

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatementsApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete Unapproved"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete Unapproved"
],
"default": "Skip"
}

AWS > IAM > Group > Inline Policy > Statements > Approved > Administrator Access

If set to "Disabled", IAM Policy statements that allow any action ('*') on any resource ('*') will be unapproved.

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatementsApprovedAdminAccess
Valid Value
[
"Enabled: Allow Administrator Access ('*:*') policies",
"Disabled: Disallow Administrator Access ('*:*') policies"
]
Schema
{
"type": "string",
"enum": [
"Enabled: Allow Administrator Access ('*:*') policies",
"Disabled: Disallow Administrator Access ('*:*') policies"
],
"default": "Enabled: Allow Administrator Access ('*:*') policies"
}

AWS > IAM > Group > Inline Policy > Statements > Approved > Compiled Rules

A read-only Object Control List (OCL) to approve or reject policy statements for an IAM policy. This policy is generated by Guardrails based on the "Approved > *" policies.

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatementsApprovedCompiledRules
Schema
{
"type": "string"
}

AWS > IAM > Group > Inline Policy > Statements > Approved > Rules

An Object Control List (OCL) with a list of filter rules to approve or reject IAM policy statements. Note that the Approved control does not operate directly from this policy, but from the Approved > Compiled Rules. The rules are processed in order, and any built-in Guardrails rules will appear first in the list of compiled rules. The default APPROVE * rule is the last statement, so all unmatched items will be approved (or rejected, if it is changed to REJECT *) by this statement.

Note: Removing APPROVE * will reject all the unmatched rules.

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatementsApprovedRules
Schema
{
"type": "string",
"default": "# Approve(APPROVE *) / Reject(REJECT *) unmatched rules.\nAPPROVE *",
"x-schema-form": {
"type": "textarea"
}
}

AWS > IAM > Group > Policy Attachments

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttached
Targets

AWS > IAM > Group > Policy Attachments > Approved

Configure AWS IAM group policy attachments Approved checking. This policy defines whether to verify the IAM group attached policies are approved (per Approved > Compiled Rules), as well as the subsequent action to take on unapproved items. If set to "Enforce: Delete unapproved", any unapproved attached policy will be removed.

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentsApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > IAM > Group > Policy Attachments > Approved > Compiled Rules

A read-only Object Control List (OCL) to add or remove IAM policies from an IAM group. This policy is generated by Turbot.

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentsApprovedCompiledRules
Schema
{
"type": "string"
}

AWS > IAM > Group > Policy Attachments > Approved > Rules

An Object Control List (OCL) with a list of filter rules to approve or reject policies. Note that the Approved control does not operate directly from this policy, but from the Approved > Compiled Rules. The rules are processed in order, and any built-in Guardrails rules will appear first in the list of compiled rules.

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentsApprovedRules
Schema
{
"type": "string",
"default": "# Approve rules\nAPPROVE *",
"x-schema-form": {
"type": "textarea"
}
}

AWS > IAM > Group > Policy Attachments > Required

Configure whether required policies should be attached to a group. If set to Enforce, policies in Required > Items will be attached to the group.

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyRequired
Valid Value
[
"Skip",
"Check: Required > Items",
"Enforce: Required > Items"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Required > Items",
"Enforce: Required > Items"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > IAM > Group > Policy Attachments > Required > Compiled Items

A list of IAM policies that must be attached to a group.

This is a read-only policy that is generated by Turbot.

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyRequiredCompiledItems
Schema
{
"type": "array"
}

AWS > IAM > Group > Policy Attachments > Required > Items

A list of IAM policies that must be attached to a group.

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyRequiredItems
Schema
{
"type": "array",
"items": {
"type": "string",
"minLength": 1,
"maxLength": 128,
"pattern": "^[A-Za-z0-9_+=,.@-]+$"
},
"default": []
}

AWS > IAM > Group > Usage

Configure the number of AWS IAM groups that can be used for this account and the current consumption against the limit.

You can configure the behavior of the control with this AWS > IAM > Group > Usage policy.

URI
tmod:@turbot/aws-iam#/policy/types/groupUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > IAM > Group > Usage > Limit

Maximum number of items that can be created for this account.

URI
tmod:@turbot/aws-iam#/policy/types/groupUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 300
}

AWS > IAM > Instance Profile > CMDB

Configure whether to record and synchronize details for the AWS IAM instance profile into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/policy/types/instanceProfileCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > IAM > Instance Profile > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.

URI
tmod:@turbot/aws-iam#/policy/types/instanceProfileConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > IAM > Instance Profile > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-iam#/policy/types/instanceProfileConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > IAM > Instance Profile > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-iam#/policy/types/instanceProfileConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > IAM > Login User Names

AWS IAM user login names

URI
tmod:@turbot/aws-iam#/policy/types/loginUserNames
Category
Parent
Default Template Input
"{\n profile{\n profileId\n }\n}\n"
Default Template
"{% if $.profile.profileId %}- '{{ $.profile.profileId }}'{% else %} [] {% endif %}"
Schema
{
"type": "array"
}

AWS > IAM > MFA Virtual > Active

Check if the AWS IAM MFA Virtual resource is active based on the AWS > IAM > MFA Virtual > Active > * policies.

URI
tmod:@turbot/aws-iam#/policy/types/mfaVirtualActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > IAM > MFA Virtual > Active > Last Modified

Check if the AWS IAM MFA Virtual resource is active based on when it was last modified.

URI
tmod:@turbot/aws-iam#/policy/types/mfaVirtualActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > IAM > MFA Virtual > CMDB

Configure whether to record and synchronize details for the AWS IAM Multi-Factor Authentication (MFA) Virtual resource into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/policy/types/mfaVirtualCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > IAM > OpenID Connect > Active

Determine the action to take when an AWS IAM OpenID Connect resource is not active, based on the AWS > IAM > OpenID Connect > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > OpenID Connect > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > IAM > OpenID Connect > Active > Age

The age after which the AWS IAM OpenID Connect resource is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > OpenID Connect > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > IAM > OpenID Connect > Active > Last Modified

The number of days since the AWS IAM OpenID Connect resource was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > OpenID Connect > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > IAM > OpenID Connect > Approved

Determine the action to take when an AWS IAM OpenID Connect resource is not approved based on AWS > IAM > OpenID Connect > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > IAM > OpenID Connect > Approved > Custom

Determine whether the AWS IAM OpenID Connect resource is allowed to exist. This policy will be evaluated by the Approved control. If an AWS IAM OpenID Connect resource is not approved, it will be subject to the action specified in the AWS > IAM > OpenID Connect > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > IAM > OpenID Connect > Approved > Usage

Determine whether the AWS IAM OpenID Connect resource is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS IAM OpenID Connect resource is not approved, it will be subject to the action specified in the AWS > IAM > OpenID Connect > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > IAM > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > IAM > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > IAM > Enabled"
}

AWS > IAM > OpenID Connect > CMDB

Configure whether to record and synchronize details for the AWS IAM OpenID Connect resource into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > IAM > OpenID Connect > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > IAM > OpenID Connect > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > IAM > OpenID Connect > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > IAM > OpenID Connect > Tags

Determine the action to take when the tags of an AWS IAM openid connect are not updated, based on the AWS > IAM > OpenID Connect > Tags > * policies.

The control ensures AWS IAM openid connect tags include the tags defined in AWS > IAM > OpenID Connect > Tags > Template.

Tags not defined in OpenID Connect Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > IAM > OpenID Connect > Tags > Template

The template is used to generate the keys and values for AWS IAM openid connect.

Tags not defined in OpenID Connect Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-iam#/policy/types/iamTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > IAM > OpenID Connect > Usage

Configure the number of AWS IAM openid connects that can be used for this account and the current consumption against the limit.

You can configure the behavior of the control with this AWS > IAM > OpenID Connect > Usage policy.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > IAM > OpenID Connect > Usage > Limit

Maximum number of items that can be created for this account.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 100
}

AWS > IAM > Permissions

Configure whether permissions policies are in effect for AWS IAM. This setting does
not affect account level permissions (AWS/Admin, AWS/Owner, etc).

Note: The behavior of this policy depends on the value of AWS > Permissions.

URI
tmod:@turbot/aws-iam#/policy/types/iamPermissions
Valid Value
[
"Enabled",
"Disabled",
"Enabled if AWS > IAM > Enabled & AWS > IAM > API Enabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled",
"Enabled if AWS > IAM > Enabled & AWS > IAM > API Enabled"
],
"example": [
"Enabled"
],
"default": "Enabled if AWS > IAM > Enabled & AWS > IAM > API Enabled"
}

AWS > IAM > Permissions > Levels

Define the permissions levels that can be used to grant access to an AWS account.
Permissions levels defined will appear in the UI to assign access to Guardrails users.
This policy provides a default for Permissions > Levels in each service,
however you can explicitly override the