Product logo
DocsBlogPricing

Policy types for @turbot/aws-iam

AWS > Account > Permissions

URI
tmod:@turbot/aws-iam#/policy/types/accountPermissions
Category
Parent
Targets

AWS > Account > Permissions > Lockdown

URI
tmod:@turbot/aws-iam#/policy/types/accountPermissionsLockdown
Category
Parent
Targets

AWS > Account > Permissions > Lockdown > Budget

Configure lockdown policies to restrict APIs based on the\nbudget state (when the current spend exceeds a defined threshold).\n

URI
tmod:@turbot/aws-iam#/policy/types/accountPermissionsLockdownBudget
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Restrict APIs per `Lockdown > Budget > Restricted APIs`"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Restrict APIs per `Lockdown > Budget > Restricted APIs`"
  ],
  "default": "Skip"
}

AWS > Account > Permissions > Lockdown > Budget > Restricted APIs

A yaml object that contains a list of APIs that should\nbe restricted when the budget reaches a specific state.\n\nFor example, to restrict users from running and starting\nnew ec2 instances, starting RDS databases, or creating\nRedshift clusters when the budget state is Critical or\nhigher, enter:\n\n\nCritical:\n - ec2:RunInstance\n - ec2:StartInstance\n - rds:StartDB*\n - redshift:createcluster\n\n

URI
tmod:@turbot/aws-iam#/policy/types/accountPermissionsLockdownBudgetRestrictedApis
Category
Parent
Targets
Schema

AWS > IAM > API Enabled

Configure whether the AWS S3 API is enabled.\n\nNote: Disabling the service disables the API for ALL users\nand roles, and Guardrails will have no access to the API.\n

URI
tmod:@turbot/aws-iam#/policy/types/iamApiEnabled
Category
Parent
Targets
Valid Value
[
  "Enabled",
  "Disabled",
  "Enabled if AWS > IAM > Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Enabled",
    "Disabled",
    "Enabled if AWS > IAM > Enabled"
  ],
  "default": "Enabled"
}

AWS > IAM > Access Analyzer > Active

Determine the action to take when an AWS IAM access analyzer, based on the AWS > IAM > Access Analyzer > Active > * policies.\n\nThe control determines whether the resource is in active use, and if not,\nhas the ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > Access Analyzer > Active > *), raises an alarm, and takes the defined enforcement\naction. Each Active sub-policy can calculate a status of active, inactive\nor skipped. Generally, if the resource appears to be Active for any reason\nit will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered\nUnapproved.\n\nSee Active for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerActive
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > IAM > Access Analyzer > Active > Age

The age after which the AWS IAM access analyzer\nis no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > Access Analyzer > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerActiveAge
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > IAM > Access Analyzer > Active > Last Modified

The number of days since the AWS IAM access analyzer\nwas last modified before it is considered inactive.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > Access Analyzer > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerActiveLastModified
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > IAM > Access Analyzer > Approved

Determine the action to take when an AWS IAM access analyzer is not approved based on AWS > IAM > Access Analyzer > Approved > * policies.\n\nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.\n\nFor any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.\n\nSee Approved for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > IAM > Access Analyzer > Approved > Custom

Determine whether the AWS IAM access analyzer is allowed to exist.\nThis policy will be evaluated by the Approved control. If an AWS IAM access analyzer is not approved, it will be subject to the action specified in the AWS > IAM > Access Analyzer > Approved policy.\nSee Approved for more information.\n\nNote: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerApprovedCustom
Category
Parent
Targets
Schema
{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

AWS > IAM > Access Analyzer > Approved > Regions

A list of AWS regions in which AWS IAM access analyzers are approved for use.\n\nThe expected format is an array of regions names. You may use the '*' and '?' wildcard characters.\n\nThis policy will be evaluated by the Approved control. If an AWS IAM access analyzer is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > IAM > Access Analyzer > Approved policy.\n\nSee Approved for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerApprovedRegions
Category
Parent
Targets
Default Template Input
"{\n  regions: policy(uri: \"tmod:@turbot/aws-iam#/policy/types/accessAnalyzerRegions\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"
Schema

AWS > IAM > Access Analyzer > Approved > Usage

Determine whether the AWS IAM access analyzer is allowed to exist.\n\nThis policy will be evaluated by the Approved control. If an AWS IAM access analyzer is not approved, it will be subject to the action specified in the AWS > IAM > Access Analyzer > Approved policy.\n\nSee Approved for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerApprovedUsage
Category
Parent
Targets
Valid Value
[
  "Not approved",
  "Approved",
  "Approved if AWS > IAM > Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > IAM > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > IAM > Enabled"
}

AWS > IAM > Access Analyzer > CMDB

Configure whether to record and synchronize details for the AWS IAM access analyzer into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n\nCMDB controls also use the Regions policy associated with the resource. If region is not in AWS > IAM > Access Analyzer > Regions policy, the CMDB control will delete the resource from the CMDB.\n\n(Note: Setting CMDB to "Skip" will also pause these changes.)\n

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > IAM > Access Analyzer > Configured

Determine how to configure this resource.\n\nNote: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored\nand inherit from the stack that owns it.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerConfigured
Category
Parent
Targets
Valid Value
[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
  "enum": [
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

AWS > IAM > Access Analyzer > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.\nA stack cannot claim a resource if it is already claimed by another\nstack at a higher level of precedence.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerConfiguredPrecedence
Category
Parent
Targets
Default Template Input
"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
  "type": "array",
  "items": {
    "type": "string"
  }
}

AWS > IAM > Access Analyzer > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerConfiguredSource
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

AWS > IAM > Access Analyzer > Regions

A list of AWS regions in which AWS IAM access analyzers are supported for use.\n\nAny access analyzers in a region not listed here will not be recorded in CMDB.\n\nThe expected format is an array of regions names. You may use the '*' and\n'?' wildcard characters.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerRegions
Category
Parent
Targets
Schema
{
  "allOf": [
    {
      "$ref": "aws#/definitions/regionNameMatcherList"
    },
    {
      "default": [
        "af-south-1",
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-northeast-3",
        "ap-south-1",
        "ap-southeast-1",
        "ap-southeast-2",
        "ca-central-1",
        "eu-central-1",
        "eu-north-1",
        "eu-south-1",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-gov-east-1",
        "us-gov-west-1",
        "us-west-1",
        "us-west-2"
      ]
    }
  ]
}

AWS > IAM > Access Analyzer > Tags

Determine the action to take when an AWS IAM access analyzer tags are not updated based on the AWS > IAM > Access Analyzer > Tags > * policies.\n\nThe control ensure AWS IAM access analyzer tags include tags defined in AWS > IAM > Access Analyzer > Tags > Template.\n\nTags not defined in Access Analyzer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.\n\nSee Tags for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerTags
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

AWS > IAM > Access Analyzer > Tags > Template

The template is used to generate the keys and values for AWS IAM access analyzer.\n\nTags not defined in Access Analyzer Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.\n\nSee Tags for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerTagsTemplate
Category
Parent
Targets
Default Template Input
[
  "{\n  account {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/aws-iam#/policy/types/iamTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n    value\n  }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
Schema

AWS > IAM > Access Key > Active

Determine the action to take when an AWS IAM access key, based on the AWS > IAM > Access Key > Active > * policies.\n\nThe control determines whether the resource is in active use, and if not,\nhas the ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > Access Key > Active > *), raises an alarm, and takes the defined enforcement\naction. Each Active sub-policy can calculate a status of active, inactive\nor skipped. Generally, if the resource appears to be Active for any reason\nit will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered\nUnapproved.\n\nSee Active for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyActive
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning",
  "Enforce: Deactivate inactive with 1 day warning",
  "Enforce: Deactivate inactive with 3 days warning",
  "Enforce: Deactivate inactive with 7 days warning",
  "Enforce: Deactivate inactive with 14 days warning",
  "Enforce: Deactivate inactive with 30 days warning",
  "Enforce: Deactivate inactive with 60 days warning",
  "Enforce: Deactivate inactive with 90 days warning",
  "Enforce: Deactivate inactive with 180 days warning",
  "Enforce: Deactivate inactive with 365 days warning"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning",
    "Enforce: Deactivate inactive with 1 day warning",
    "Enforce: Deactivate inactive with 3 days warning",
    "Enforce: Deactivate inactive with 7 days warning",
    "Enforce: Deactivate inactive with 14 days warning",
    "Enforce: Deactivate inactive with 30 days warning",
    "Enforce: Deactivate inactive with 60 days warning",
    "Enforce: Deactivate inactive with 90 days warning",
    "Enforce: Deactivate inactive with 180 days warning",
    "Enforce: Deactivate inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > IAM > Access Key > Active > Age

The age after which the AWS IAM access key\nis no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > Access Key > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyActiveAge
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > IAM > Access Key > Active > Last Modified

The number of days since the AWS IAM access key\nwas last modified before it is considered inactive.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > Access Key > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyActiveLastModified
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > IAM > Access Key > Active > Recently Used

The number of days since the AWS IAM access key was last used before it is considered inactive.\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > Access Key > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\nSee Active for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyActiveRecentlyUsed
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if recently used <= 1 day",
  "Active if recently used <= 3 days",
  "Active if recently used <= 7 days",
  "Active if recently used <= 14 days",
  "Active if recently used <= 30 days",
  "Active if recently used <= 60 days",
  "Active if recently used <= 90 days",
  "Active if recently used <= 180 days",
  "Active if recently used <= 365 days",
  "Force active if recently used <= 1 day",
  "Force active if recently used <= 3 days",
  "Force active if recently used <= 7 days",
  "Force active if recently used <= 14 days",
  "Force active if recently used <= 30 days",
  "Force active if recently used <= 60 days",
  "Force active if recently used <= 90 days",
  "Force active if recently used <= 180 days",
  "Force active if recently used <= 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if recently used <= 1 day",
    "Active if recently used <= 3 days",
    "Active if recently used <= 7 days",
    "Active if recently used <= 14 days",
    "Active if recently used <= 30 days",
    "Active if recently used <= 60 days",
    "Active if recently used <= 90 days",
    "Active if recently used <= 180 days",
    "Active if recently used <= 365 days",
    "Force active if recently used <= 1 day",
    "Force active if recently used <= 3 days",
    "Force active if recently used <= 7 days",
    "Force active if recently used <= 14 days",
    "Force active if recently used <= 30 days",
    "Force active if recently used <= 60 days",
    "Force active if recently used <= 90 days",
    "Force active if recently used <= 180 days",
    "Force active if recently used <= 365 days"
  ],
  "example": [
    "Active if recently used <= 90 days"
  ],
  "default": "Skip"
}

AWS > IAM > Access Key > Active > Status

The policy allows you to\ncheck which status determines if the AWS IAM access key is active.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > Access Key > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n\nThe policy values for AWS IAM access key are deprecated and replaced by new values.\nThe deprecated values will be removed in next major version.\n\n| Deprecated Values | Current Values |\n|-------------------------------------|----------------------------------------|\n| Active if status is active | Active if $.Status is active |\n| Force active if status is active | Force active if $.Status is active |\n

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyActiveStatus
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if status is active",
  "Force active if status is active",
  "Active if $.Status is active",
  "Force active if $.Status is active"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if status is active",
    "Force active if status is active",
    "Active if $.Status is active",
    "Force active if $.Status is active"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > IAM > Access Key > CMDB

Configure whether to record and synchronize details for the AWS IAM access key into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > IAM > Access Key > Configured

Determine how to configure this resource.\n\nNote: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored\nand inherit from the stack that owns it\n

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyConfigured
Category
Parent
Targets
Valid Value
[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
  "enum": [
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

AWS > IAM > Access Key > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.\nA stack cannot claim a resource if it is already claimed by another\nstack at a higher level of precedence.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyConfiguredPrecedence
Category
Parent
Targets
Default Template Input
"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
  "type": "array",
  "items": {
    "type": "string"
  }
}

AWS > IAM > Access Key > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyConfiguredSource
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

AWS > IAM > Access Key > Usage

Configure the number of AWS IAM access keys that can be used for this user and the current consumption against the limit.\n\nYou can configure the behavior of the control with this AWS > IAM > Access Key > Usage policy.\n

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyUsage
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Usage <= 85% of Limit",
  "Check: Usage <= 100% of Limit"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Usage <= 85% of Limit",
    "Check: Usage <= 100% of Limit"
  ],
  "example": [
    "Check: Usage <= 85% of Limit"
  ],
  "default": "Skip"
}

AWS > IAM > Access Key > Usage > Limit

Maximum number of items that can be created for this user.

URI
tmod:@turbot/aws-iam#/policy/types/accessKeyUsageLimit
Category
Parent
Targets
Schema
{
  "type": "integer",
  "minimum": 0,
  "default": 2
}

AWS > IAM > Account Password Policy > CMDB

Configure whether to record and synchronize details for the AWS IAM account password policy into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicyCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > IAM > Account Password Policy > Configured

Determine how to configure this resource.\n\nNote: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored\nand inherit from the stack that owns it\n

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicyConfigured
Category
Parent
Targets
Valid Value
[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
  "enum": [
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

AWS > IAM > Account Password Policy > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.\nA stack cannot claim a resource if it is already claimed by another\nstack at a higher level of precedence.\n

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicyConfiguredPrecedence
Category
Parent
Targets
Default Template Input
"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
  "type": "array",
  "items": {
    "type": "string"
  }
}

AWS > IAM > Account Password Policy > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicyConfiguredSource
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

AWS > IAM > Account Password Policy > Settings

Check if the IAM account password policy is in sync with the account password settings policies.

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettings
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Configured",
  "Enforce: Configured"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Configured",
    "Enforce: Configured"
  ],
  "example": [
    "Check: Configured"
  ],
  "default": "Skip"
}

AWS > IAM > Account Password Policy > Settings > Allow Users to Change

You can permit all IAM users in your account to use the IAM console to change their own passwords, as described in Permitting IAM users to change their own passwords.\n\nRefer to Setting an account password policy for IAM users for more information on account password policies.\n

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsAllowUsersToChange
Category
Parent
Targets
Valid Value
[
  "Enabled",
  "Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Enabled",
    "Disabled"
  ],
  "example": "Enabled",
  "default": "Enabled"
}

AWS > IAM > Account Password Policy > Settings > Hard Expiry

You can prevent IAM users from choosing a new password after their current password has expired. For example, a password policy can specify a password expiration period. If an IAM user fails to choose a new password before the expiration period ends, the IAM user cannot set a new password. In that case, the IAM user must request a password reset from an account administrator in order to regain access to the AWS Management Console. You can also leave this check box cleared. If an IAM user allows his or her password to expire, the user in this scenario is required to set a new password before accessing the AWS Management Console.\n\nRefer to Setting an account password policy for IAM users for more information on account password policies.\n

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsHardExpiry
Category
Parent
Targets
Valid Value
[
  "Enabled",
  "Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Enabled",
    "Disabled"
  ],
  "example": "Enabled",
  "default": "Enabled"
}

AWS > IAM > Account Password Policy > Settings > Max Age

You can set IAM user passwords to be valid for only the specified number of days. You specify the number of days that passwords remain valid after they are set. For example, when you enable password expiration and set the password expiration period to 90 days, an IAM user can use a password for up to 90 days. After 90 days, the password expires and the IAM user must set a new password before accessing the AWS Management Console. You can choose a password expiration period between 1 and 1095 days, inclusive.\n\nRefer to Setting an account password policy for IAM users for more information on account password policies.\n

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsMaxAge
Category
Parent
Targets
Schema
{
  "type": "integer",
  "minimum": 1,
  "maximum": 1095,
  "example": 90,
  "default": 90
}

AWS > IAM > Account Password Policy > Settings > Minimum Length

You can specify the minimum number of characters allowed in an IAM user password. You can type any number from 6 to 128.\n\nRefer to Setting an account password policy for IAM users for more information on account password policies.\n

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsMinimumLength
Category
Parent
Targets
Schema
{
  "type": "integer",
  "minimum": 6,
  "maximum": 128,
  "example": 14,
  "default": 14
}

AWS > IAM > Account Password Policy > Settings > Require Lowercase Characters

You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z).\n\nRefer to Setting an account password policy for IAM users for more information on account password policies.\n

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireLowercaseCharacters
Category
Parent
Targets
Valid Value
[
  "Enabled",
  "Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Enabled",
    "Disabled"
  ],
  "example": "Enabled",
  "default": "Enabled"
}

AWS > IAM > Account Password Policy > Settings > Require Numbers

You can require that IAM user passwords contain at least one numeric character (0 to 9).\n\nRefer to Setting an account password policy for IAM users for more information on account password policies.\n

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireNumbers
Category
Parent
Targets
Valid Value
[
  "Enabled",
  "Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Enabled",
    "Disabled"
  ],
  "example": "Enabled",
  "default": "Enabled"
}

AWS > IAM > Account Password Policy > Settings > Require Symbols

You can require that IAM user passwords contain at least one of the following nonalphanumeric characters:\n! @ # $ % ^ &amp; * ( ) _ + - = [ ] { } | &#39;\n\nRefer to Setting an account password policy for IAM users for more information on account password policies.\n

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireSymbols
Category
Parent
Targets
Valid Value
[
  "Enabled",
  "Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Enabled",
    "Disabled"
  ],
  "example": "Enabled",
  "default": "Enabled"
}

AWS > IAM > Account Password Policy > Settings > Require Uppercase Characters

You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).\n\nRefer to Setting an account password policy for IAM users for more information on account password policies.\n

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireUppercaseCharacters
Category
Parent
Targets
Valid Value
[
  "Enabled",
  "Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Enabled",
    "Disabled"
  ],
  "example": "Enabled",
  "default": "Enabled"
}

AWS > IAM > Account Password Policy > Settings > Reuse Prevention

You can prevent IAM users from reusing a specified number of previous passwords. You can set the number of previous passwords from 1 to 24, inclusive.\n\nRefer to Setting an account password policy for IAM users for more information on account password policies.\n

URI
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsReusePrevention
Category
Parent
Targets
Schema
{
  "type": "integer",
  "minimum": 1,
  "maximum": 24,
  "example": 5,
  "default": 5
}

AWS > IAM > Account Summary > CMDB

Configure whether to record and synchronize details for the AWS IAM account summary into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n

URI
tmod:@turbot/aws-iam#/policy/types/accountSummaryCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > IAM > Credential Report > CMDB

Configure whether to record and synchronize details for the AWS IAM credential report into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n

URI
tmod:@turbot/aws-iam#/policy/types/credentialReportCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > IAM > Enabled

Enabled IAM.

URI
tmod:@turbot/aws-iam#/policy/types/iamEnabled
Category
Parent
Targets
Valid Value
[
  "Enabled",
  "Enabled: Metadata Only",
  "Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Enabled",
    "Enabled: Metadata Only",
    "Disabled"
  ],
  "example": [
    "Enabled"
  ],
  "default": "Disabled"
}

AWS > IAM > Group > Active

Determine the action to take when an AWS IAM group, based on the AWS > IAM > Group > Active > * policies.\n\nThe control determines whether the resource is in active use, and if not,\nhas the ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > Group > Active > *), raises an alarm, and takes the defined enforcement\naction. Each Active sub-policy can calculate a status of active, inactive\nor skipped. Generally, if the resource appears to be Active for any reason\nit will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered\nUnapproved.\n\nSee Active for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupActive
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > IAM > Group > Active > Age

The age after which the AWS IAM group\nis no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > Group > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupActiveAge
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > IAM > Group > Active > Budget

The impact of the budget state on the active control. This policy allows you to force\ngroups to inactive based on the current budget state, as reflected in\nAWS > Account > Budget > State\n\nThe Active control determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated compliance\nenvironment, it's common to end up with a wide range of alarms that are difficult\nand time consuming to clear. The Active control brings automated, well-defined\ncontrol to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > Group > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupActiveBudget
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if Budget > State is Over or higher",
  "Force inactive if Budget > State is Critical or higher",
  "Force inactive if Budget > State is Shutdown"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if Budget > State is Over or higher",
    "Force inactive if Budget > State is Critical or higher",
    "Force inactive if Budget > State is Shutdown"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > IAM > Group > Active > Last Modified

The number of days since the AWS IAM group\nwas last modified before it is considered inactive.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > Group > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupActiveLastModified
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > IAM > Group > Approved

Determine the action to take when an AWS IAM group is not approved based on AWS > IAM > Group > Approved > * policies.\n\nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.\n\nFor any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.\n\nSee Approved for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved",
  "Enforce: Delete unapproved if new"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > IAM > Group > Approved > Budget

The policy allows you to set groups to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State\n\nThis policy will be evaluated by the Approved control. If an AWS IAM group is not matched by the approved list, it will be subject to the action specified in the AWS > IAM > Group > Approved policy.\n\nSee Approved for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupApprovedBudget
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Unapproved if Budget > State is Over or higher",
  "Unapproved if Budget > State is Critical or higher",
  "Unapproved if Budget > State is Shutdown"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Unapproved if Budget > State is Over or higher",
    "Unapproved if Budget > State is Critical or higher",
    "Unapproved if Budget > State is Shutdown"
  ],
  "example": [
    "Unapproved if Budget > State is Shutdown"
  ],
  "default": "Skip"
}

AWS > IAM > Group > Approved > Custom

Determine whether the AWS IAM group is allowed to exist.\nThis policy will be evaluated by the Approved control. If an AWS IAM group is not approved, it will be subject to the action specified in the AWS > IAM > Group > Approved policy.\nSee Approved for more information.\n\nNote: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupApprovedCustom
Category
Parent
Targets
Schema
{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

AWS > IAM > Group > Approved > Turbot

Determine whether IAM Policies that are defined and configured by Guardrails (for example, from the Permissions stack or the Service Roles stack) will always be approved.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupApprovedTurbot
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force Approved for Turbot Group"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force Approved for Turbot Group"
  ],
  "default": "Force Approved for Turbot Group"
}

AWS > IAM > Group > Approved > Usage

Determine whether the AWS IAM group is allowed to exist.\n\nThis policy will be evaluated by the Approved control. If an AWS IAM group is not approved, it will be subject to the action specified in the AWS > IAM > Group > Approved policy.\n\nSee Approved for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupApprovedUsage
Category
Parent
Targets
Valid Value
[
  "Not approved",
  "Approved",
  "Approved if AWS > IAM > Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > IAM > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > IAM > Enabled"
}

AWS > IAM > Group > CMDB

Configure whether to record and synchronize details for the AWS IAM group into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n

URI
tmod:@turbot/aws-iam#/policy/types/groupCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > IAM > Group > Configured

Determine how to configure this resource.\n\nNote: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored\nand inherit from the stack that owns it\n

URI
tmod:@turbot/aws-iam#/policy/types/groupConfigured
Category
Parent
Targets
Valid Value
[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
  "enum": [
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

AWS > IAM > Group > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.\nA stack cannot claim a resource if it is already claimed by another\nstack at a higher level of precedence.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupConfiguredPrecedence
Category
Parent
Targets
Default Template Input
"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
  "type": "array",
  "items": {
    "type": "string"
  }
}

AWS > IAM > Group > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-iam#/policy/types/groupConfiguredSource
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

AWS > IAM > Group > Group Policy Attachments > Active

Check if the AWS IAM Grouppolicyattachment is active based on AWS > IAM > Grouppolicyattachment > Active > * policies.

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentActive
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > IAM > Group > Group Policy Attachments > Active > Last Modified

Check if AWS groupPolicyAttachment is active based on when it was last modified.

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentActiveLastModified
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > IAM > Group > Group Policy Attachments > CMDB

Configure whether to record and synchronize details for the AWS IAM group policy attachments into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > IAM > Group > Group Policy Attachments > Configured

Determine how to configure this resource.\n\nNote: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored\nand inherit from the stack that owns it\n

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentConfigured
Category
Parent
Targets
Valid Value
[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
  "enum": [
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

AWS > IAM > Group > Group Policy Attachments > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.\nA stack cannot claim a resource if it is already claimed by another\nstack at a higher level of precedence.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentConfiguredPrecedence
Category
Parent
Targets
Default Template Input
"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
  "type": "array",
  "items": {
    "type": "string"
  }
}

AWS > IAM > Group > Group Policy Attachments > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentConfiguredSource
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

AWS > IAM > Group > Inline Policy > Approved

Determine the action to take when an AWS IAM group inline policy is not approved based on AWS > IAM > Group > Inline Policy > Approved > * policies.\n\nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.\n\nFor any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.\n\nSee Approved for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved",
  "Enforce: Delete unapproved if new"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > IAM > Group > Inline Policy > Approved > Custom

Determine whether the AWS IAM group inline policy is allowed to exist.\nThis policy will be evaluated by the Approved control. If an AWS IAM group inline policy is not approved, it will be subject to the action specified in the AWS > IAM > Group > Inline Policy > Approved policy.\nSee Approved for more information.\n\nNote: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyApprovedCustom
Category
Parent
Targets
Schema
{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

AWS > IAM > Group > Inline Policy > Approved > Usage

Determine whether the AWS IAM group inline policy is allowed to exist.\n\nThis policy will be evaluated by the Approved control. If an AWS IAM group inline policy is not approved, it will be subject to the action specified in the AWS > IAM > Group > Inline Policy > Approved policy.\n\nSee Approved for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyApprovedUsage
Category
Parent
Targets
Valid Value
[
  "Not approved",
  "Approved",
  "Approved if AWS > IAM > Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > IAM > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > IAM > Enabled"
}

AWS > IAM > Group > Inline Policy > CMDB

Configure whether to record and synchronize details for the AWS IAM group inline policy into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > IAM > Group > Inline Policy > Statements

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatements
Category
Parent
Targets

AWS > IAM > Group > Inline Policy > Statements > Approved

Configure IAM Policy Statements checking. This policy defines whether to verify the\npolicy statements are approved, as well as the subsequent action to take on unapproved\nstatements.\n\nRules for all Approved policies will be compiled in Approved > Compiled Rules\nand then evaluated. If set to "Enforce: Delete unapproved", any unapproved statements\nwill be removed from the policy.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatementsApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved",
  "Enforce: Delete Unapproved"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete Unapproved"
  ],
  "default": "Skip"
}

AWS > IAM > Group > Inline Policy > Statements > Approved > Administrator Access

If set to "Disabled", IAM Policy statements that allow any action ('') on any resource ('') will be unapproved.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatementsApprovedAdminAccess
Category
Parent
Targets
Valid Value
[
  "Enabled: Allow Administrator Access ('*:*') policies",
  "Disabled: Disallow Administrator Access ('*:*') policies"
]
Schema
{
  "type": "string",
  "enum": [
    "Enabled: Allow Administrator Access ('*:*') policies",
    "Disabled: Disallow Administrator Access ('*:*') policies"
  ],
  "default": "Enabled: Allow Administrator Access ('*:*') policies"
}

AWS > IAM > Group > Inline Policy > Statements > Approved > Compiled Rules

A read-only Object Control List (OCL) to approved or reject policy statements for an IAM policy. This policy is generated by Guardrails based on the "Approved > *" policies.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatementsApprovedCompiledRules
Category
Parent
Targets
Schema
{
  "type": "string"
}

AWS > IAM > Group > Inline Policy > Statements > Approved > Rules

An Object Control List (OCL) with a list of filter rules to approve or reject IAM policy statements. Note that the Approved control does not operate directly from this policy, but from the Approved > Compiled Rules. The rules are processed in order, and any built-in Guardrails rules will appear first in the list of compiled rules.\nThis is the last statement, so all unmatched items will be (approved/rejected) by this statement.\n\nNote: Removing APPROVE * will reject all the unmatched rules.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatementsApprovedRules
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "# Approve(APPROVE *) / Reject(REJECT *) unmatched rules.\nAPPROVE *",
  "x-schema-form": {
    "type": "textarea"
  }
}

AWS > IAM > Group > Policy Attachments

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttached
Category
Parent
Targets

AWS > IAM > Group > Policy Attachments > Approved

Configure AWS IAM group policy attachments Approved checking. This policy\ndefines whether to verify the IAM group attached policies are approved\n(per Approved > Compiled Rules), as well as the subsequent action to\ntake on unapproved items.\nIf set to "Enforce: Delete unapproved", any unapproved attached policy\nwill be removed.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentsApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > IAM > Group > Policy Attachments > Approved > Compiled Rules

A read-only Object Control List (OCL) to add or\nremove IAM Policy from a IAM group.\nThis policy is generated by Turbot.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentsApprovedCompiledRules
Category
Parent
Targets
Schema
{
  "type": "string"
}

AWS > IAM > Group > Policy Attachments > Approved > Rules

An Object Control List (OCL) with a list of filter rules\nto approve or reject policies.\nNote that the Approved control does not operate directly from this policy,\nbut from the Approved > Compiled Rules. The rules are processed in order,\nand any built-in Guardrails rules will appear first in the list of compiled rules.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentsApprovedRules
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "# Approve rules\nAPPROVE *",
  "x-schema-form": {
    "type": "textarea"
  }
}

AWS > IAM > Group > Policy Attachments > Required

Configure whether required policies should be attached to a group.\nIf set to Enforce, policies in Required > Items will be attached to the group.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyRequired
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Required > Items",
  "Enforce: Required > Items"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Required > Items",
    "Enforce: Required > Items"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > IAM > Group > Policy Attachments > Required > Compiled Items

A list of IAM policies that must be attached to a group.\n\nThis is a read-only policy that is generated by Turbot\n

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyRequiredCompiledItems
Category
Parent
Targets
Schema
{
  "type": "array"
}

AWS > IAM > Group > Policy Attachments > Required > Items

A list of IAM policies that must be attached to a group.

URI
tmod:@turbot/aws-iam#/policy/types/groupPolicyRequiredItems
Category
Parent
Targets
Schema
{
  "type": "array",
  "items": {
    "type": "string",
    "minLength": 1,
    "maxLength": 128,
    "pattern": "^[A-Za-z0-9_+=,.@-]+$"
  },
  "default": []
}

AWS > IAM > Group > Usage

Configure the number of AWS IAM groups that can be used for this account and the current consumption against the limit.\n\nYou can configure the behavior of the control with this AWS > IAM > Group > Usage policy.\n

URI
tmod:@turbot/aws-iam#/policy/types/groupUsage
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Usage <= 85% of Limit",
  "Check: Usage <= 100% of Limit"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Usage <= 85% of Limit",
    "Check: Usage <= 100% of Limit"
  ],
  "example": [
    "Check: Usage <= 85% of Limit"
  ],
  "default": "Skip"
}

AWS > IAM > Group > Usage > Limit

Maximum number of items that can be created for this account.

URI
tmod:@turbot/aws-iam#/policy/types/groupUsageLimit
Category
Parent
Targets
Schema
{
  "type": "integer",
  "minimum": 0,
  "default": 300
}

AWS > IAM > Instance Profile > CMDB

Configure whether to record and synchronize details for the AWS IAM instance profile into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n

URI
tmod:@turbot/aws-iam#/policy/types/instanceProfileCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > IAM > Instance Profile > Configured

Determine how to configure this resource.\n\nNote: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored\nand inherit from the stack that owns it\n

URI
tmod:@turbot/aws-iam#/policy/types/instanceProfileConfigured
Category
Parent
Targets
Valid Value
[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
  "enum": [
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

AWS > IAM > Instance Profile > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.\nA stack cannot claim a resource if it is already claimed by another\nstack at a higher level of precedence.\n

URI
tmod:@turbot/aws-iam#/policy/types/instanceProfileConfiguredPrecedence
Category
Parent
Targets
Default Template Input
"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
  "type": "array",
  "items": {
    "type": "string"
  }
}

AWS > IAM > Instance Profile > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-iam#/policy/types/instanceProfileConfiguredSource
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

AWS > IAM > Login User Names

AWS IAM user login names

URI
tmod:@turbot/aws-iam#/policy/types/loginUserNames
Category
Parent
Targets
Default Template Input
"{\n  profile{\n    profileId\n  }\n}\n"
Default Template
"{% if $.profile.profileId %}- &#39;{{ $.profile.profileId }}&#39;{% else %} [] {% endif %}"
Schema
{
  "type": "array"
}

AWS > IAM > MFA Virtual > Active

Check if the AWS IAM Mfavirtual is active based on AWS > IAM > Mfavirtual > Active > * policies.

URI
tmod:@turbot/aws-iam#/policy/types/mfaVirtualActive
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > IAM > MFA Virtual > Active > Last Modified

Check if AWS mfaVirtual is active based on when it was last modified.

URI
tmod:@turbot/aws-iam#/policy/types/mfaVirtualActiveLastModified
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > IAM > MFA Virtual > CMDB

Configure whether to record and synchronize details for the AWS IAM Multi Factor Authentication(MFA) Virtual into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n

URI
tmod:@turbot/aws-iam#/policy/types/mfaVirtualCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > IAM > OpenID Connect > Active

Determine the action to take when an AWS IAM openid connect, based on the AWS > IAM > OpenID Connect > Active > * policies.\n\nThe control determines whether the resource is in active use, and if not,\nhas the ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > OpenID Connect > Active > *), raises an alarm, and takes the defined enforcement\naction. Each Active sub-policy can calculate a status of active, inactive\nor skipped. Generally, if the resource appears to be Active for any reason\nit will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered\nUnapproved.\n\nSee Active for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectActive
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > IAM > OpenID Connect > Active > Age

The age after which the AWS IAM openid connect\nis no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > OpenID Connect > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectActiveAge
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > IAM > OpenID Connect > Active > Last Modified

The number of days since the AWS IAM openid connect\nwas last modified before it is considered inactive.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > IAM > OpenID Connect > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectActiveLastModified
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > IAM > OpenID Connect > Approved

Determine the action to take when an AWS IAM openid connect is not approved based on AWS > IAM > OpenID Connect > Approved > * policies.\n\nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.\n\nFor any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.\n\nSee Approved for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > IAM > OpenID Connect > Approved > Custom

Determine whether the AWS IAM openid connect is allowed to exist.\nThis policy will be evaluated by the Approved control. If an AWS IAM openid connect is not approved, it will be subject to the action specified in the AWS > IAM > OpenID Connect > Approved policy.\nSee Approved for more information.\n\nNote: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.\n

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectApprovedCustom
Category
Parent
Targets
Schema
{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

AWS > IAM > OpenID Connect > Approved > Usage

Determine whether the AWS IAM openid connect is allowed to exist.\n\nThis policy will be evaluated by the Approved control. If an AWS IAM openid connect is not approved, it will be subject to the action specified in the AWS > IAM > OpenID Connect > Approved policy.\n\nSee Approved for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectApprovedUsage
Category
Parent
Targets
Valid Value
[
  "Not approved",
  "Approved",
  "Approved if AWS > IAM > Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > IAM > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > IAM > Enabled"
}

AWS > IAM > OpenID Connect > CMDB

Configure whether to record and synchronize details for the AWS IAM openid connect into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > IAM > OpenID Connect > Configured

Determine how to configure this resource.\n\nNote: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored\nand inherit from the stack that owns it.\n

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectConfigured
Category
Parent
Targets
Valid Value
[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
  "enum": [
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

AWS > IAM > OpenID Connect > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.\nA stack cannot claim a resource if it is already claimed by another\nstack at a higher level of precedence.\n

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectConfiguredPrecedence
Category
Parent
Targets
Default Template Input
"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
  "type": "array",
  "items": {
    "type": "string"
  }
}

AWS > IAM > OpenID Connect > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectConfiguredSource
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

AWS > IAM > OpenID Connect > Tags

Determine the action to take when an AWS IAM openid connect tags are not updated based on the AWS > IAM > OpenID Connect > Tags > * policies.\n\nThe control ensure AWS IAM openid connect tags include tags defined in AWS > IAM > OpenID Connect > Tags > Template.\n\nTags not defined in OpenID Connect Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.\n\nSee Tags for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectTags
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

AWS > IAM > OpenID Connect > Tags > Template

The template is used to generate the keys and values for AWS IAM openid connect.\n\nTags not defined in OpenID Connect Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.\n\nSee Tags for more information.\n

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectTagsTemplate
Category
Parent
Targets
Default Template Input
[
  "{\n  account {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/aws-iam#/policy/types/iamTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n    value\n  }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
Schema

AWS > IAM > OpenID Connect > Usage

Configure the number of AWS IAM openid connects that can be used for this account and the current consumption against the limit.\n\nYou can configure the behavior of the control with this AWS > IAM > OpenID Connect > Usage policy.\n

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectUsage
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Usage <= 85% of Limit",
  "Check: Usage <= 100% of Limit"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Usage <= 85% of Limit",
    "Check: Usage <= 100% of Limit"
  ],
  "example": [
    "Check: Usage <= 85% of Limit"
  ],
  "default": "Skip"
}

AWS > IAM > OpenID Connect > Usage > Limit

Maximum number of items that can be created for this account.

URI
tmod:@turbot/aws-iam#/policy/types/openIdConnectUsageLimit
Category
Parent
Targets
Schema
{
  "type": "integer",
  "minimum": 0,
  "default": 100
}

AWS > IAM > Permissions

Configure whether permissions policies are in effect for AWS IAM. This setting does\nnot affect account level permissions (AWS/Admin, AWS/Owner, etc).\n\nNote: The behavior of this policy depends on the value of AWS > Permissions.\n

URI
tmod:@turbot/aws-iam#/policy/types/iamPermissions
Category
Parent
Targets
Valid Value
[
  "Enabled",
  "Disabled",
  "Enabled if AWS > IAM > Enabled & AWS > IAM > API Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Enabled",
    "Disabled",
    "Enabled if AWS > IAM > Enabled & AWS > IAM > API Enabled"
  ],
  "example": [
    "Enabled"
  ],
  "default": "Enabled if AWS > IAM > Enabled & AWS > IAM > API Enabled"
}

AWS > IAM > Permissions > Levels

Define the permissions levels that can be used to grant access to an AWS account.\nPermissions levels defined will appear in the UI to assign access to Guardrails users.\nThis policy provides a default for Permissions > Levels in each service,\nhowever you can explicitly override the