Policy types for @turbot/aws-iam
- AWS > Account > Permissions
- AWS > Account > Permissions > Lockdown
- AWS > Account > Permissions > Lockdown > Budget
- AWS > Account > Permissions > Lockdown > Budget > Restricted APIs
- AWS > IAM > API Enabled
- AWS > IAM > Access Analyzer > Active
- AWS > IAM > Access Analyzer > Active > Age
- AWS > IAM > Access Analyzer > Active > Last Modified
- AWS > IAM > Access Analyzer > Approved
- AWS > IAM > Access Analyzer > Approved > Custom
- AWS > IAM > Access Analyzer > Approved > Regions
- AWS > IAM > Access Analyzer > Approved > Usage
- AWS > IAM > Access Analyzer > CMDB
- AWS > IAM > Access Analyzer > Configured
- AWS > IAM > Access Analyzer > Configured > Claim Precedence
- AWS > IAM > Access Analyzer > Configured > Source
- AWS > IAM > Access Analyzer > Regions
- AWS > IAM > Access Analyzer > Tags
- AWS > IAM > Access Analyzer > Tags > Template
- AWS > IAM > Access Key > Active
- AWS > IAM > Access Key > Active > Age
- AWS > IAM > Access Key > Active > Last Modified
- AWS > IAM > Access Key > Active > Recently Used
- AWS > IAM > Access Key > Active > Status
- AWS > IAM > Access Key > CMDB
- AWS > IAM > Access Key > Configured
- AWS > IAM > Access Key > Configured > Claim Precedence
- AWS > IAM > Access Key > Configured > Source
- AWS > IAM > Access Key > Usage
- AWS > IAM > Access Key > Usage > Limit
- AWS > IAM > Account Password Policy > CMDB
- AWS > IAM > Account Password Policy > Configured
- AWS > IAM > Account Password Policy > Configured > Claim Precedence
- AWS > IAM > Account Password Policy > Configured > Source
- AWS > IAM > Account Password Policy > Settings
- AWS > IAM > Account Password Policy > Settings > Allow Users to Change
- AWS > IAM > Account Password Policy > Settings > Hard Expiry
- AWS > IAM > Account Password Policy > Settings > Max Age
- AWS > IAM > Account Password Policy > Settings > Minimum Length
- AWS > IAM > Account Password Policy > Settings > Require Lowercase Characters
- AWS > IAM > Account Password Policy > Settings > Require Numbers
- AWS > IAM > Account Password Policy > Settings > Require Symbols
- AWS > IAM > Account Password Policy > Settings > Require Uppercase Characters
- AWS > IAM > Account Password Policy > Settings > Reuse Prevention
- AWS > IAM > Account Summary > CMDB
- AWS > IAM > Credential Report > CMDB
- AWS > IAM > Enabled
- AWS > IAM > Group > Active
- AWS > IAM > Group > Active > Age
- AWS > IAM > Group > Active > Budget
- AWS > IAM > Group > Active > Last Modified
- AWS > IAM > Group > Approved
- AWS > IAM > Group > Approved > Budget
- AWS > IAM > Group > Approved > Custom
- AWS > IAM > Group > Approved > Turbot
- AWS > IAM > Group > Approved > Usage
- AWS > IAM > Group > CMDB
- AWS > IAM > Group > Configured
- AWS > IAM > Group > Configured > Claim Precedence
- AWS > IAM > Group > Configured > Source
- AWS > IAM > Group > Group Policy Attachments > Active
- AWS > IAM > Group > Group Policy Attachments > Active > Last Modified
- AWS > IAM > Group > Group Policy Attachments > CMDB
- AWS > IAM > Group > Group Policy Attachments > Configured
- AWS > IAM > Group > Group Policy Attachments > Configured > Claim Precedence
- AWS > IAM > Group > Group Policy Attachments > Configured > Source
- AWS > IAM > Group > Inline Policy > Approved
- AWS > IAM > Group > Inline Policy > Approved > Custom
- AWS > IAM > Group > Inline Policy > Approved > Usage
- AWS > IAM > Group > Inline Policy > CMDB
- AWS > IAM > Group > Inline Policy > Statements
- AWS > IAM > Group > Inline Policy > Statements > Approved
- AWS > IAM > Group > Inline Policy > Statements > Approved > Administrator Access
- AWS > IAM > Group > Inline Policy > Statements > Approved > Compiled Rules
- AWS > IAM > Group > Inline Policy > Statements > Approved > Rules
- AWS > IAM > Group > Policy Attachments
- AWS > IAM > Group > Policy Attachments > Approved
- AWS > IAM > Group > Policy Attachments > Approved > Compiled Rules
- AWS > IAM > Group > Policy Attachments > Approved > Rules
- AWS > IAM > Group > Policy Attachments > Required
- AWS > IAM > Group > Policy Attachments > Required > Compiled Items
- AWS > IAM > Group > Policy Attachments > Required > Items
- AWS > IAM > Group > Usage
- AWS > IAM > Group > Usage > Limit
- AWS > IAM > Instance Profile > CMDB
- AWS > IAM > Instance Profile > Configured
- AWS > IAM > Instance Profile > Configured > Claim Precedence
- AWS > IAM > Instance Profile > Configured > Source
- AWS > IAM > Login User Names
- AWS > IAM > MFA Virtual > Active
- AWS > IAM > MFA Virtual > Active > Last Modified
- AWS > IAM > MFA Virtual > CMDB
- AWS > IAM > OpenID Connect > Active
- AWS > IAM > OpenID Connect > Active > Age
- AWS > IAM > OpenID Connect > Active > Last Modified
- AWS > IAM > OpenID Connect > Approved
- AWS > IAM > OpenID Connect > Approved > Custom
- AWS > IAM > OpenID Connect > Approved > Usage
- AWS > IAM > OpenID Connect > CMDB
- AWS > IAM > OpenID Connect > Configured
- AWS > IAM > OpenID Connect > Configured > Claim Precedence
- AWS > IAM > OpenID Connect > Configured > Source
- AWS > IAM > OpenID Connect > Tags
- AWS > IAM > OpenID Connect > Tags > Template
- AWS > IAM > OpenID Connect > Usage
- AWS > IAM > OpenID Connect > Usage > Limit
- AWS > IAM > Permissions
- AWS > IAM > Permissions > Levels
- AWS > IAM > Permissions > Levels > Modifiers
- AWS > IAM > Permissions > Levels > Service User Access Key Administration
- AWS > IAM > Permissions > Levels > Service User Administration
- AWS > IAM > Permissions > Levels > Service User Password Administration
- AWS > IAM > Permissions > Lockdown
- AWS > IAM > Permissions > Lockdown > API Boundary
- AWS > IAM > Policy > Active
- AWS > IAM > Policy > Active > Age
- AWS > IAM > Policy > Active > Last Modified
- AWS > IAM > Policy > Approved
- AWS > IAM > Policy > Approved > Custom
- AWS > IAM > Policy > Approved > Turbot
- AWS > IAM > Policy > Approved > Usage
- AWS > IAM > Policy > CMDB
- AWS > IAM > Policy > Configured
- AWS > IAM > Policy > Configured > Claim Precedence
- AWS > IAM > Policy > Configured > Source
- AWS > IAM > Policy > Statements
- AWS > IAM > Policy > Statements > Approved
- AWS > IAM > Policy > Statements > Approved > Administrator Access
- AWS > IAM > Policy > Statements > Approved > Compiled Rules
- AWS > IAM > Policy > Statements > Approved > Rules
- AWS > IAM > Policy > Statements > Approved > Turbot
- AWS > IAM > Role > Active
- AWS > IAM > Role > Active > Age
- AWS > IAM > Role > Active > Last Modified
- AWS > IAM > Role > Active > Quarantine Policy Name
- AWS > IAM > Role > Active > Recently Used
- AWS > IAM > Role > Approved
- AWS > IAM > Role > Approved > Custom
- AWS > IAM > Role > Approved > Quarantine Policy Name
- AWS > IAM > Role > Approved > Turbot
- AWS > IAM > Role > Approved > Usage
- AWS > IAM > Role > Boundary
- AWS > IAM > Role > Boundary > Policy
- AWS > IAM > Role > CMDB
- AWS > IAM > Role > Configured
- AWS > IAM > Role > Configured > Claim Precedence
- AWS > IAM > Role > Configured > Source
- AWS > IAM > Role > Inline Policy > Approved
- AWS > IAM > Role > Inline Policy > Approved > Custom
- AWS > IAM > Role > Inline Policy > Approved > Usage
- AWS > IAM > Role > Inline Policy > CMDB
- AWS > IAM > Role > Inline Policy > Configured
- AWS > IAM > Role > Inline Policy > Configured > Claim Precedence
- AWS > IAM > Role > Inline Policy > Configured > Source
- AWS > IAM > Role > Inline Policy > Statements
- AWS > IAM > Role > Inline Policy > Statements > Approved
- AWS > IAM > Role > Inline Policy > Statements > Approved > Administrator Access
- AWS > IAM > Role > Inline Policy > Statements > Approved > Compiled Rules
- AWS > IAM > Role > Inline Policy > Statements > Approved > Rules
- AWS > IAM > Role > Policy
- AWS > IAM > Role > Policy > Trusted Access
- AWS > IAM > Role > Policy > Trusted Access > Accounts
- AWS > IAM > Role > Policy > Trusted Access > Identity Providers
- AWS > IAM > Role > Policy > Trusted Access > Organization Restrictions
- AWS > IAM > Role > Policy > Trusted Access > Services
- AWS > IAM > Role > Policy Attachments
- AWS > IAM > Role > Policy Attachments > Approved
- AWS > IAM > Role > Policy Attachments > Approved > Compiled Rules
- AWS > IAM > Role > Policy Attachments > Approved > Rules
- AWS > IAM > Role > Policy Attachments > Required
- AWS > IAM > Role > Policy Attachments > Required > Compiled Items
- AWS > IAM > Role > Policy Attachments > Required > Items
- AWS > IAM > Role > Policy Attachments > Required > Turbot Lockdown
- AWS > IAM > Role > Role Policy Attachments > Active
- AWS > IAM > Role > Role Policy Attachments > Active > Last Modified
- AWS > IAM > Role > Role Policy Attachments > CMDB
- AWS > IAM > Role > Role Policy Attachments > Configured
- AWS > IAM > Role > Role Policy Attachments > Configured > Claim Precedence
- AWS > IAM > Role > Role Policy Attachments > Configured > Source
- AWS > IAM > Role > Tags
- AWS > IAM > Role > Tags > Template
- AWS > IAM > Role > Trust Relationship Statements
- AWS > IAM > Role > Trust Relationship Statements > Approved
- AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules
- AWS > IAM > Role > Trust Relationship Statements > Approved > Rules
- AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts [Deprecated]
- AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Identity Providers [Deprecated]
- AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Services [Deprecated]
- AWS > IAM > Role > Usage
- AWS > IAM > Role > Usage > Limit
- AWS > IAM > Root > CMDB
- AWS > IAM > Root > Configured
- AWS > IAM > Root > Configured > Claim Precedence
- AWS > IAM > Root > Configured > Source
- AWS > IAM > Server Certificate > Active
- AWS > IAM > Server Certificate > Active > Age
- AWS > IAM > Server Certificate > Active > Last Modified
- AWS > IAM > Server Certificate > Approved
- AWS > IAM > Server Certificate > Approved > Custom
- AWS > IAM > Server Certificate > Approved > Usage
- AWS > IAM > Server Certificate > CMDB
- AWS > IAM > Server Certificate > Tags
- AWS > IAM > Server Certificate > Tags > Template
- AWS > IAM > Server Certificate > Usage
- AWS > IAM > Server Certificate > Usage > Limit
- AWS > IAM > Stack
- AWS > IAM > Stack > Secret Variables
- AWS > IAM > Stack > Source
- AWS > IAM > Stack > Terraform Version
- AWS > IAM > Stack > Variables
- AWS > IAM > Tags Template [Default]
- AWS > IAM > Trusted Accounts [Default]
- AWS > IAM > Trusted Identity Providers [Default]
- AWS > IAM > Trusted Organizations [Default]
- AWS > IAM > Trusted Services [Default]
- AWS > IAM > Turbot
- AWS > IAM > User > Active
- AWS > IAM > User > Active > Age
- AWS > IAM > User > Active > Last Modified
- AWS > IAM > User > Active > Recently Used
- AWS > IAM > User > Approved
- AWS > IAM > User > Approved > Custom
- AWS > IAM > User > Approved > Turbot
- AWS > IAM > User > Approved > Usage
- AWS > IAM > User > Boundary
- AWS > IAM > User > Boundary > Policy
- AWS > IAM > User > CMDB
- AWS > IAM > User > Configured
- AWS > IAM > User > Configured > Claim Precedence
- AWS > IAM > User > Configured > Source
- AWS > IAM > User > Group Memberships > CMDB
- AWS > IAM > User > Group Memberships > Configured
- AWS > IAM > User > Group Memberships > Configured > Claim Precedence
- AWS > IAM > User > Group Memberships > Configured > Source
- AWS > IAM > User > Inline Policy > Approved
- AWS > IAM > User > Inline Policy > Approved > Custom
- AWS > IAM > User > Inline Policy > Approved > Usage
- AWS > IAM > User > Inline Policy > CMDB
- AWS > IAM > User > Inline Policy > Statements
- AWS > IAM > User > Inline Policy > Statements > Approved
- AWS > IAM > User > Inline Policy > Statements > Approved > Administrator Access
- AWS > IAM > User > Inline Policy > Statements > Approved > Compiled Rules
- AWS > IAM > User > Inline Policy > Statements > Approved > Rules
- AWS > IAM > User > Login Profile
- AWS > IAM > User > Policy Attachments
- AWS > IAM > User > Policy Attachments > Approved
- AWS > IAM > User > Policy Attachments > Approved > Compiled Rules
- AWS > IAM > User > Policy Attachments > Approved > Rules
- AWS > IAM > User > Policy Attachments > Required
- AWS > IAM > User > Policy Attachments > Required > Compiled Items
- AWS > IAM > User > Policy Attachments > Required > Items
- AWS > IAM > User > Policy Attachments > Required > Turbot Lockdown
- AWS > IAM > User > Tags
- AWS > IAM > User > Tags > Template
- AWS > IAM > User > Turbot Access Key
- AWS > IAM > User > Turbot Access Key > Rotation
- AWS > IAM > User > Turbot Secret Access Key
- AWS > IAM > User > Usage
- AWS > IAM > User > Usage > Limit
- AWS > IAM > User > User Policy Attachments > Active
- AWS > IAM > User > User Policy Attachments > Active > Last Modified
- AWS > IAM > User > User Policy Attachments > CMDB
- AWS > IAM > User > User Policy Attachments > Configured
- AWS > IAM > User > User Policy Attachments > Configured > Claim Precedence
- AWS > IAM > User > User Policy Attachments > Configured > Source
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-iam
- AWS > Turbot > Permissions
- AWS > Turbot > Permissions > Compiled
- AWS > Turbot > Permissions > Compiled > API Boundary
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-iam
- AWS > Turbot > Permissions > Compiled > Account Permissions
- AWS > Turbot > Permissions > Compiled > Allow Statements
- AWS > Turbot > Permissions > Compiled > Levels
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-iam
- AWS > Turbot > Permissions > Compiled > Lockdown Statements
- AWS > Turbot > Permissions > Compiled > Lockdown Statements > @turbot/aws-iam
- AWS > Turbot > Permissions > Compiled > Service Permissions
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-iam
- AWS > Turbot > Permissions > Custom Levels [Account]
- AWS > Turbot > Permissions > Custom Levels [Folder]
- AWS > Turbot > Permissions > Group
- AWS > Turbot > Permissions > Group > Name Path
- AWS > Turbot > Permissions > Group > Name Prefix
- AWS > Turbot > Permissions > Levels
- AWS > Turbot > Permissions > Levels > Modifiers
- AWS > Turbot > Permissions > Levels [Default]
- AWS > Turbot > Permissions > Lockdown
- AWS > Turbot > Permissions > Lockdown > API Boundary
- AWS > Turbot > Permissions > Lockdown > Region Boundary
- AWS > Turbot > Permissions > Lockdown > Regions
- AWS > Turbot > Permissions > Name Path [Default]
- AWS > Turbot > Permissions > Name Prefix [Default]
- AWS > Turbot > Permissions > Policy
- AWS > Turbot > Permissions > Policy > Name Path
- AWS > Turbot > Permissions > Policy > Name Prefix
- AWS > Turbot > Permissions > Role
- AWS > Turbot > Permissions > Role > Name Path
- AWS > Turbot > Permissions > Role > Name Prefix
- AWS > Turbot > Permissions > Role > Session Timeout
- AWS > Turbot > Permissions > Role > Tags
- AWS > Turbot > Permissions > Source
- AWS > Turbot > Permissions > Superuser Boundary
- AWS > Turbot > Permissions > Tags Default
- AWS > Turbot > Permissions > Terraform Version
- AWS > Turbot > Permissions > User
- AWS > Turbot > Permissions > User > Access Keys Enabled
- AWS > Turbot > Permissions > User > Group Membership Mode
- AWS > Turbot > Permissions > User > Name Path
- AWS > Turbot > Permissions > User > Session Timeout
- AWS > Turbot > Permissions > User > Tags
- AWS > Turbot > Permissions > User Boundary
- Turbot > IAM > Permissions > Compiled > Levels > AWS
- Turbot > IAM > Permissions > Compiled > Levels > AWS [Turbot]
AWS > Account > Permissions
AWS > Account > Permissions > Lockdown
AWS > Account > Permissions > Lockdown > Budget
Configure lockdown policies to restrict APIs based on the budget state (when the current spend exceeds a defined threshold).
[ "Skip", "Restrict APIs per `Lockdown > Budget > Restricted APIs`"]
{ "type": "string", "enum": [ "Skip", "Restrict APIs per `Lockdown > Budget > Restricted APIs`" ], "default": "Skip"}
AWS > Account > Permissions > Lockdown > Budget > Restricted APIs
A YAML object that contains a list of APIs that should be restricted when the budget reaches a specific state.

For example, to restrict users from running and starting new EC2 instances, starting RDS databases, or creating Redshift clusters when the budget state is Critical or higher, enter:

Critical:
  - ec2:RunInstances
  - ec2:StartInstances
  - rds:StartDB*
  - redshift:createcluster
AWS > IAM > API Enabled
Configure whether the AWS IAM API is enabled.

Note: Disabling the service disables the API for ALL users and roles, and Guardrails will have no access to the API.
[ "Enabled", "Disabled", "Enabled if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if AWS > IAM > Enabled" ], "default": "Enabled"}
AWS > IAM > Access Analyzer > Active
Determine the action to take when an AWS IAM access analyzer is not active, based on the AWS > IAM > Access Analyzer > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Analyzer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > Access Analyzer > Active > Age
The age after which the AWS IAM access analyzer is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Analyzer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > IAM > Access Analyzer > Active > Last Modified
The number of days since the AWS IAM access analyzer was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Analyzer > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > Access Analyzer > Approved
Determine the action to take when an AWS IAM access analyzer is not approved based on AWS > IAM > Access Analyzer > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > Access Analyzer > Approved > Custom
Determine whether the AWS IAM access analyzer is allowed to exist. This policy will be evaluated by the Approved control. If an AWS IAM access analyzer is not approved, it will be subject to the action specified in the AWS > IAM > Access Analyzer > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > IAM > Access Analyzer > Approved > Regions
A list of AWS regions in which AWS IAM access analyzers are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS IAM access analyzer is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > IAM > Access Analyzer > Approved policy.

See Approved for more information.
"{\n regions: policy(uri: \"tmod:@turbot/aws-iam#/policy/types/accessAnalyzerRegions\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > IAM > Access Analyzer > Approved > Usage
Determine whether the AWS IAM access analyzer is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS IAM access analyzer is not approved, it will be subject to the action specified in the AWS > IAM > Access Analyzer > Approved policy.

See Approved for more information.
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
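The Approved logic described for the access analyzer entries above (Approved, Approved > Custom, Approved > Regions and Approved > Usage), as an added worked example rather than code from the @turbot/aws-iam mod: it validates a Custom policy value against the published schema, matches the analyzer's region against the wildcard region list, resolves the Usage setting, and combines the sub-policy results with the "unapproved for any reason means unapproved" rule. The function names, the PolicyError type and the sample analyzer records are assumptions constructed for this example.

```python
"""Evaluate the Approved status of an AWS IAM access analyzer from its
Approved > Custom, Approved > Regions and Approved > Usage policy values.

Added example, not code from @turbot/aws-iam. Function and type names,
the sample analyzer records and the sample policy values are constructed.
"""
import fnmatch
import re
from typing import Any, List, Tuple

# Patterns taken from the Approved > Custom schema (anchors dropped, fullmatch used).
RESULT_RE = re.compile(r"(Approved|Not approved|Skip)")
TITLE_RE = re.compile(r"[\W\w]{1,32}")
MESSAGE_RE = re.compile(r"[\W\w]{1,128}")


class PolicyError(ValueError):
    """Raised when a policy value does not match the published schema."""


def _check_object(obj: dict) -> str:
    # Same constraints as the schema's object branch: result is required,
    # title and message are optional bounded strings, no extra keys allowed.
    extra = set(obj) - {"title", "message", "result"}
    if extra:
        raise PolicyError(f"unexpected keys: {sorted(extra)}")
    if not isinstance(obj.get("result"), str) or not RESULT_RE.fullmatch(obj["result"]):
        raise PolicyError("result must be Approved, Not approved or Skip")
    if "title" in obj and not (isinstance(obj["title"], str) and TITLE_RE.fullmatch(obj["title"])):
        raise PolicyError("title must be a string of 1-32 characters")
    if "message" in obj and not (isinstance(obj["message"], str) and MESSAGE_RE.fullmatch(obj["message"])):
        raise PolicyError("message must be a string of 1-128 characters")
    return obj["result"]


def custom_results(value: Any) -> List[str]:
    """Validate a Custom policy value (string, object or list of objects)
    and return the result strings it carries."""
    if isinstance(value, str):
        if not RESULT_RE.fullmatch(value):
            raise PolicyError("string value must be Approved, Not approved or Skip")
        return [value]
    if isinstance(value, dict):
        return [_check_object(value)]
    if isinstance(value, list):
        if not all(isinstance(item, dict) for item in value):
            raise PolicyError("array items must be objects")
        return [_check_object(item) for item in value]
    raise PolicyError("value must be a string, an object or an array of objects")


def region_result(region: str, approved_regions: List[str]) -> str:
    """Approved > Regions: the list may use '*' and '?' wildcards."""
    if any(fnmatch.fnmatchcase(region, pattern) for pattern in approved_regions):
        return "Approved"
    return "Not approved"


def usage_result(usage: str, iam_enabled: bool) -> str:
    """Approved > Usage: resolve the 'Approved if AWS > IAM > Enabled' option."""
    if usage == "Approved if AWS > IAM > Enabled":
        return "Approved" if iam_enabled else "Not approved"
    if usage not in ("Approved", "Not approved"):
        raise PolicyError(f"unknown Usage value: {usage!r}")
    return usage


def evaluate_approved(region: str, custom: Any, approved_regions: List[str],
                      usage: str, iam_enabled: bool = True) -> Tuple[str, List[str]]:
    """Combine the sub-policies: any 'Not approved' result makes the resource
    Not approved; Skip results do not count against it. Returns the status
    and the names of the sub-policies that failed."""
    checks = [("Custom", result) for result in custom_results(custom)]
    checks.append(("Regions", region_result(region, approved_regions)))
    checks.append(("Usage", usage_result(usage, iam_enabled)))
    failing = [name for name, result in checks if result == "Not approved"]
    if failing:
        return "Not approved", failing
    return "Approved", []


# Constructed sample analyzers: (name, region, Custom policy value).
SAMPLE_ANALYZERS = [
    ("analyzer-prod", "us-east-1", "Skip"),
    ("analyzer-apac", "ap-south-1", [{"result": "Approved"}]),
    ("analyzer-dev", "us-west-2", {"title": "Naming", "result": "Not approved",
                                   "message": "name does not follow the convention"}),
]

if __name__ == "__main__":
    approved_regions = ["us-*", "eu-west-?"]
    for name, region, custom in SAMPLE_ANALYZERS:
        status, failing = evaluate_approved(region, custom, approved_regions,
                                            "Approved if AWS > IAM > Enabled")
        print(f"{name} ({region}): {status} {failing}")
```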
AWS > IAM > Access Analyzer > CMDB
Configure whether to record and synchronize details for the AWS IAM access analyzer into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > IAM > Access Analyzer > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Access Analyzer > Configured
Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Access Analyzer > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Access Analyzer > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Access Analyzer > Regions
A list of AWS regions in which AWS IAM access analyzers are supported for use.

Any access analyzers in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
{ "allOf": [ { "$ref": "aws#/definitions/regionNameMatcherList" }, { "default": [ "af-south-1", "ap-east-1", "ap-northeast-1", "ap-northeast-2", "ap-northeast-3", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-south-1", "eu-west-1", "eu-west-2", "eu-west-3", "me-south-1", "sa-east-1", "us-east-1", "us-east-2", "us-gov-east-1", "us-gov-west-1", "us-west-1", "us-west-2" ] } ]}
AWS > IAM > Access Analyzer > Tags
Determine the action to take when an AWS IAM access analyzer's tags are not updated based on the AWS > IAM > Access Analyzer > Tags > * policies.

The control ensures AWS IAM access analyzer tags include tags defined in AWS > IAM > Access Analyzer > Tags > Template.

Tags not defined in Access Analyzer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > IAM > Access Analyzer > Tags > Template
The template is used to generate the keys and values for AWS IAM access analyzer.

Tags not defined in Access Analyzer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-iam#/policy/types/iamTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > IAM > Access Key > Active
Determine the action to take when an AWS IAM access key is not active, based on the AWS > IAM > Access Key > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning", "Enforce: Deactivate inactive with 1 day warning", "Enforce: Deactivate inactive with 3 days warning", "Enforce: Deactivate inactive with 7 days warning", "Enforce: Deactivate inactive with 14 days warning", "Enforce: Deactivate inactive with 30 days warning", "Enforce: Deactivate inactive with 60 days warning", "Enforce: Deactivate inactive with 90 days warning", "Enforce: Deactivate inactive with 180 days warning", "Enforce: Deactivate inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning", "Enforce: Deactivate inactive with 1 day warning", "Enforce: Deactivate inactive with 3 days warning", "Enforce: Deactivate inactive with 7 days warning", "Enforce: Deactivate inactive with 14 days warning", "Enforce: Deactivate inactive with 30 days warning", "Enforce: Deactivate inactive with 60 days warning", "Enforce: Deactivate inactive with 90 days warning", "Enforce: Deactivate inactive with 180 days warning", "Enforce: Deactivate inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > Access Key > Active > Age
The age after which the AWS IAM access key is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > IAM > Access Key > Active > Last Modified
The number of days since the AWS IAM access key was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > Access Key > Active > Recently Used
The number of days since the AWS IAM access key was last used before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Active if recently used <= 1 day", "Active if recently used <= 3 days", "Active if recently used <= 7 days", "Active if recently used <= 14 days", "Active if recently used <= 30 days", "Active if recently used <= 60 days", "Active if recently used <= 90 days", "Active if recently used <= 180 days", "Active if recently used <= 365 days", "Force active if recently used <= 1 day", "Force active if recently used <= 3 days", "Force active if recently used <= 7 days", "Force active if recently used <= 14 days", "Force active if recently used <= 30 days", "Force active if recently used <= 60 days", "Force active if recently used <= 90 days", "Force active if recently used <= 180 days", "Force active if recently used <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if recently used <= 1 day", "Active if recently used <= 3 days", "Active if recently used <= 7 days", "Active if recently used <= 14 days", "Active if recently used <= 30 days", "Active if recently used <= 60 days", "Active if recently used <= 90 days", "Active if recently used <= 180 days", "Active if recently used <= 365 days", "Force active if recently used <= 1 day", "Force active if recently used <= 3 days", "Force active if recently used <= 7 days", "Force active if recently used <= 14 days", "Force active if recently used <= 30 days", "Force active if recently used <= 60 days", "Force active if recently used <= 90 days", "Force active if recently used <= 180 days", "Force active if recently used <= 365 days" ], "example": [ "Active if recently used <= 90 days" ], "default": "Skip"}
AWS > IAM > Access Key > Active > Status
This policy lets you choose which status value determines whether the AWS IAM access key is active.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Access Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

The policy values for AWS IAM access key are deprecated and replaced by new values. The deprecated values will be removed in the next major version.

| Deprecated Values                | Current Values                     |
|----------------------------------|------------------------------------|
| Active if status is active       | Active if $.Status is active       |
| Force active if status is active | Force active if $.Status is active |
[ "Skip", "Active if status is active", "Force active if status is active", "Active if $.Status is active", "Force active if $.Status is active"]
{ "type": "string", "enum": [ "Skip", "Active if status is active", "Force active if status is active", "Active if $.Status is active", "Force active if $.Status is active" ], "example": [ "Skip" ], "default": "Skip"}
AWS > IAM > Access Key > CMDB
Configure whether to record and synchronize details for the AWS IAM access key into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Access Key > Configured
Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Access Key > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Access Key > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Access Key > Usage
Configure the number of AWS IAM access keys that can be used for this user and the current consumption against the limit.

You can configure the behavior of the control with this AWS > IAM > Access Key > Usage policy.
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > IAM > Access Key > Usage > Limit
Maximum number of access keys that can be created for this user.
{ "type": "integer", "minimum": 0, "default": 2}
AWS > IAM > Account Password Policy > CMDB
Configure whether to record and synchronize details for the AWS IAM account password policy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Account Password Policy > Configured
Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Account Password Policy > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Account Password Policy > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Account Password Policy > Settings
Check if the IAM account password policy is in sync with the account password settings policies.
[ "Skip", "Check: Configured", "Enforce: Configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Enforce: Configured" ], "example": [ "Check: Configured" ], "default": "Skip"}
AWS > IAM > Account Password Policy > Settings > Allow Users to Change
You can permit all IAM users in your account to use the IAM console to change their own passwords, as described in Permitting IAM users to change their own passwords.

Refer to Setting an account password policy for IAM users for more information on account password policies.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": "Enabled", "default": "Enabled"}
AWS > IAM > Account Password Policy > Settings > Hard Expiry
You can prevent IAM users from choosing a new password after their current password has expired. For example, a password policy can specify a password expiration period. If an IAM user fails to choose a new password before the expiration period ends, the IAM user cannot set a new password. In that case, the IAM user must request a password reset from an account administrator in order to regain access to the AWS Management Console. You can also leave this setting disabled. If an IAM user allows his or her password to expire, the user in this scenario is required to set a new password before accessing the AWS Management Console.

Refer to Setting an account password policy for IAM users for more information on account password policies.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": "Enabled", "default": "Enabled"}
AWS > IAM > Account Password Policy > Settings > Max Age
You can set IAM user passwords to be valid for only the specified number of days. You specify the number of days that passwords remain valid after they are set. For example, when you enable password expiration and set the password expiration period to 90 days, an IAM user can use a password for up to 90 days. After 90 days, the password expires and the IAM user must set a new password before accessing the AWS Management Console. You can choose a password expiration period between 1 and 1095 days, inclusive.

Refer to Setting an account password policy for IAM users for more information on account password policies.
{ "type": "integer", "minimum": 1, "maximum": 1095, "example": 90, "default": 90}
AWS > IAM > Account Password Policy > Settings > Minimum Length
You can specify the minimum number of characters allowed in an IAM user password. You can type any number from 6 to 128.

Refer to Setting an account password policy for IAM users for more information on account password policies.
{ "type": "integer", "minimum": 6, "maximum": 128, "example": 14, "default": 14}
AWS > IAM > Account Password Policy > Settings > Require Lowercase Characters
You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z).

Refer to Setting an account password policy for IAM users for more information on account password policies.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": "Enabled", "default": "Enabled"}
AWS > IAM > Account Password Policy > Settings > Require Numbers
You can require that IAM user passwords contain at least one numeric character (0 to 9).

Refer to Setting an account password policy for IAM users for more information on account password policies.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": "Enabled", "default": "Enabled"}
AWS > IAM > Account Password Policy > Settings > Require Symbols
You can require that IAM user passwords contain at least one of the following nonalphanumeric characters:
! @ # $ % ^ & * ( ) _ + - = [ ] { } | '

Refer to Setting an account password policy for IAM users for more information on account password policies.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": "Enabled", "default": "Enabled"}
AWS > IAM > Account Password Policy > Settings > Require Uppercase Characters
You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).

Refer to Setting an account password policy for IAM users for more information on account password policies.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": "Enabled", "default": "Enabled"}
AWS > IAM > Account Password Policy > Settings > Reuse Prevention
You can prevent IAM users from reusing a specified number of previous passwords. You can set the number of previous passwords from 1 to 24, inclusive.

Refer to Setting an account password policy for IAM users for more information on account password policies.
{ "type": "integer", "minimum": 1, "maximum": 24, "example": 5, "default": 5}
AWS > IAM > Account Summary > CMDB
Configure whether to record and synchronize details for the AWS IAM account summary into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Credential Report > CMDB
Configure whether to record and synchronize details for the AWS IAM credential report into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Enabled
Enable IAM.
[ "Enabled", "Enabled: Metadata Only", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Enabled: Metadata Only", "Disabled" ], "example": [ "Enabled" ], "default": "Disabled"}
AWS > IAM > Group > Active
Determine the action to take when an AWS IAM group is not active, based on the AWS > IAM > Group > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > Group > Active > Age
The age after which the AWS IAM group is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > IAM > Group > Active > Budget
The impact of the budget state on the active control. This policy allows you to force groups to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > IAM > Group > Active > Last Modified
The number of days since the AWS IAM group was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > IAM > Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > Group > Approved
Determine the action to take when an AWS IAM group is not approved based on the AWS > IAM > Group > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.
[ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > Group > Approved > Budget
The policy allows you to set groups to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.\n\nThis policy will be evaluated by the Approved control. If an AWS IAM group is not approved, it will be subject to the action specified in the AWS > IAM > Group > Approved policy.\n\nSee Approved for more information.\n
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > IAM > Group > Approved > Custom
Determine whether the AWS IAM group is allowed to exist.\nThis policy will be evaluated by the Approved control. If an AWS IAM group is not approved, it will be subject to the action specified in the AWS > IAM > Group > Approved policy.\nSee Approved for more information.\n\nNote: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.\n
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > IAM > Group > Approved > Turbot
Determine whether IAM groups that are defined and configured by Guardrails (for example, from the Permissions stack or the Service Roles stack) will always be approved.\n
[ "Skip", "Force Approved for Turbot Group"]
{ "type": "string", "enum": [ "Skip", "Force Approved for Turbot Group" ], "default": "Force Approved for Turbot Group"}
AWS > IAM > Group > Approved > Usage
Determine whether the AWS IAM group is allowed to exist.\n\nThis policy will be evaluated by the Approved control. If an AWS IAM group is not approved, it will be subject to the action specified in the AWS > IAM > Group > Approved policy.\n\nSee Approved for more information.\n
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
AWS > IAM > Group > CMDB
Configure whether to record and synchronize details for the AWS IAM group into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Group > Configured
Determine how to configure this resource.\n\nNote: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored\nand inherit from the stack that owns it\n
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Group > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.\nA stack cannot claim a resource if it is already claimed by another\nstack at a higher level of precedence.\n
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Group > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Group > Group Policy Attachments > Active
Check if the AWS IAM group policy attachment is active based on AWS > IAM > Group > Group Policy Attachments > Active > * policies.
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > Group > Group Policy Attachments > Active > Last Modified
Check if the AWS IAM group policy attachment is active based on when it was last modified.
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > Group > Group Policy Attachments > CMDB
Configure whether to record and synchronize details for the AWS IAM group policy attachments into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Group > Group Policy Attachments > Configured
Determine how to configure this resource.\n\nNote: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored\nand inherit from the stack that owns it\n
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Group > Group Policy Attachments > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.\nA stack cannot claim a resource if it is already claimed by another\nstack at a higher level of precedence.\n
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Group > Group Policy Attachments > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Group > Inline Policy > Approved
Determine the action to take when an AWS IAM group inline policy is not approved based on AWS > IAM > Group > Inline Policy > Approved > * policies.\n\nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.\n\nFor any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.\n\nSee Approved for more information.\n
[ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > Group > Inline Policy > Approved > Custom
Determine whether the AWS IAM group inline policy is allowed to exist.\nThis policy will be evaluated by the Approved control. If an AWS IAM group inline policy is not approved, it will be subject to the action specified in the AWS > IAM > Group > Inline Policy > Approved policy.\nSee Approved for more information.\n\nNote: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.\n
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
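The Custom value format above is shared by AWS > IAM > Group > Approved > Custom and AWS > IAM > Group > Inline Policy > Approved > Custom, and the page describes how the parent Approved policy reacts to the result. The following Python is an added example, not Guardrails code: it validates a Custom value against the schema shown (bare result string, one object, or a list of objects, with the title/message length limits and no extra keys), resolves the Usage sub-policy, reduces the sub-policy results to one verdict, and applies the 60-minute "if new" window. The function names are ours; "any Not approved wins" is from the page, while "all Skip means Skip, otherwise Approved" is our reading of it.

```python
"""Added example, not Guardrails code: validate an Approved > Custom value,
combine sub-policy results, and work out the parent Approved action."""
import re

RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")       # schema pattern for title
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")    # schema pattern for message
ALLOWED_KEYS = {"title", "message", "result"}  # additionalProperties: false
NEW_WINDOW_MINUTES = 60                        # "if new" window from the page


def validate_custom_value(value):
    """Accept a bare result string, one object, or a list of objects (the
    schema's anyOf) and return a list of {result, title?, message?} dicts."""
    if isinstance(value, str):
        if not RESULT_RE.match(value):
            raise ValueError(f"bad result string: {value!r}")
        return [{"result": value}]
    if isinstance(value, dict):
        value = [value]
    if not isinstance(value, list):
        raise ValueError("value must be a string, an object or a list of objects")
    checked = []
    for obj in value:
        if not isinstance(obj, dict) or "result" not in obj:
            raise ValueError("each object needs a 'result' key")
        extra = set(obj) - ALLOWED_KEYS
        if extra:
            raise ValueError(f"unexpected keys: {sorted(extra)}")
        if not isinstance(obj["result"], str) or not RESULT_RE.match(obj["result"]):
            raise ValueError(f"bad result: {obj['result']!r}")
        if "title" in obj and not TITLE_RE.match(str(obj["title"])):
            raise ValueError("title must be 1-32 characters")
        if "message" in obj and not MESSAGE_RE.match(str(obj["message"])):
            raise ValueError("message must be 1-128 characters")
        checked.append(dict(obj))
    return checked


def usage_result(setting, iam_enabled):
    """Resolve the Approved > Usage enum; the default depends on AWS > IAM > Enabled."""
    if setting == "Approved if AWS > IAM > Enabled":
        return "Approved" if iam_enabled else "Not approved"
    if setting in ("Approved", "Not approved"):
        return setting
    raise ValueError(f"unknown Usage setting: {setting!r}")


def approved_verdict(results):
    """Unapproved for any reason wins (page); all Skip is Skip (assumption)."""
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"


def enforcement_action(setting, verdict, age_minutes):
    """Action of the parent Approved policy. The 'if new' variant deletes only
    resources created within the last 60 minutes; older ones get the alarm
    but are left in place."""
    if setting == "Skip" or verdict != "Not approved":
        return None
    if setting == "Check: Approved":
        return "alarm"
    if setting == "Enforce: Delete unapproved":
        return "delete"
    if setting == "Enforce: Delete unapproved if new":
        return "delete" if age_minutes <= NEW_WINDOW_MINUTES else "alarm"
    raise ValueError(f"unknown Approved setting: {setting!r}")


def evaluate_group(custom_value, usage_setting, iam_enabled, approved_setting, age_minutes):
    """Return (verdict, action) for one group given its Custom and Usage values."""
    results = [r["result"] for r in validate_custom_value(custom_value)]
    results.append(usage_result(usage_setting, iam_enabled))
    verdict = approved_verdict(results)
    return verdict, enforcement_action(approved_setting, verdict, age_minutes)


if __name__ == "__main__":
    # Constructed sample: a naming rule expressed as a Custom policy value.
    custom = [{"title": "Naming", "result": "Not approved",
               "message": "group name must start with 'app-'"}]
    print(evaluate_group(custom, "Approved if AWS > IAM > Enabled", True,
                         "Enforce: Delete unapproved if new", age_minutes=30))
```

The schema's `additionalProperties: false` matters in practice: a misspelled key such as `reason` is a validation error rather than a silently ignored hint, so the rejection surfaces before the value is ever evaluated.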
AWS > IAM > Group > Inline Policy > Approved > Usage
Determine whether the AWS IAM group inline policy is allowed to exist.\n\nThis policy will be evaluated by the Approved control. If an AWS IAM group inline policy is not approved, it will be subject to the action specified in the AWS > IAM > Group > Inline Policy > Approved policy.\n\nSee Approved for more information.\n
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
AWS > IAM > Group > Inline Policy > CMDB
Configure whether to record and synchronize details for the AWS IAM group inline policy into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Group > Inline Policy > Statements
AWS > IAM > Group > Inline Policy > Statements > Approved
Configure IAM Policy Statements checking. This policy defines whether to verify the\npolicy statements are approved, as well as the subsequent action to take on unapproved\nstatements.\n\nRules for all Approved policies will be compiled in Approved > Compiled Rules\nand then evaluated. If set to "Enforce: Delete unapproved", any unapproved statements\nwill be removed from the policy.\n
[ "Skip", "Check: Approved", "Enforce: Delete Unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete Unapproved" ], "default": "Skip"}
AWS > IAM > Group > Inline Policy > Statements > Approved > Administrator Access
If set to "Disabled", IAM Policy statements that allow any action ('*') on any resource ('*') will be unapproved.\n
[ "Enabled: Allow Administrator Access ('*:*') policies", "Disabled: Disallow Administrator Access ('*:*') policies"]
{ "type": "string", "enum": [ "Enabled: Allow Administrator Access ('*:*') policies", "Disabled: Disallow Administrator Access ('*:*') policies" ], "default": "Enabled: Allow Administrator Access ('*:*') policies"}
AWS > IAM > Group > Inline Policy > Statements > Approved > Compiled Rules
A read-only Object Control List (OCL) to approve or reject policy statements for an IAM policy. This policy is generated by Guardrails based on the "Approved > *" policies.\n
{ "type": "string"}
AWS > IAM > Group > Inline Policy > Statements > Approved > Rules
An Object Control List (OCL) with a list of filter rules to approve or reject IAM policy statements. Note that the Approved control does not operate directly from this policy, but from the Approved > Compiled Rules. The rules are processed in order, and any built-in Guardrails rules will appear first in the list of compiled rules.\nThe final rule is the catch-all: every statement not matched by an earlier rule is approved (APPROVE *) or rejected (REJECT *) by it.\n\nNote: Removing APPROVE * will reject all unmatched statements.\n
{ "type": "string", "default": "# Approve(APPROVE *) / Reject(REJECT *) unmatched rules.\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
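The Statements > Approved policies above describe an ordered rule list: the built-in Administrator Access rule is compiled first, the user's rules follow, and the final APPROVE * / REJECT * line decides everything unmatched. The Python below is an added example, not Guardrails code, that models that ordering over a constructed inline policy document. It does not reproduce the OCL syntax; rules are plain Python predicates, which is our simplification. It shows the '*' on '*' check distinguishing Allow from Deny, and what "Enforce: Delete Unapproved" leaves behind versus "Check: Approved".

```python
"""Added example, not Guardrails code: per-statement approval with a built-in
rule first and a catch-all last, applied to a sample inline policy."""
import copy

ADMIN_ENABLED = "Enabled: Allow Administrator Access ('*:*') policies"
ADMIN_DISABLED = "Disabled: Disallow Administrator Access ('*:*') policies"


def _as_list(value):
    # IAM allows both "Action": "x" and "Action": ["x", "y"]; normalise.
    return value if isinstance(value, list) else [value]


def is_admin_statement(stmt):
    """True for an Allow of any action ('*') on any resource ('*'); '*:*' is
    treated as the same thing. Deny statements never count. A NotAction or
    NotResource form with the same effect is not detected here (known gap)."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {str(a).lower() for a in _as_list(stmt.get("Action", []))}
    resources = {str(r) for r in _as_list(stmt.get("Resource", []))}
    return bool(actions & {"*", "*:*"}) and "*" in resources


def compile_rules(admin_access_setting, catch_all="APPROVE *"):
    """Ordered (name, predicate, decision) list; the first match wins.
    catch_all stands in for the last line of Approved > Rules: the page warns
    that removing APPROVE * rejects every unmatched statement."""
    rules = []
    if admin_access_setting == ADMIN_DISABLED:
        rules.append(("builtin:administrator-access", is_admin_statement, "Not approved"))
    elif admin_access_setting != ADMIN_ENABLED:
        raise ValueError(f"unknown Administrator Access setting: {admin_access_setting!r}")
    final = "Approved" if catch_all.strip() == "APPROVE *" else "Not approved"
    rules.append(("catch-all", lambda _stmt: True, final))
    return rules


def evaluate_statement(stmt, rules):
    """Return (rule name, decision) of the first rule that matches."""
    for name, predicate, decision in rules:
        if predicate(stmt):
            return name, decision
    return "unmatched", "Not approved"


def apply_statements_policy(policy_doc, setting, rules):
    """Return (new_doc, report). 'Enforce: Delete Unapproved' drops unapproved
    statements from a copy; 'Check: Approved' only reports; 'Skip' does nothing."""
    doc = copy.deepcopy(policy_doc)
    if setting == "Skip":
        return doc, []
    report, kept = [], []
    for stmt in _as_list(doc.get("Statement", [])):
        name, decision = evaluate_statement(stmt, rules)
        report.append((stmt.get("Sid", "<no Sid>"), name, decision))
        if setting == "Enforce: Delete Unapproved" and decision == "Not approved":
            continue
        kept.append(stmt)
    if setting == "Enforce: Delete Unapproved":
        doc["Statement"] = kept
    return doc, report


# Constructed sample inline policy; the bucket name is a placeholder.
SAMPLE_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    new_doc, report = apply_statements_policy(
        SAMPLE_DOC, "Enforce: Delete Unapproved", compile_rules(ADMIN_DISABLED))
    for row in report:
        print(row)
    print([s["Sid"] for s in new_doc["Statement"]])
```

Note that with the catch-all switched to REJECT * and no other user rule, every statement is removed under Enforce, including ones that were harmless; that is the behaviour the "Removing APPROVE *" note warns about.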
AWS > IAM > Group > Policy Attachments
AWS > IAM > Group > Policy Attachments > Approved
Configure AWS IAM group policy attachments Approved checking. This policy\ndefines whether to verify the IAM group attached policies are approved\n(per Approved > Compiled Rules), as well as the subsequent action to\ntake on unapproved items.\nIf set to "Enforce: Delete unapproved", any unapproved attached policy\nwill be removed.\n
[ "Skip", "Check: Approved", "Enforce: Delete unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved" ], "example": [ "Skip" ], "default": "Skip"}
AWS > IAM > Group > Policy Attachments > Approved > Compiled Rules
A read-only Object Control List (OCL) to approve or\nreject IAM policies attached to an IAM group.\nThis policy is generated by Turbot.\n
{ "type": "string"}
AWS > IAM > Group > Policy Attachments > Approved > Rules
An Object Control List (OCL) with a list of filter rules\nto approve or reject policies.\nNote that the Approved control does not operate directly from this policy,\nbut from the Approved > Compiled Rules. The rules are processed in order,\nand any built-in Guardrails rules will appear first in the list of compiled rules.\n
{ "type": "string", "default": "# Approve rules\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
AWS > IAM > Group > Policy Attachments > Required
Configure whether required policies should be attached to a group.\nIf set to Enforce, policies in Required > Items will be attached to the group.\n
[ "Skip", "Check: Required > Items", "Enforce: Required > Items"]
{ "type": "string", "enum": [ "Skip", "Check: Required > Items", "Enforce: Required > Items" ], "example": [ "Skip" ], "default": "Skip"}
AWS > IAM > Group > Policy Attachments > Required > Compiled Items
A list of IAM policies that must be attached to a group.\n\nThis is a read-only policy that is generated by Turbot\n
{ "type": "array"}
AWS > IAM > Group > Policy Attachments > Required > Items
A list of IAM policies that must be attached to a group.
{ "type": "array", "items": { "type": "string", "minLength": 1, "maxLength": 128, "pattern": "^[A-Za-z0-9_+=,.@-]+$" }, "default": []}
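The Policy Attachments > Approved and > Required policies act on the same group from two directions: rules decide which attached policies may stay, and Required > Items lists policies that must be present. The Python below is an added example, not Guardrails code, that plans both for one group. The rules text uses a simplified stand-in syntax of our own (one `APPROVE <glob>` or `REJECT <glob>` per line, matched against the policy ARN); only the `APPROVE *` / `REJECT *` lines come from the page, and the glob form is an assumption. Required > Items entries are policy names, validated with the schema's pattern. The constructed sample flags the case a practitioner should watch for: a required policy that the rules would also reject.

```python
"""Added example, not Guardrails code: plan detach/attach actions for one
IAM group from a rules text and a Required > Items list."""
import fnmatch
import re

ITEM_RE = re.compile(r"^[A-Za-z0-9_+=,.@-]+$")  # schema pattern for Required > Items
ITEM_MAX = 128


def parse_rules(text):
    """Return ordered (decision, glob) pairs; '#' starts a comment (our syntax)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        verb, _, pattern = line.partition(" ")
        if verb not in ("APPROVE", "REJECT") or not pattern.strip():
            raise ValueError(f"bad rule: {raw!r}")
        rules.append(("Approved" if verb == "APPROVE" else "Not approved", pattern.strip()))
    return rules


def decide(arn, rules):
    """First matching rule wins; nothing matched means rejected, which is what
    the page says happens once APPROVE * is removed."""
    for decision, pattern in rules:
        if fnmatch.fnmatchcase(arn, pattern):
            return decision
    return "Not approved"


def policy_name(arn):
    return arn.rsplit("/", 1)[-1]


def validate_items(items):
    for item in items:
        if not (1 <= len(item) <= ITEM_MAX) or not ITEM_RE.match(item):
            raise ValueError(f"invalid Required > Items entry: {item!r}")
    return list(items)


def plan(attached_arns, rules_text, required_items, approved_setting, required_setting):
    """Return {'detach': [...], 'attach': [...], 'alarm': [...]} for the group."""
    rules = parse_rules(rules_text)
    required = set(validate_items(required_items))
    out = {"detach": [], "attach": [], "alarm": []}
    if approved_setting != "Skip":
        for arn in attached_arns:
            if decide(arn, rules) == "Not approved":
                if approved_setting == "Enforce: Delete unapproved":
                    out["detach"].append(arn)
                else:
                    out["alarm"].append(f"unapproved attachment: {arn}")
    if required_setting != "Skip":
        detached_names = {policy_name(a) for a in out["detach"]}
        conflict = required & detached_names
        for name in sorted(conflict):
            out["alarm"].append(f"conflict: required policy {name} is rejected by Approved > Rules")
        present = {policy_name(a) for a in attached_arns} - detached_names
        for name in sorted(required - present - conflict):
            if required_setting == "Enforce: Required > Items":
                out["attach"].append(name)
            else:
                out["alarm"].append(f"missing required policy: {name}")
    return out


# Constructed sample; the account id 123456789012 is a placeholder.
ATTACHED = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::123456789012:policy/team-baseline",
]
RULES = """# Reject the AWS-managed admin policy, approve everything else
REJECT arn:aws:iam::aws:policy/AdministratorAccess
APPROVE *
"""

if __name__ == "__main__":
    print(plan(ATTACHED, RULES, ["team-baseline", "SecurityAudit"],
               "Enforce: Delete unapproved", "Enforce: Required > Items"))
```

The conflict check is the part worth keeping: with both controls in Enforce, a required policy rejected by the rules would be detached by one control and re-attached by the other on every evaluation, so the planner reports it as an alarm instead of queueing both actions.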
AWS > IAM > Group > Usage
Configure the number of AWS IAM groups that can be used for this account and the current consumption against the limit.\n\nYou can configure the behavior of the control with this AWS > IAM > Group > Usage policy.\n
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > IAM > Group > Usage > Limit
Maximum number of items that can be created for this account.
{ "type": "integer", "minimum": 0, "default": 300}
AWS > IAM > Instance Profile > CMDB
Configure whether to record and synchronize details for the AWS IAM instance profile into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Instance Profile > Configured
Determine how to configure this resource.\n\nNote: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored\nand inherit from the stack that owns it\n
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Instance Profile > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.\nA stack cannot claim a resource if it is already claimed by another\nstack at a higher level of precedence.\n
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Instance Profile > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Login User Names
AWS IAM user login names
"{\n profile{\n profileId\n }\n}\n"
"{% if $.profile.profileId %}- '{{ $.profile.profileId }}'{% else %} [] {% endif %}"
{ "type": "array"}
AWS > IAM > MFA Virtual > Active
Check if the AWS IAM virtual MFA device is active based on AWS > IAM > MFA Virtual > Active > * policies.
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > MFA Virtual > Active > Last Modified
Check if the AWS IAM virtual MFA device is active based on when it was last modified.
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > MFA Virtual > CMDB
Configure whether to record and synchronize details for the AWS IAM Multi Factor Authentication(MFA) Virtual into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > OpenID Connect > Active
Determine the action to take when an AWS IAM OpenID Connect provider is not active, based on the AWS > IAM > OpenID Connect > Active > * policies.\n\nThe control determines whether the resource is in active use, and if not,\nhas the ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > OpenID Connect > Active > *), raises an alarm, and takes the defined enforcement\naction. Each Active sub-policy can calculate a status of active, inactive\nor skipped. Generally, if the resource appears to be Active for any reason\nit will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered\nUnapproved.\n\nSee Active for more information.\n
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > OpenID Connect > Active > Age
The age after which the AWS IAM OpenID Connect provider\nis no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > OpenID Connect > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > IAM > OpenID Connect > Active > Last Modified
The number of days since the AWS IAM OpenID Connect provider\nwas last modified before it is considered inactive.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > OpenID Connect > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
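The aggregation rule above (active for any reason wins, unlike Approved) is easy to get backwards when reading alarms, so here is the Age and Last Modified evaluation carried through in code. This is an added example, not Turbot Guardrails code: it parses the enum strings listed on this page literally, assumes that the Age policy only ever contributes "inactive" evidence, and treats "Force ..." values as ordinary evidence because this page does not define their precedence. The dates are constructed.

```python
"""Evaluate the Active sub-policies for an IAM OpenID Connect provider
and aggregate them the way the Active control description says.

Added example, not Turbot Guardrails code. Assumptions: the Age policy
only produces inactive evidence, and "Force ..." values are treated like
ordinary evidence (precedence is not defined on this page).
"""
import re
from datetime import datetime, timedelta, timezone

_AGE_RE = re.compile(r"^Force inactive if age > (\d+) days?$")
_LAST_MOD_RE = re.compile(r"^(?:Force active|Active) if last modified <= (\d+) days?$")


def _days_between(earlier: datetime, later: datetime) -> float:
    return (later - earlier) / timedelta(days=1)


def evaluate_age(policy: str, created: datetime, now: datetime) -> str:
    """AWS > IAM > OpenID Connect > Active > Age -> active | inactive | skipped."""
    if policy == "Skip":
        return "skipped"
    match = _AGE_RE.match(policy)
    if match is None:
        raise ValueError(f"unknown Age policy value: {policy!r}")
    # Assumption: Age only says "inactive" once the threshold is exceeded;
    # below the threshold it has nothing to say about the resource.
    return "inactive" if _days_between(created, now) > int(match.group(1)) else "skipped"


def evaluate_last_modified(policy: str, modified: datetime, now: datetime) -> str:
    """AWS > IAM > OpenID Connect > Active > Last Modified -> active | inactive | skipped."""
    if policy == "Skip":
        return "skipped"
    match = _LAST_MOD_RE.match(policy)
    if match is None:
        raise ValueError(f"unknown Last Modified policy value: {policy!r}")
    return "active" if _days_between(modified, now) <= int(match.group(1)) else "inactive"


def aggregate_active(statuses) -> str:
    """Active control: any sub-policy saying active wins; inactive only when
    some sub-policy says inactive and none says active; otherwise skipped."""
    statuses = list(statuses)
    if "active" in statuses:
        return "active"
    if "inactive" in statuses:
        return "inactive"
    return "skipped"


def oidc_active_status(created, modified, now, age_policy, last_modified_policy) -> str:
    """Combine the Age and Last Modified sub-policies for one provider."""
    return aggregate_active([
        evaluate_age(age_policy, created, now),
        evaluate_last_modified(last_modified_policy, modified, now),
    ])


# Constructed sample: a provider created 17 months ago, one copy touched two
# weeks ago and one idle for six months (dates are not from the page).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CREATED = datetime(2023, 1, 1, tzinfo=timezone.utc)
RECENTLY_MODIFIED = datetime(2024, 5, 18, tzinfo=timezone.utc)
LONG_IDLE = datetime(2023, 12, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, modified in (("recently modified", RECENTLY_MODIFIED), ("long idle", LONG_IDLE)):
        status = oidc_active_status(CREATED, modified, NOW,
                                    "Force inactive if age > 365 days",
                                    "Active if last modified <= 90 days")
        print(f"{label}: {status}")
```

Note the first sample: the provider is older than the 365-day Age threshold, so Age reports inactive, yet a modification 14 days ago makes Last Modified report active, and the resource is treated as active. With the Approved control the equivalent split would go the other way.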
AWS > IAM > OpenID Connect > Approved
Determine the action to take when an AWS IAM OpenID Connect provider is not approved based on the AWS > IAM > OpenID Connect > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement action that specifies "if new", e.g. Enforce: Delete unapproved if new, this control will only take the enforcement action for resources created within the last 60 minutes; for older unapproved resources it raises the alarm only.

See Approved for more information.
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > OpenID Connect > Approved > Custom
Determine whether the AWS IAM OpenID Connect provider is allowed to exist. This policy will be evaluated by the Approved control. If the provider is not approved, it will be subject to the action specified in the AWS > IAM > OpenID Connect > Approved policy.

See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or one or more YAML objects. Each object must contain the key result with a value of Approved or Not approved (the schema below also accepts Skip). A custom title (1 to 32 characters) and message (1 to 128 characters) can be added using the keys title and message respectively; no other keys are allowed.
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
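Because a malformed Custom value silently fails to reject anything, it is worth checking the shape before it reaches the control. The block below is an added example, not Turbot Guardrails code: it validates an already-parsed Custom value against the schema just shown (result enum, title 1 to 32 characters, message 1 to 128 characters, no extra keys), then applies the Approved aggregation rule and the 60-minute "if new" window from the Approved description above. The sample results, dates and the usage_result argument (the already-evaluated outcome of Approved > Usage) are constructed.

```python
"""Validate an Approved > Custom value and decide what the Approved control
would do with it.

Added example, not Turbot Guardrails code. The schema limits and the
60-minute "if new" window come from this page; sample data is constructed.
"""
from datetime import datetime, timedelta, timezone

RESULTS = ("Approved", "Not approved", "Skip")
TITLE_MAX, MESSAGE_MAX = 32, 128
NEW_WINDOW = timedelta(minutes=60)  # "if new": created within the last 60 minutes


def _check_object(obj):
    """One YAML object: result required, optional title/message, nothing else."""
    if not isinstance(obj, dict):
        raise ValueError(f"expected an object, got {type(obj).__name__}")
    extra = set(obj) - {"title", "message", "result"}
    if extra:
        raise ValueError(f"unexpected keys: {sorted(extra)}")
    if obj.get("result") not in RESULTS:
        raise ValueError(f"result must be one of {RESULTS}, got {obj.get('result')!r}")
    for key, limit in (("title", TITLE_MAX), ("message", MESSAGE_MAX)):
        if key in obj and not (isinstance(obj[key], str) and 1 <= len(obj[key]) <= limit):
            raise ValueError(f"{key} must be a string of 1..{limit} characters")
    return dict(obj)


def normalise_custom(value):
    """Return the value as a list of {'result', ...} dicts, or raise ValueError."""
    if isinstance(value, str):
        if value not in RESULTS:
            raise ValueError(f"string value must be one of {RESULTS}, got {value!r}")
        return [{"result": value}]
    if isinstance(value, dict):
        return [_check_object(value)]
    if isinstance(value, list):
        return [_check_object(item) for item in value]
    raise ValueError("value must be a string, an object or a list of objects")


def is_valid_custom(value) -> bool:
    try:
        normalise_custom(value)
        return True
    except ValueError:
        return False


def aggregate_approved(results) -> str:
    """Approved control: Not approved for any reason wins (the Active control
    is the other way round: active for any reason wins)."""
    results = list(results)
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"


def approved_action(policy, custom_value, usage_result, created, now) -> str:
    """Action of AWS > IAM > OpenID Connect > Approved: 'none', 'alarm' or 'delete'."""
    if policy == "Skip":
        return "none"
    results = [item["result"] for item in normalise_custom(custom_value)] + [usage_result]
    if aggregate_approved(results) != "Not approved":
        return "none"
    if policy == "Check: Approved":
        return "alarm"
    if policy == "Enforce: Delete unapproved if new":
        # Enforcement only for resources created in the last 60 minutes;
        # older unapproved resources still raise the alarm.
        return "delete" if now - created <= NEW_WINDOW else "alarm"
    raise ValueError(f"unknown Approved policy value: {policy!r}")


# Constructed sample values (not from the page).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
JUST_CREATED = NOW - timedelta(minutes=10)
OLD = NOW - timedelta(hours=3)
REJECT_ISSUER = [
    {"title": "Issuer not allow-listed", "result": "Not approved",
     "message": "OIDC provider URL is not in the approved identity provider list"},
]

if __name__ == "__main__":
    for created in (JUST_CREATED, OLD):
        print(approved_action("Enforce: Delete unapproved if new", REJECT_ISSUER,
                              "Approved", created, NOW))
```

The title and message limits matter in practice: a message over 128 characters makes the whole value invalid, so keep the detail in the title and point at the policy rather than padding the message.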
AWS > IAM > OpenID Connect > Approved > Usage
Determine whether the AWS IAM OpenID Connect provider is allowed to exist.

This policy will be evaluated by the Approved control. If the provider is not approved, it will be subject to the action specified in the AWS > IAM > OpenID Connect > Approved policy.

See Approved for more information.
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
AWS > IAM > OpenID Connect > CMDB
Configure whether to record and synchronize details for the AWS IAM OpenID Connect provider into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > OpenID Connect > Configured
Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > OpenID Connect > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > OpenID Connect > Configured > Source
An HCL- or JSON-format Terraform configuration source used to configure this resource.
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > OpenID Connect > Tags
Determine the action to take when the tags on an AWS IAM OpenID Connect provider are not updated based on the AWS > IAM > OpenID Connect > Tags > * policies.

The control ensures the AWS IAM OpenID Connect provider's tags include the tags defined in AWS > IAM > OpenID Connect > Tags > Template.

Tags not defined in the OpenID Connect Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > IAM > OpenID Connect > Tags > Template
The template is used to generate the tag keys and values for the AWS IAM OpenID Connect provider.

Tags not defined in the OpenID Connect Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-iam#/policy/types/iamTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
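The two tag rules (keys missing from the template are left alone; a value of undefined deletes the key) decide whether a Check alarm fires or an Enforce run rewrites tags, so here they are applied to a sample provider. This is an added example, not Turbot Guardrails code. It assumes the template arrives already parsed, either as a map or as the list of single-key maps the template above emits, and that the YAML word undefined arrives as the string "undefined" (None is accepted as well). The sample tags are constructed.

```python
"""Apply an OpenID Connect Tags Template to a provider's current tags and
report what the Tags control would do.

Added example, not Turbot Guardrails code. Assumptions: template is a map
or a list of single-key maps; "undefined" (or None) means delete the tag.
"""

DELETE_MARKERS = ("undefined", None)


def normalise_template(template):
    """Flatten a map or a list of single-key maps into one {key: value} map."""
    if isinstance(template, dict):
        return dict(template)
    if isinstance(template, list):
        merged = {}
        for item in template:
            if not isinstance(item, dict) or len(item) != 1:
                raise ValueError(f"template list items must be single-key maps, got {item!r}")
            merged.update(item)
        return merged
    raise ValueError("template must be a map or a list of single-key maps")


def apply_tags_template(current, template):
    """Return the tag set the control wants to see on the resource."""
    desired = dict(current)
    for key, value in normalise_template(template).items():
        if value in DELETE_MARKERS:
            desired.pop(key, None)     # "undefined": delete the tag if present
        else:
            desired[key] = str(value)  # set or overwrite; keys not in the template stay
    return desired


def tags_control(policy, current, template):
    """Outcome of AWS > IAM > OpenID Connect > Tags as (status, resulting tags)."""
    if policy == "Skip":
        return "skipped", dict(current)
    desired = apply_tags_template(current, template)
    if desired == current:
        return "ok", dict(current)
    if policy == "Check: Tags are correct":
        return "alarm", dict(current)   # report only, tags left as they are
    if policy == "Enforce: Set tags":
        return "enforced", desired      # tags rewritten to the desired set
    raise ValueError(f"unknown Tags policy value: {policy!r}")


# Constructed sample (not from the page): CostCenter is not in the template
# and must survive untouched.
CURRENT_TAGS = {"Owner": "alice", "Temporary": "true", "CostCenter": "1234"}
TEMPLATE = [
    {"Owner": "platform-team"},   # overwrite an existing tag
    {"Temporary": "undefined"},   # delete a tag
    {"ManagedBy": "guardrails"},  # add a tag
]

if __name__ == "__main__":
    for policy in ("Check: Tags are correct", "Enforce: Set tags"):
        print(policy, tags_control(policy, CURRENT_TAGS, TEMPLATE))
```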
AWS > IAM > OpenID Connect > Usage
Configure the number of AWS IAM OpenID Connect providers that can be used for this account and the current consumption against the limit.

You can configure the behavior of the control with this AWS > IAM > OpenID Connect > Usage policy.
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > IAM > OpenID Connect > Usage > Limit
Maximum number of items that can be created for this account.
{ "type": "integer", "minimum": 0, "default": 100}
AWS > IAM > Permissions
Configure whether permissions policies are in effect for AWS IAM. This setting does not affect account level permissions (AWS/Admin, AWS/Owner, etc).

Note: The behavior of this policy depends on the value of AWS > Permissions.
[ "Enabled", "Disabled", "Enabled if AWS > IAM > Enabled & AWS > IAM > API Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if AWS > IAM > Enabled & AWS > IAM > API Enabled" ], "example": [ "Enabled" ], "default": "Enabled if AWS > IAM > Enabled & AWS > IAM > API Enabled"}
AWS > IAM > Permissions > Levels
Define the permissions levels that can be used to grant access to an AWS account. Permissions levels defined will appear in the UI to assign access to Guardrails users. This policy provides a default for Permissions > Levels in each service, however you can explicitly override the