Policy types for @turbot/aws-iam
- AWS > Account > Permissions
- AWS > Account > Permissions > Lockdown
- AWS > Account > Permissions > Lockdown > Budget
- AWS > Account > Permissions > Lockdown > Budget > Restricted APIs
- AWS > IAM > API Enabled
- AWS > IAM > Access Analyzer > Active
- AWS > IAM > Access Analyzer > Active > Age
- AWS > IAM > Access Analyzer > Active > Last Modified
- AWS > IAM > Access Analyzer > Approved
- AWS > IAM > Access Analyzer > Approved > Custom
- AWS > IAM > Access Analyzer > Approved > Regions
- AWS > IAM > Access Analyzer > Approved > Usage
- AWS > IAM > Access Analyzer > CMDB
- AWS > IAM > Access Analyzer > Configured
- AWS > IAM > Access Analyzer > Configured > Claim Precedence
- AWS > IAM > Access Analyzer > Configured > Source
- AWS > IAM > Access Analyzer > Regions
- AWS > IAM > Access Analyzer > Tags
- AWS > IAM > Access Analyzer > Tags > Template
- AWS > IAM > Access Key > Active
- AWS > IAM > Access Key > Active > Age
- AWS > IAM > Access Key > Active > Last Modified
- AWS > IAM > Access Key > Active > Recently Used
- AWS > IAM > Access Key > Active > Status
- AWS > IAM > Access Key > CMDB
- AWS > IAM > Access Key > Configured
- AWS > IAM > Access Key > Configured > Claim Precedence
- AWS > IAM > Access Key > Configured > Source
- AWS > IAM > Access Key > Usage
- AWS > IAM > Access Key > Usage > Limit
- AWS > IAM > Account Password Policy > CMDB
- AWS > IAM > Account Password Policy > Configured
- AWS > IAM > Account Password Policy > Configured > Claim Precedence
- AWS > IAM > Account Password Policy > Configured > Source
- AWS > IAM > Account Password Policy > Settings
- AWS > IAM > Account Password Policy > Settings > Allow Users to Change
- AWS > IAM > Account Password Policy > Settings > Hard Expiry
- AWS > IAM > Account Password Policy > Settings > Max Age
- AWS > IAM > Account Password Policy > Settings > Minimum Length
- AWS > IAM > Account Password Policy > Settings > Require Lowercase Characters
- AWS > IAM > Account Password Policy > Settings > Require Numbers
- AWS > IAM > Account Password Policy > Settings > Require Symbols
- AWS > IAM > Account Password Policy > Settings > Require Uppercase Characters
- AWS > IAM > Account Password Policy > Settings > Reuse Prevention
- AWS > IAM > Account Summary > CMDB
- AWS > IAM > Credential Report > CMDB
- AWS > IAM > Enabled
- AWS > IAM > Group > Active
- AWS > IAM > Group > Active > Age
- AWS > IAM > Group > Active > Budget
- AWS > IAM > Group > Active > Last Modified
- AWS > IAM > Group > Approved
- AWS > IAM > Group > Approved > Budget
- AWS > IAM > Group > Approved > Custom
- AWS > IAM > Group > Approved > Turbot
- AWS > IAM > Group > Approved > Usage
- AWS > IAM > Group > CMDB
- AWS > IAM > Group > Configured
- AWS > IAM > Group > Configured > Claim Precedence
- AWS > IAM > Group > Configured > Source
- AWS > IAM > Group > Group Policy Attachments > Active
- AWS > IAM > Group > Group Policy Attachments > Active > Last Modified
- AWS > IAM > Group > Group Policy Attachments > CMDB
- AWS > IAM > Group > Group Policy Attachments > Configured
- AWS > IAM > Group > Group Policy Attachments > Configured > Claim Precedence
- AWS > IAM > Group > Group Policy Attachments > Configured > Source
- AWS > IAM > Group > Inline Policy > Approved
- AWS > IAM > Group > Inline Policy > Approved > Custom
- AWS > IAM > Group > Inline Policy > Approved > Usage
- AWS > IAM > Group > Inline Policy > CMDB
- AWS > IAM > Group > Inline Policy > Statements
- AWS > IAM > Group > Inline Policy > Statements > Approved
- AWS > IAM > Group > Inline Policy > Statements > Approved > Administrator Access
- AWS > IAM > Group > Inline Policy > Statements > Approved > Compiled Rules
- AWS > IAM > Group > Inline Policy > Statements > Approved > Rules
- AWS > IAM > Group > Policy Attachments
- AWS > IAM > Group > Policy Attachments > Approved
- AWS > IAM > Group > Policy Attachments > Approved > Compiled Rules
- AWS > IAM > Group > Policy Attachments > Approved > Rules
- AWS > IAM > Group > Policy Attachments > Required
- AWS > IAM > Group > Policy Attachments > Required > Compiled Items
- AWS > IAM > Group > Policy Attachments > Required > Items
- AWS > IAM > Group > Usage
- AWS > IAM > Group > Usage > Limit
- AWS > IAM > Instance Profile > CMDB
- AWS > IAM > Instance Profile > Configured
- AWS > IAM > Instance Profile > Configured > Claim Precedence
- AWS > IAM > Instance Profile > Configured > Source
- AWS > IAM > Login User Names
- AWS > IAM > MFA Virtual > Active
- AWS > IAM > MFA Virtual > Active > Last Modified
- AWS > IAM > MFA Virtual > CMDB
- AWS > IAM > OpenID Connect > Active
- AWS > IAM > OpenID Connect > Active > Age
- AWS > IAM > OpenID Connect > Active > Last Modified
- AWS > IAM > OpenID Connect > Approved
- AWS > IAM > OpenID Connect > Approved > Custom
- AWS > IAM > OpenID Connect > Approved > Usage
- AWS > IAM > OpenID Connect > CMDB
- AWS > IAM > OpenID Connect > Configured
- AWS > IAM > OpenID Connect > Configured > Claim Precedence
- AWS > IAM > OpenID Connect > Configured > Source
- AWS > IAM > OpenID Connect > Tags
- AWS > IAM > OpenID Connect > Tags > Template
- AWS > IAM > OpenID Connect > Usage
- AWS > IAM > OpenID Connect > Usage > Limit
- AWS > IAM > Permissions
- AWS > IAM > Permissions > Levels
- AWS > IAM > Permissions > Levels > Modifiers
- AWS > IAM > Permissions > Levels > Service User Access Key Administration
- AWS > IAM > Permissions > Levels > Service User Administration
- AWS > IAM > Permissions > Levels > Service User Password Administration
- AWS > IAM > Permissions > Lockdown
- AWS > IAM > Permissions > Lockdown > API Boundary
- AWS > IAM > Policy > Active
- AWS > IAM > Policy > Active > Age
- AWS > IAM > Policy > Active > Last Modified
- AWS > IAM > Policy > Approved
- AWS > IAM > Policy > Approved > Custom
- AWS > IAM > Policy > Approved > Turbot
- AWS > IAM > Policy > Approved > Usage
- AWS > IAM > Policy > CMDB
- AWS > IAM > Policy > Configured
- AWS > IAM > Policy > Configured > Claim Precedence
- AWS > IAM > Policy > Configured > Source
- AWS > IAM > Policy > Statements
- AWS > IAM > Policy > Statements > Approved
- AWS > IAM > Policy > Statements > Approved > Administrator Access
- AWS > IAM > Policy > Statements > Approved > Compiled Rules
- AWS > IAM > Policy > Statements > Approved > Rules
- AWS > IAM > Policy > Statements > Approved > Turbot
- AWS > IAM > Role > Active
- AWS > IAM > Role > Active > Age
- AWS > IAM > Role > Active > Last Modified
- AWS > IAM > Role > Active > Quarantine Policy Name
- AWS > IAM > Role > Active > Recently Used
- AWS > IAM > Role > Approved
- AWS > IAM > Role > Approved > Custom
- AWS > IAM > Role > Approved > Quarantine Policy Name
- AWS > IAM > Role > Approved > Turbot
- AWS > IAM > Role > Approved > Usage
- AWS > IAM > Role > Boundary
- AWS > IAM > Role > Boundary > Policy
- AWS > IAM > Role > CMDB
- AWS > IAM > Role > Configured
- AWS > IAM > Role > Configured > Claim Precedence
- AWS > IAM > Role > Configured > Source
- AWS > IAM > Role > Inline Policy > Approved
- AWS > IAM > Role > Inline Policy > Approved > Custom
- AWS > IAM > Role > Inline Policy > Approved > Usage
- AWS > IAM > Role > Inline Policy > CMDB
- AWS > IAM > Role > Inline Policy > Configured
- AWS > IAM > Role > Inline Policy > Configured > Claim Precedence
- AWS > IAM > Role > Inline Policy > Configured > Source
- AWS > IAM > Role > Inline Policy > Statements
- AWS > IAM > Role > Inline Policy > Statements > Approved
- AWS > IAM > Role > Inline Policy > Statements > Approved > Administrator Access
- AWS > IAM > Role > Inline Policy > Statements > Approved > Compiled Rules
- AWS > IAM > Role > Inline Policy > Statements > Approved > Rules
- AWS > IAM > Role > Policy
- AWS > IAM > Role > Policy > Trusted Access
- AWS > IAM > Role > Policy > Trusted Access > Accounts
- AWS > IAM > Role > Policy > Trusted Access > Identity Providers
- AWS > IAM > Role > Policy > Trusted Access > Organization Restrictions
- AWS > IAM > Role > Policy > Trusted Access > Services
- AWS > IAM > Role > Policy Attachments
- AWS > IAM > Role > Policy Attachments > Approved
- AWS > IAM > Role > Policy Attachments > Approved > Compiled Rules
- AWS > IAM > Role > Policy Attachments > Approved > Rules
- AWS > IAM > Role > Policy Attachments > Required
- AWS > IAM > Role > Policy Attachments > Required > Compiled Items
- AWS > IAM > Role > Policy Attachments > Required > Items
- AWS > IAM > Role > Policy Attachments > Required > Turbot Lockdown
- AWS > IAM > Role > Role Policy Attachments > Active
- AWS > IAM > Role > Role Policy Attachments > Active > Last Modified
- AWS > IAM > Role > Role Policy Attachments > CMDB
- AWS > IAM > Role > Role Policy Attachments > Configured
- AWS > IAM > Role > Role Policy Attachments > Configured > Claim Precedence
- AWS > IAM > Role > Role Policy Attachments > Configured > Source
- AWS > IAM > Role > Tags
- AWS > IAM > Role > Tags > Template
- AWS > IAM > Role > Trust Relationship Statements
- AWS > IAM > Role > Trust Relationship Statements > Approved
- AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules
- AWS > IAM > Role > Trust Relationship Statements > Approved > Rules
- AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts [Deprecated]
- AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Identity Providers [Deprecated]
- AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Services [Deprecated]
- AWS > IAM > Role > Usage
- AWS > IAM > Role > Usage > Limit
- AWS > IAM > Root > Approved
- AWS > IAM > Root > Approved > Custom
- AWS > IAM > Root > Approved > Usage
- AWS > IAM > Root > CMDB
- AWS > IAM > Root > Configured
- AWS > IAM > Root > Configured > Claim Precedence
- AWS > IAM > Root > Configured > Source
- AWS > IAM > Server Certificate > Active
- AWS > IAM > Server Certificate > Active > Age
- AWS > IAM > Server Certificate > Active > Last Modified
- AWS > IAM > Server Certificate > Approved
- AWS > IAM > Server Certificate > Approved > Custom
- AWS > IAM > Server Certificate > Approved > Usage
- AWS > IAM > Server Certificate > CMDB
- AWS > IAM > Server Certificate > Tags
- AWS > IAM > Server Certificate > Tags > Template
- AWS > IAM > Server Certificate > Usage
- AWS > IAM > Server Certificate > Usage > Limit
- AWS > IAM > Stack
- AWS > IAM > Stack > Secret Variables
- AWS > IAM > Stack > Source
- AWS > IAM > Stack > Terraform Version
- AWS > IAM > Stack > Variables
- AWS > IAM > Tags Template [Default]
- AWS > IAM > Trusted Accounts [Default]
- AWS > IAM > Trusted Identity Providers [Default]
- AWS > IAM > Trusted Organizations [Default]
- AWS > IAM > Trusted Services [Default]
- AWS > IAM > User > Active
- AWS > IAM > User > Active > Age
- AWS > IAM > User > Active > Last Modified
- AWS > IAM > User > Active > Recently Used
- AWS > IAM > User > Approved
- AWS > IAM > User > Approved > Custom
- AWS > IAM > User > Approved > Turbot
- AWS > IAM > User > Approved > Usage
- AWS > IAM > User > Boundary
- AWS > IAM > User > Boundary > Policy
- AWS > IAM > User > CMDB
- AWS > IAM > User > Configured
- AWS > IAM > User > Configured > Claim Precedence
- AWS > IAM > User > Configured > Source
- AWS > IAM > User > Group Memberships > CMDB
- AWS > IAM > User > Group Memberships > Configured
- AWS > IAM > User > Group Memberships > Configured > Claim Precedence
- AWS > IAM > User > Group Memberships > Configured > Source
- AWS > IAM > User > Inline Policy > Approved
- AWS > IAM > User > Inline Policy > Approved > Custom
- AWS > IAM > User > Inline Policy > Approved > Usage
- AWS > IAM > User > Inline Policy > CMDB
- AWS > IAM > User > Inline Policy > Statements
- AWS > IAM > User > Inline Policy > Statements > Approved
- AWS > IAM > User > Inline Policy > Statements > Approved > Administrator Access
- AWS > IAM > User > Inline Policy > Statements > Approved > Compiled Rules
- AWS > IAM > User > Inline Policy > Statements > Approved > Rules
- AWS > IAM > User > Login Profile
- AWS > IAM > User > Policy Attachments
- AWS > IAM > User > Policy Attachments > Approved
- AWS > IAM > User > Policy Attachments > Approved > Compiled Rules
- AWS > IAM > User > Policy Attachments > Approved > Rules
- AWS > IAM > User > Policy Attachments > Required
- AWS > IAM > User > Policy Attachments > Required > Compiled Items
- AWS > IAM > User > Policy Attachments > Required > Items
- AWS > IAM > User > Policy Attachments > Required > Turbot Lockdown
- AWS > IAM > User > Tags
- AWS > IAM > User > Tags > Template
- AWS > IAM > User > Turbot Access Key
- AWS > IAM > User > Turbot Access Key > Rotation
- AWS > IAM > User > Turbot Secret Access Key
- AWS > IAM > User > Usage
- AWS > IAM > User > Usage > Limit
- AWS > IAM > User > User Policy Attachments > Active
- AWS > IAM > User > User Policy Attachments > Active > Last Modified
- AWS > IAM > User > User Policy Attachments > CMDB
- AWS > IAM > User > User Policy Attachments > Configured
- AWS > IAM > User > User Policy Attachments > Configured > Claim Precedence
- AWS > IAM > User > User Policy Attachments > Configured > Source
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-iam
- AWS > Turbot > IAM
- AWS > Turbot > IAM > Managed
- AWS > Turbot > Permissions
- AWS > Turbot > Permissions > Compiled
- AWS > Turbot > Permissions > Compiled > API Boundary
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-iam
- AWS > Turbot > Permissions > Compiled > Account Permissions
- AWS > Turbot > Permissions > Compiled > Allow Statements
- AWS > Turbot > Permissions > Compiled > Levels
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-iam
- AWS > Turbot > Permissions > Compiled > Lockdown Statements
- AWS > Turbot > Permissions > Compiled > Lockdown Statements > @turbot/aws-iam
- AWS > Turbot > Permissions > Compiled > Service Permissions
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-iam
- AWS > Turbot > Permissions > Custom Group Levels [Account]
- AWS > Turbot > Permissions > Custom Role Levels [Account]
- AWS > Turbot > Permissions > Custom Role Levels [Folder]
- AWS > Turbot > Permissions > Group
- AWS > Turbot > Permissions > Group > Name Path
- AWS > Turbot > Permissions > Group > Name Prefix
- AWS > Turbot > Permissions > Levels
- AWS > Turbot > Permissions > Levels > Modifiers
- AWS > Turbot > Permissions > Levels [Default]
- AWS > Turbot > Permissions > Lockdown
- AWS > Turbot > Permissions > Lockdown > API Boundary
- AWS > Turbot > Permissions > Lockdown > Region Boundary
- AWS > Turbot > Permissions > Lockdown > Regions
- AWS > Turbot > Permissions > Name Path [Default]
- AWS > Turbot > Permissions > Name Prefix [Default]
- AWS > Turbot > Permissions > Policy
- AWS > Turbot > Permissions > Policy > Name Path
- AWS > Turbot > Permissions > Policy > Name Prefix
- AWS > Turbot > Permissions > Role
- AWS > Turbot > Permissions > Role > Name Path
- AWS > Turbot > Permissions > Role > Name Prefix
- AWS > Turbot > Permissions > Role > Session Timeout
- AWS > Turbot > Permissions > Role > Tags
- AWS > Turbot > Permissions > Source
- AWS > Turbot > Permissions > Superuser Boundary
- AWS > Turbot > Permissions > Tags Default
- AWS > Turbot > Permissions > Terraform Version
- AWS > Turbot > Permissions > User
- AWS > Turbot > Permissions > User > Access Keys Enabled
- AWS > Turbot > Permissions > User > Group Membership Mode
- AWS > Turbot > Permissions > User > Name Path
- AWS > Turbot > Permissions > User > Session Timeout
- AWS > Turbot > Permissions > User > Tags
- AWS > Turbot > Permissions > User Boundary
- Turbot > IAM > Permissions > Compiled > Levels > AWS
- Turbot > IAM > Permissions > Compiled > Levels > AWS [Turbot]
AWS > Account > Permissions
tmod:@turbot/aws-iam#/policy/types/accountPermissions
AWS > Account > Permissions > Lockdown
tmod:@turbot/aws-iam#/policy/types/accountPermissionsLockdown
AWS > Account > Permissions > Lockdown > Budget
Configure lockdown policies to restrict APIs based on the
budget state (when the current spend exceeds a defined threshold).
tmod:@turbot/aws-iam#/policy/types/accountPermissionsLockdownBudget
[ "Skip", "Restrict APIs per `Lockdown > Budget > Restricted APIs`"]
{ "type": "string", "enum": [ "Skip", "Restrict APIs per `Lockdown > Budget > Restricted APIs`" ], "default": "Skip"}
AWS > Account > Permissions > Lockdown > Budget > Restricted APIs
A yaml object that contains a list of APIs that should
be restricted when the budget reaches a specific state.
For example, to restrict users from running and starting
new ec2 instances, starting RDS databases, or creating
Redshift clusters when the budget state is Critical or
higher, enter:<br />Critical:<br /> - ec2:RunInstance<br /> - ec2:StartInstance<br /> - rds:StartDB*<br /> - redshift:createcluster<br />
tmod:@turbot/aws-iam#/policy/types/accountPermissionsLockdownBudgetRestrictedApis
AWS > IAM > API Enabled
Configure whether the AWS S3 API is enabled.
Note: Disabling the service disables the API for ALL users
and roles, and Guardrails will have no access to the API.
tmod:@turbot/aws-iam#/policy/types/iamApiEnabled
[ "Enabled", "Disabled", "Enabled if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if AWS > IAM > Enabled" ], "default": "Enabled"}
AWS > IAM > Access Analyzer > Active
Determine the action to take when an AWS IAM access analyzer, based on the AWS > IAM > Access Analyzer > Active > *
policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Access Analyzer > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > Access Analyzer > Active > Age
The age after which the AWS IAM access analyzer
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Access Analyzer > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > IAM > Access Analyzer > Active > Last Modified
The number of days since the AWS IAM access analyzer
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Access Analyzer > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > Access Analyzer > Approved
Determine the action to take when an AWS IAM access analyzer is not approved based on AWS > IAM > Access Analyzer > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > Access Analyzer > Approved > Custom
Determine whether the AWS IAM access analyzer is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM access analyzer is not approved, it will be subject to the action specified in the AWS > IAM > Access Analyzer > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > IAM > Access Analyzer > Approved > Regions
A list of AWS regions in which AWS IAM access analyzers are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS IAM access analyzer is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > IAM > Access Analyzer > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-iam#/policy/types/accessAnalyzerRegions\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > IAM > Access Analyzer > Approved > Usage
Determine whether the AWS IAM access analyzer is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM access analyzer is not approved, it will be subject to the action specified in the AWS > IAM > Access Analyzer > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
AWS > IAM > Access Analyzer > CMDB
Configure whether to record and synchronize details for the AWS IAM access analyzer into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > IAM > Access Analyzer > Regions
policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Access Analyzer > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Access Analyzer > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Access Analyzer > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Access Analyzer > Regions
A list of AWS regions in which AWS IAM access analyzers are supported for use.
Any access analyzers in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerRegions
{ "allOf": [ { "$ref": "aws#/definitions/regionNameMatcherList" }, { "default": [ "af-south-1", "ap-east-1", "ap-northeast-1", "ap-northeast-2", "ap-northeast-3", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-south-1", "eu-west-1", "eu-west-2", "eu-west-3", "me-south-1", "sa-east-1", "us-east-1", "us-east-2", "us-gov-east-1", "us-gov-west-1", "us-west-1", "us-west-2" ] } ]}
AWS > IAM > Access Analyzer > Tags
Determine the action to take when an AWS IAM access analyzer tags are not updated based on the AWS > IAM > Access Analyzer > Tags > *
policies.
The control ensure AWS IAM access analyzer tags include tags defined in AWS > IAM > Access Analyzer > Tags > Template
.
Tags not defined in Access Analyzer Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > IAM > Access Analyzer > Tags > Template
The template is used to generate the keys and values for AWS IAM access analyzer.
Tags not defined in Access Analyzer Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-iam#/policy/types/accessAnalyzerTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-iam#/policy/types/iamTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > IAM > Access Key > Active
Determine the action to take when an AWS IAM access key, based on the AWS > IAM > Access Key > Active > *
policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Access Key > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/accessKeyActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning", "Enforce: Deactivate inactive with 1 day warning", "Enforce: Deactivate inactive with 3 days warning", "Enforce: Deactivate inactive with 7 days warning", "Enforce: Deactivate inactive with 14 days warning", "Enforce: Deactivate inactive with 30 days warning", "Enforce: Deactivate inactive with 60 days warning", "Enforce: Deactivate inactive with 90 days warning", "Enforce: Deactivate inactive with 180 days warning", "Enforce: Deactivate inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning", "Enforce: Deactivate inactive with 1 day warning", "Enforce: Deactivate inactive with 3 days warning", "Enforce: Deactivate inactive with 7 days warning", "Enforce: Deactivate inactive with 14 days warning", "Enforce: Deactivate inactive with 30 days warning", "Enforce: Deactivate inactive with 60 days warning", "Enforce: Deactivate inactive with 90 days warning", "Enforce: Deactivate inactive with 180 days warning", "Enforce: Deactivate inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > Access Key > Active > Age
The age after which the AWS IAM access key
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Access Key > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/accessKeyActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > IAM > Access Key > Active > Last Modified
The number of days since the AWS IAM access key
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Access Key > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/accessKeyActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > Access Key > Active > Recently Used
The number of days since the AWS IAM access key was last used before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Access Key > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/accessKeyActiveRecentlyUsed
[ "Skip", "Active if recently used <= 1 day", "Active if recently used <= 3 days", "Active if recently used <= 7 days", "Active if recently used <= 14 days", "Active if recently used <= 30 days", "Active if recently used <= 60 days", "Active if recently used <= 90 days", "Active if recently used <= 180 days", "Active if recently used <= 365 days", "Force active if recently used <= 1 day", "Force active if recently used <= 3 days", "Force active if recently used <= 7 days", "Force active if recently used <= 14 days", "Force active if recently used <= 30 days", "Force active if recently used <= 60 days", "Force active if recently used <= 90 days", "Force active if recently used <= 180 days", "Force active if recently used <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if recently used <= 1 day", "Active if recently used <= 3 days", "Active if recently used <= 7 days", "Active if recently used <= 14 days", "Active if recently used <= 30 days", "Active if recently used <= 60 days", "Active if recently used <= 90 days", "Active if recently used <= 180 days", "Active if recently used <= 365 days", "Force active if recently used <= 1 day", "Force active if recently used <= 3 days", "Force active if recently used <= 7 days", "Force active if recently used <= 14 days", "Force active if recently used <= 30 days", "Force active if recently used <= 60 days", "Force active if recently used <= 90 days", "Force active if recently used <= 180 days", "Force active if recently used <= 365 days" ], "example": [ "Active if recently used <= 90 days" ], "default": "Skip"}
AWS > IAM > Access Key > Active > Status
The policy allows you to
check which status determines if the AWS IAM access key is active.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Access Key > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
The policy values for AWS IAM access key are deprecated and replaced by new values.
The deprecated values will be removed in next major version.
| Deprecated Values | Current Values |
|-------------------------------------|----------------------------------------|
| Active if status is active | Active if $.Status is active |
| Force active if status is active | Force active if $.Status is active |
tmod:@turbot/aws-iam#/policy/types/accessKeyActiveStatus
[ "Skip", "Active if status is active", "Force active if status is active", "Active if $.Status is active", "Force active if $.Status is active"]
{ "type": "string", "enum": [ "Skip", "Active if status is active", "Force active if status is active", "Active if $.Status is active", "Force active if $.Status is active" ], "example": [ "Skip" ], "default": "Skip"}
AWS > IAM > Access Key > CMDB
Configure whether to record and synchronize details for the AWS IAM access key into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/accessKeyCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Access Key > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-iam#/policy/types/accessKeyConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Access Key > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/accessKeyConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Access Key > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-iam#/policy/types/accessKeyConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Access Key > Usage
Configure the number of AWS IAM access keys that can be used for this user and the current consumption against the limit.
You can configure the behavior of the control with this AWS > IAM > Access Key > Usage
policy.
tmod:@turbot/aws-iam#/policy/types/accessKeyUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > IAM > Access Key > Usage > Limit
Maximum number of items that can be created for this user.
tmod:@turbot/aws-iam#/policy/types/accessKeyUsageLimit
{ "type": "integer", "minimum": 0, "default": 2}
AWS > IAM > Account Password Policy > CMDB
Configure whether to record and synchronize details for the AWS IAM account password policy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicyCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Account Password Policy > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicyConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Account Password Policy > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicyConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Account Password Policy > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicyConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Account Password Policy > Settings
Check if the IAM account password policy is in sync with the account password settings policies.
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettings
[ "Skip", "Check: Configured", "Enforce: Configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Enforce: Configured" ], "example": [ "Check: Configured" ], "default": "Skip"}
AWS > IAM > Account Password Policy > Settings > Allow Users to Change
You can permit all IAM users in your account to use the IAM console to change their own passwords, as described in Permitting IAM users to change their own passwords.
Refer to Setting an account password policy for IAM users for more information on account password policies.
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsAllowUsersToChange
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": "Enabled", "default": "Enabled"}
AWS > IAM > Account Password Policy > Settings > Hard Expiry
You can prevent IAM users from choosing a new password after their current password has expired. For example, a password policy can specify a password expiration period. If an IAM user fails to choose a new password before the expiration period ends, the IAM user cannot set a new password. In that case, the IAM user must request a password reset from an account administrator in order to regain access to the AWS Management Console. You can also leave this check box cleared. If an IAM user allows his or her password to expire, the user in this scenario is required to set a new password before accessing the AWS Management Console.
Refer to Setting an account password policy for IAM users for more information on account password policies.
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsHardExpiry
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": "Enabled", "default": "Enabled"}
AWS > IAM > Account Password Policy > Settings > Max Age
You can set IAM user passwords to be valid for only the specified number of days. You specify the number of days that passwords remain valid after they are set. For example, when you enable password expiration and set the password expiration period to 90 days, an IAM user can use a password for up to 90 days. After 90 days, the password expires and the IAM user must set a new password before accessing the AWS Management Console. You can choose a password expiration period between 1 and 1095 days, inclusive.
Refer to Setting an account password policy for IAM users for more information on account password policies.
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsMaxAge
{ "type": "integer", "minimum": 1, "maximum": 1095, "example": 90, "default": 90}
AWS > IAM > Account Password Policy > Settings > Minimum Length
You can specify the minimum number of characters allowed in an IAM user password. You can type any number from 6 to 128.
Refer to Setting an account password policy for IAM users for more information on account password policies.
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsMinimumLength
{ "type": "integer", "minimum": 6, "maximum": 128, "example": 14, "default": 14}
AWS > IAM > Account Password Policy > Settings > Require Lowercase Characters
You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z).
Refer to Setting an account password policy for IAM users for more information on account password policies.
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireLowercaseCharacters
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": "Enabled", "default": "Enabled"}
AWS > IAM > Account Password Policy > Settings > Require Numbers
You can require that IAM user passwords contain at least one numeric character (0 to 9).
Refer to Setting an account password policy for IAM users for more information on account password policies.
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireNumbers
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": "Enabled", "default": "Enabled"}
AWS > IAM > Account Password Policy > Settings > Require Symbols
You can require that IAM user passwords contain at least one of the following nonalphanumeric characters:! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
Refer to Setting an account password policy for IAM users for more information on account password policies.
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireSymbols
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": "Enabled", "default": "Enabled"}
AWS > IAM > Account Password Policy > Settings > Require Uppercase Characters
You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).
Refer to Setting an account password policy for IAM users for more information on account password policies.
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireUppercaseCharacters
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": "Enabled", "default": "Enabled"}
AWS > IAM > Account Password Policy > Settings > Reuse Prevention
You can prevent IAM users from reusing a specified number of previous passwords. You can set the number of previous passwords from 1 to 24, inclusive.
Refer to Setting an account password policy for IAM users for more information on account password policies.
tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsReusePrevention
{ "type": "integer", "minimum": 1, "maximum": 24, "example": 5, "default": 5}
AWS > IAM > Account Summary > CMDB
Configure whether to record and synchronize details for the AWS IAM account summary into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/accountSummaryCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Credential Report > CMDB
Configure whether to record and synchronize details for the AWS IAM credential report into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/credentialReportCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Enabled
Enabled IAM.
tmod:@turbot/aws-iam#/policy/types/iamEnabled
[ "Enabled", "Enabled: Metadata Only", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Enabled: Metadata Only", "Disabled" ], "example": [ "Enabled" ], "default": "Disabled"}
AWS > IAM > Group > Active
Determine the action to take when an AWS IAM group, based on the AWS > IAM > Group > Active > *
policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Group > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/groupActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > Group > Active > Age
The age after which the AWS IAM group
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Group > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/groupActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > IAM > Group > Active > Budget
The impact of the budget state on the active control. This policy allows you to force
groups to inactive based on the current budget state, as reflected inAWS > Account > Budget > State
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Group > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/groupActiveBudget
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > IAM > Group > Active > Last Modified
The number of days since the AWS IAM group
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Group > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/groupActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > Group > Approved
Determine the action to take when an AWS IAM group is not approved based on AWS > IAM > Group > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/groupApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > Group > Approved > Budget
The policy allows you to set groups to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State
This policy will be evaluated by the Approved control. If an AWS IAM group is not matched by the approved list, it will be subject to the action specified in the AWS > IAM > Group > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/groupApprovedBudget
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > IAM > Group > Approved > Custom
Determine whether the AWS IAM group is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM group is not approved, it will be subject to the action specified in the AWS > IAM > Group > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-iam#/policy/types/groupApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > IAM > Group > Approved > Turbot
Determine whether IAM Policies that are defined and configured by Guardrails (for example, from the Permissions stack or the Service Roles stack) will always be approved.
tmod:@turbot/aws-iam#/policy/types/groupApprovedTurbot
[ "Skip", "Force Approved for Turbot Group"]
{ "type": "string", "enum": [ "Skip", "Force Approved for Turbot Group" ], "default": "Force Approved for Turbot Group"}
AWS > IAM > Group > Approved > Usage
Determine whether the AWS IAM group is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM group is not approved, it will be subject to the action specified in the AWS > IAM > Group > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/groupApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
AWS > IAM > Group > CMDB
Configure whether to record and synchronize details for the AWS IAM group into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/groupCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Group > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-iam#/policy/types/groupConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Group > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/groupConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Group > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-iam#/policy/types/groupConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Group > Group Policy Attachments > Active
Check if the AWS IAM Grouppolicyattachment is active based on AWS > IAM > Grouppolicyattachment > Active > * policies.
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > Group > Group Policy Attachments > Active > Last Modified
Check if AWS groupPolicyAttachment is active based on when it was last modified.
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > Group > Group Policy Attachments > CMDB
Configure whether to record and synchronize details for the AWS IAM group policy attachments into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Group > Group Policy Attachments > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Group > Group Policy Attachments > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Group > Group Policy Attachments > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Group > Inline Policy > Approved
Determine the action to take when an AWS IAM group inline policy is not approved based on AWS > IAM > Group > Inline Policy > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > Group > Inline Policy > Approved > Custom
Determine whether the AWS IAM group inline policy is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM group inline policy is not approved, it will be subject to the action specified in the AWS > IAM > Group > Inline Policy > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > IAM > Group > Inline Policy > Approved > Usage
Determine whether the AWS IAM group inline policy is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM group inline policy is not approved, it will be subject to the action specified in the AWS > IAM > Group > Inline Policy > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
AWS > IAM > Group > Inline Policy > CMDB
Configure whether to record and synchronize details for the AWS IAM group inline policy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Group > Inline Policy > Statements
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatements
AWS > IAM > Group > Inline Policy > Statements > Approved
Configure IAM Policy Statements checking. This policy defines whether to verify the
policy statements are approved, as well as the subsequent action to take on unapproved
statements.
Rules for all Approved policies will be compiled in Approved > Compiled Rules
and then evaluated. If set to "Enforce: Delete unapproved", any unapproved statements
will be removed from the policy.
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatementsApproved
[ "Skip", "Check: Approved", "Enforce: Delete Unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete Unapproved" ], "default": "Skip"}
AWS > IAM > Group > Inline Policy > Statements > Approved > Administrator Access
If set to "Disabled", IAM Policy statements that allow any action ('') on any resource ('') will be unapproved.
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatementsApprovedAdminAccess
[ "Enabled: Allow Administrator Access ('*:*') policies", "Disabled: Disallow Administrator Access ('*:*') policies"]
{ "type": "string", "enum": [ "Enabled: Allow Administrator Access ('*:*') policies", "Disabled: Disallow Administrator Access ('*:*') policies" ], "default": "Enabled: Allow Administrator Access ('*:*') policies"}
AWS > IAM > Group > Inline Policy > Statements > Approved > Compiled Rules
A read-only Object Control List (OCL) to approved or reject policy statements for an IAM policy. This policy is generated by Guardrails based on the "Approved > *" policies.
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatementsApprovedCompiledRules
{ "type": "string"}
AWS > IAM > Group > Inline Policy > Statements > Approved > Rules
An Object Control List (OCL) with a list of filter rules to approve or reject IAM policy statements. Note that the Approved control does not operate directly from this policy, but from the Approved > Compiled Rules. The rules are processed in order, and any built-in Guardrails rules will appear first in the list of compiled rules.
This is the last statement, so all unmatched items will be (approved/rejected) by this statement.
Note: Removing APPROVE * will reject all the unmatched rules.
tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatementsApprovedRules
{ "type": "string", "default": "# Approve(APPROVE *) / Reject(REJECT *) unmatched rules.\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
AWS > IAM > Group > Policy Attachments
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttached
AWS > IAM > Group > Policy Attachments > Approved
Configure AWS IAM group policy attachments Approved
checking. This policy
defines whether to verify the IAM group attached policies are approved
(per Approved > Compiled Rules
), as well as the subsequent action to
take on unapproved items.
If set to "Enforce: Delete unapproved", any unapproved attached policy
will be removed.
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentsApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved" ], "example": [ "Skip" ], "default": "Skip"}
AWS > IAM > Group > Policy Attachments > Approved > Compiled Rules
A read-only Object Control List (OCL) to add or
remove IAM Policy from a IAM group.
This policy is generated by Turbot.
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentsApprovedCompiledRules
{ "type": "string"}
AWS > IAM > Group > Policy Attachments > Approved > Rules
An Object Control List (OCL) with a list of filter rules
to approve or reject policies.
Note that the Approved control does not operate directly from this policy,
but from the Approved > Compiled Rules
. The rules are processed in order,
and any built-in Guardrails rules will appear first in the list of compiled rules.
tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentsApprovedRules
{ "type": "string", "default": "# Approve rules\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
AWS > IAM > Group > Policy Attachments > Required
Configure whether required policies should be attached to a group.
If set to Enforce, policies in Required > Items will be attached to the group.
tmod:@turbot/aws-iam#/policy/types/groupPolicyRequired
[ "Skip", "Check: Required > Items", "Enforce: Required > Items"]
{ "type": "string", "enum": [ "Skip", "Check: Required > Items", "Enforce: Required > Items" ], "example": [ "Skip" ], "default": "Skip"}
AWS > IAM > Group > Policy Attachments > Required > Compiled Items
A list of IAM policies that must be attached to a group.
This is a read-only policy that is generated by Turbot
tmod:@turbot/aws-iam#/policy/types/groupPolicyRequiredCompiledItems
{ "type": "array"}
AWS > IAM > Group > Policy Attachments > Required > Items
A list of IAM policies that must be attached to a group.
tmod:@turbot/aws-iam#/policy/types/groupPolicyRequiredItems
{ "type": "array", "items": { "type": "string", "minLength": 1, "maxLength": 128, "pattern": "^[A-Za-z0-9_+=,.@-]+$" }, "default": []}
AWS > IAM > Group > Usage
Configure the number of AWS IAM groups that can be used for this account and the current consumption against the limit.
You can configure the behavior of the control with this AWS > IAM > Group > Usage
policy.
tmod:@turbot/aws-iam#/policy/types/groupUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > IAM > Group > Usage > Limit
Maximum number of items that can be created for this account.
tmod:@turbot/aws-iam#/policy/types/groupUsageLimit
{ "type": "integer", "minimum": 0, "default": 300}
AWS > IAM > Instance Profile > CMDB
Configure whether to record and synchronize details for the AWS IAM instance profile into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/instanceProfileCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Instance Profile > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-iam#/policy/types/instanceProfileConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Instance Profile > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/instanceProfileConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Instance Profile > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-iam#/policy/types/instanceProfileConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Login User Names
AWS IAM user login names
tmod:@turbot/aws-iam#/policy/types/loginUserNames
"{\n profile{\n profileId\n }\n}\n"
"{% if $.profile.profileId %}- '{{ $.profile.profileId }}'{% else %} [] {% endif %}"
{ "type": "array"}
AWS > IAM > MFA Virtual > Active
Check if the AWS IAM Mfavirtual is active based on AWS > IAM > Mfavirtual > Active > * policies.
tmod:@turbot/aws-iam#/policy/types/mfaVirtualActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > MFA Virtual > Active > Last Modified
Check if AWS mfaVirtual is active based on when it was last modified.
tmod:@turbot/aws-iam#/policy/types/mfaVirtualActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > MFA Virtual > CMDB
Configure whether to record and synchronize details for the AWS IAM Multi Factor Authentication(MFA) Virtual into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/mfaVirtualCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > OpenID Connect > Active
Determine the action to take when an AWS IAM openid connect, based on the AWS > IAM > OpenID Connect > Active > *
policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > OpenID Connect > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/openIdConnectActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > OpenID Connect > Active > Age
The age after which the AWS IAM openid connect
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > OpenID Connect > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/openIdConnectActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > IAM > OpenID Connect > Active > Last Modified
The number of days since the AWS IAM openid connect
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > OpenID Connect > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/openIdConnectActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > OpenID Connect > Approved
Determine the action to take when an AWS IAM openid connect is not approved based on AWS > IAM > OpenID Connect > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/openIdConnectApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > OpenID Connect > Approved > Custom
Determine whether the AWS IAM openid connect is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM openid connect is not approved, it will be subject to the action specified in the AWS > IAM > OpenID Connect > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-iam#/policy/types/openIdConnectApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > IAM > OpenID Connect > Approved > Usage
Determine whether the AWS IAM openid connect is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM openid connect is not approved, it will be subject to the action specified in the AWS > IAM > OpenID Connect > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/openIdConnectApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
AWS > IAM > OpenID Connect > CMDB
Configure whether to record and synchronize details for the AWS IAM openid connect into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/openIdConnectCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > OpenID Connect > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.
tmod:@turbot/aws-iam#/policy/types/openIdConnectConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > OpenID Connect > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/openIdConnectConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > OpenID Connect > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-iam#/policy/types/openIdConnectConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > OpenID Connect > Tags
Determine the action to take when an AWS IAM openid connect tags are not updated based on the AWS > IAM > OpenID Connect > Tags > *
policies.
The control ensure AWS IAM openid connect tags include tags defined in AWS > IAM > OpenID Connect > Tags > Template
.
Tags not defined in OpenID Connect Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-iam#/policy/types/openIdConnectTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > IAM > OpenID Connect > Tags > Template
The template is used to generate the keys and values for AWS IAM openid connect.
Tags not defined in OpenID Connect Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-iam#/policy/types/openIdConnectTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-iam#/policy/types/iamTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > IAM > OpenID Connect > Usage
Configure the number of AWS IAM openid connects that can be used for this account and the current consumption against the limit.
You can configure the behavior of the control with this AWS > IAM > OpenID Connect > Usage
policy.
tmod:@turbot/aws-iam#/policy/types/openIdConnectUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > IAM > OpenID Connect > Usage > Limit
Maximum number of items that can be created for this account.
tmod:@turbot/aws-iam#/policy/types/openIdConnectUsageLimit
{ "type": "integer", "minimum": 0, "default": 100}
AWS > IAM > Permissions
Configure whether permissions policies are in effect for AWS IAM. This setting does
not affect account level permissions (AWS/Admin, AWS/Owner, etc).
Note: The behavior of this policy depends on the value of AWS > Permissions
.
tmod:@turbot/aws-iam#/policy/types/iamPermissions
[ "Enabled", "Disabled", "Enabled if AWS > IAM > Enabled & AWS > IAM > API Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if AWS > IAM > Enabled & AWS > IAM > API Enabled" ], "example": [ "Enabled" ], "default": "Enabled if AWS > IAM > Enabled & AWS > IAM > API Enabled"}
AWS > IAM > Permissions > Levels
Define the permissions levels that can be used to grant access to an AWS account.
Permissions levels defined will appear in the UI to assign access to Guardrails users.
This policy provides a default for Permissions > Levels
in each service,
however you can explicitly override the setting for each service if desired
tmod:@turbot/aws-iam#/policy/types/iamPermissionsLevels
[ "{\n item: account {\n turbot {\n id\n }\n }\n}\n", "{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/aws-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"]
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "enum": [ "Metadata", "ReadOnly", "Operator", "Admin", "Owner" ] }}
AWS > IAM > Permissions > Levels > Modifiers
A map of AWS API to Guardrails Permission Level used to customize Guardrails' standard permissions.
You can add, remove or redefine the mapping of AWS API operations to Guardrails permissions levels here.
Note: Modifiers are cumulative - if you add a permission to the Metadata level, it is also
added to ReadOnly, Operator and Admin. Modifier policies set here apply ONLY to the AWS level"<br />example:<br /> - "glacier:createvault": admin<br /> - "glacier:ListVaults": metadata<br /> - "s3:DeleteBucket": none<br />
tmod:@turbot/aws-iam#/policy/types/iamPermissionsLevelsModifiers
AWS > IAM > Permissions > Levels > Service User Access Key Administration
Determines which Guardrails permissions level can manage Service User Access Key Administration.
tmod:@turbot/aws-iam#/policy/types/iamPermissionsLevelsServiceUserAccessKeyAdministration
[ "None", "Owner"]
{ "type": "string", "enum": [ "None", "Owner" ], "example": [ "None" ], "default": "None"}
AWS > IAM > Permissions > Levels > Service User Administration
Determines which Guardrails permissions level can manage Service User Administration.
tmod:@turbot/aws-iam#/policy/types/iamPermissionsLevelsServiceUserAdministration
[ "None", "Owner"]
{ "type": "string", "enum": [ "None", "Owner" ], "example": [ "None" ], "default": "None"}
AWS > IAM > Permissions > Levels > Service User Password Administration
Determines which Guardrails permissions level can manage Service User Password Administration.
tmod:@turbot/aws-iam#/policy/types/iamPermissionsLevelsServiceUserPasswordAdministration
[ "None", "Owner"]
{ "type": "string", "enum": [ "None", "Owner" ], "example": [ "None" ], "default": "None"}
AWS > IAM > Permissions > Lockdown
tmod:@turbot/aws-iam#/policy/types/iamPermissionsLockdown
AWS > IAM > Permissions > Lockdown > API Boundary
Configure whether the AWS IAM API is enabled for all
users and roles in turbot-managed boundary policies.
Note: Disabling the service disables the API for ALL users
and roles, and Guardrails will have no access to the API.
tmod:@turbot/aws-iam#/policy/types/iamPermissionsLockdownApiBoundary
[ "Enabled if AWS > IAM > API Enabled"]
{ "type": "string", "enum": [ "Enabled if AWS > IAM > API Enabled" ], "example": [ "Enabled if AWS > IAM > API Enabled" ], "default": "Enabled if AWS > IAM > API Enabled"}
AWS > IAM > Policy > Active
Determine the action to take when an AWS IAM policy, based on the AWS > IAM > Policy > Active > *
policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Policy > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/iamPolicyActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > Policy > Active > Age
The age after which the AWS IAM policy
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Policy > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/iamPolicyActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > IAM > Policy > Active > Last Modified
The number of days since the AWS IAM policy
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Policy > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/iamPolicyActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > Policy > Approved
Determine the action to take when an AWS IAM policy is not approved based on AWS > IAM > Policy > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/iamPolicyApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > Policy > Approved > Custom
Determine whether the AWS IAM policy is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM policy is not approved, it will be subject to the action specified in the AWS > IAM > Policy > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-iam#/policy/types/iamPolicyApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > IAM > Policy > Approved > Turbot
Determine whether IAM Policies that are defined and configured by Guardrails (for example, from the Permissions stack or the Service Roles stack) will always be approved.
tmod:@turbot/aws-iam#/policy/types/iamPolicyApprovedTurbot
[ "Skip", "Force Approved for Turbot Policies"]
{ "type": "string", "enum": [ "Skip", "Force Approved for Turbot Policies" ], "default": "Force Approved for Turbot Policies"}
AWS > IAM > Policy > Approved > Usage
Determine whether the AWS IAM policy is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM policy is not approved, it will be subject to the action specified in the AWS > IAM > Policy > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/iamPolicyApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
AWS > IAM > Policy > CMDB
Configure whether to record and synchronize details for the AWS IAM policy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/iamPolicyCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Policy > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-iam#/policy/types/iamPolicyConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Policy > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/iamPolicyConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Policy > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-iam#/policy/types/iamPolicyConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Policy > Statements
AWS > IAM > Policy > Statements > Approved
Configure IAM Policy Statements checking. This policy defines whether to verify the
policy statements are approved, as well as the subsequent action to take on unapproved
statements.
Rules for all Approved policies will be compiled in Approved > Compiled Rules
and then evaluated. If set to "Enforce: Delete unapproved", any unapproved statements
will be removed from the policy.
tmod:@turbot/aws-iam#/policy/types/statementsApproved
[ "Skip", "Check: Approved", "Enforce: Delete Unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete Unapproved" ], "default": "Skip"}
AWS > IAM > Policy > Statements > Approved > Administrator Access
If set to "Disabled", IAM Policy statements that allow any action ('') on any resource ('') will be unapproved.
tmod:@turbot/aws-iam#/policy/types/statementsApprovedAdminAccess
[ "Enabled: Allow Administrator Access ('*:*') policies", "Disabled: Disallow Administrator Access ('*:*') policies"]
{ "type": "string", "enum": [ "Enabled: Allow Administrator Access ('*:*') policies", "Disabled: Disallow Administrator Access ('*:*') policies" ], "default": "Enabled: Allow Administrator Access ('*:*') policies"}
AWS > IAM > Policy > Statements > Approved > Compiled Rules
A read-only Object Control List (OCL) to approved or reject policy statements for an IAM policy. This policy is generated by Turbot based on the "Approved > *" policies.
tmod:@turbot/aws-iam#/policy/types/statementsApprovedCompiledRules
{ "type": "string"}
AWS > IAM > Policy > Statements > Approved > Rules
An Object Control List (OCL) with a list of filter rules to approve or reject IAM policy statements. Note that the Approved control does not operate directly from this policy, but from the Approved > Compiled Rules. The rules are processed in order, and any built-in Guardrails rules will appear first in the list of compiled rules.
This is the last statement, so all unmatched items will be (approved/rejected) by this statement.
Note: Removing APPROVE * will reject all the unmatched rules.
tmod:@turbot/aws-iam#/policy/types/statementsApprovedRules
{ "type": "string", "default": "# Approve unmatched rules\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
AWS > IAM > Policy > Statements > Approved > Turbot
If Enabled, All IAM Policy statements for policies that are defined and configured by Guardrails (for example, from the permissions stack of the Service Roles stack) will be approved.
tmod:@turbot/aws-iam#/policy/types/statementsApprovedTurbot
[ "Skip", "Force Approved for Turbot Policies"]
{ "type": "string", "enum": [ "Skip", "Force Approved for Turbot Policies" ], "default": "Force Approved for Turbot Policies"}
AWS > IAM > Role > Active
Determine the action to take when an AWS IAM role, based on the AWS > IAM > Role > Active > *
policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Role > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/roleActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning", "Enforce: Quarantine inactive with 1 day warning", "Enforce: Quarantine inactive with 3 days warning", "Enforce: Quarantine inactive with 7 days warning", "Enforce: Quarantine inactive with 14 days warning", "Enforce: Quarantine inactive with 30 days warning", "Enforce: Quarantine inactive with 60 days warning", "Enforce: Quarantine inactive with 90 days warning", "Enforce: Quarantine inactive with 180 days warning", "Enforce: Quarantine inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning", "Enforce: Quarantine inactive with 1 day warning", "Enforce: Quarantine inactive with 3 days warning", "Enforce: Quarantine inactive with 7 days warning", "Enforce: Quarantine inactive with 14 days warning", "Enforce: Quarantine inactive with 30 days warning", "Enforce: Quarantine inactive with 60 days warning", "Enforce: Quarantine inactive with 90 days warning", "Enforce: Quarantine inactive with 180 days warning", "Enforce: Quarantine inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > Role > Active > Age
The age after which the AWS IAM role
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Role > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/roleActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > IAM > Role > Active > Last Modified
The number of days since the AWS IAM role
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Role > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/roleActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > Role > Active > Quarantine Policy Name
The quarantine policy name which will be used for the inline policy to be attached to the AWS > IAM > Role
.
Quarantine Inline Policy:<br />{<br /> "Version": "2012-10-17",<br /> "Statement": [<br /> {<br /> "Sid": "DenyAll",<br /> "Effect": "Deny",<br /> "Action": "*",<br /> "Resource": "*"<br /> }<br /> ]<br />}<br />
tmod:@turbot/aws-iam#/policy/types/roleActiveQuarantinePolicyName
{ "type": "string", "default": "quarantine_inline_policy"}
AWS > IAM > Role > Active > Recently Used
The number of days since the AWS IAM role was last used before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Role > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/roleActiveRecentlyUsed
[ "Skip", "Active if recently used <= 1 day", "Active if recently used <= 3 days", "Active if recently used <= 7 days", "Active if recently used <= 14 days", "Active if recently used <= 30 days", "Active if recently used <= 60 days", "Active if recently used <= 90 days", "Active if recently used <= 180 days", "Active if recently used <= 365 days", "Force active if recently used <= 1 day", "Force active if recently used <= 3 days", "Force active if recently used <= 7 days", "Force active if recently used <= 14 days", "Force active if recently used <= 30 days", "Force active if recently used <= 60 days", "Force active if recently used <= 90 days", "Force active if recently used <= 180 days", "Force active if recently used <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if recently used <= 1 day", "Active if recently used <= 3 days", "Active if recently used <= 7 days", "Active if recently used <= 14 days", "Active if recently used <= 30 days", "Active if recently used <= 60 days", "Active if recently used <= 90 days", "Active if recently used <= 180 days", "Active if recently used <= 365 days", "Force active if recently used <= 1 day", "Force active if recently used <= 3 days", "Force active if recently used <= 7 days", "Force active if recently used <= 14 days", "Force active if recently used <= 30 days", "Force active if recently used <= 60 days", "Force active if recently used <= 90 days", "Force active if recently used <= 180 days", "Force active if recently used <= 365 days" ], "example": [ "Active if recently used <= 90 days" ], "default": "Skip"}
AWS > IAM > Role > Approved
Determine the action to take when an AWS IAM role is not approved based on AWS > IAM > Role > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/roleApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new", "Enforce: Quarantine unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new", "Enforce: Quarantine unapproved" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > Role > Approved > Custom
Determine whether the AWS IAM role is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM role is not approved, it will be subject to the action specified in the AWS > IAM > Role > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-iam#/policy/types/roleApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > IAM > Role > Approved > Quarantine Policy Name
The quarantine policy name which will be used for the inline policy to be attached to the AWS > IAM > Role
.
Quarantine Inline Policy:<br />{<br /> "Version": "2012-10-17",<br /> "Statement": [<br /> {<br /> "Sid": "DenyAll",<br /> "Effect": "Deny",<br /> "Action": "*",<br /> "Resource": "*"<br /> }<br /> ]<br />}<br />
tmod:@turbot/aws-iam#/policy/types/roleApprovedQuarantinePolicyName
{ "type": "string", "default": "quarantine_inline_policy"}
AWS > IAM > Role > Approved > Turbot
Determine whether IAM Policies that are defined and configured by Turbot (for example, from the Permissions stack or the Service Roles stack) will always be approved.
tmod:@turbot/aws-iam#/policy/types/roleApprovedTurbot
[ "Skip", "Force Approved for Turbot Role"]
{ "type": "string", "enum": [ "Skip", "Force Approved for Turbot Role" ], "default": "Force Approved for Turbot Role"}
AWS > IAM > Role > Approved > Usage
Determine whether the AWS IAM role is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM role is not approved, it will be subject to the action specified in the AWS > IAM > Role > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/roleApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
AWS > IAM > Role > Boundary
Configure which boundary policy to apply to the IAM role .
This must be the name of an existing AWS IAM Boundary policy.
AWS Boundary Policies are used to enforce Turbot Guardrails for
enabling/disabling API Services and Regions.
If set to Check or Enforce per AWS > Turbot > Permissions
,
the boundary will be enforced if Turbot > Permissions are enforced, checked
if Turbot > Permissions are checked, and skipped if Turbot Permissions
are none or skip
tmod:@turbot/aws-iam#/policy/types/roleBoundary
[ "Skip", "Check: No Boundary", "Check: Boundary > Policy", "Enforce: No Boundary", "Enforce: Boundary > Policy", "Check or Enforce per `AWS > Turbot > Permissions`"]
{ "type": "string", "enum": [ "Skip", "Check: No Boundary", "Check: Boundary > Policy", "Enforce: No Boundary", "Enforce: Boundary > Policy", "Check or Enforce per `AWS > Turbot > Permissions`" ], "default": "Skip"}
AWS > IAM > Role > Boundary > Policy
Configure which boundary policy to apply to the IAM role.
This must be the name of an existing AWS IAM Boundary policy.
AWS Boundary Policies are used to enforce Turbot Guardrails for
enabling/disabling API Services and Regions.
tmod:@turbot/aws-iam#/policy/types/roleBoundaryPolicy
"{\n prefix: policy(uri:\"#/policy/types/turbotRoleNamePrefix\")\n}\n"
"{{$.prefix}}boundary"
AWS > IAM > Role > CMDB
Configure whether to record and synchronize details for the AWS IAM role into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/roleCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Role > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-iam#/policy/types/roleConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Role > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/roleConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Role > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-iam#/policy/types/roleConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Role > Inline Policy > Approved
Determine the action to take when an AWS IAM role inline policy is not approved based on AWS > IAM > Role > Inline Policy > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/roleInlinePolicyApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > Role > Inline Policy > Approved > Custom
Determine whether the AWS IAM role inline policy is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM role inline policy is not approved, it will be subject to the action specified in the AWS > IAM > Role > Inline Policy > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-iam#/policy/types/roleInlinePolicyApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > IAM > Role > Inline Policy > Approved > Usage
Determine whether the AWS IAM role inline policy is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM role inline policy is not approved, it will be subject to the action specified in the AWS > IAM > Role > Inline Policy > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/roleInlinePolicyApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
AWS > IAM > Role > Inline Policy > CMDB
Configure whether to record and synchronize details for the AWS IAM role inline policy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/roleInlinePolicyCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Role > Inline Policy > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-iam#/policy/types/roleInlinePolicyConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Role > Inline Policy > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/roleInlinePolicyConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Role > Inline Policy > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-iam#/policy/types/roleInlinePolicyConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Role > Inline Policy > Statements
tmod:@turbot/aws-iam#/policy/types/inlinePolicyStatements
AWS > IAM > Role > Inline Policy > Statements > Approved
Configure IAM Policy Statements checking. This policy defines whether to verify the
policy statements are approved, as well as the subsequent action to take on unapproved
statements.
Rules for all Approved policies will be compiled in Approved > Compiled Rules
and then evaluated. If set to "Enforce: Delete unapproved", any unapproved statements
will be removed from the policy.
tmod:@turbot/aws-iam#/policy/types/roleInlinePolicyStatementsApproved
[ "Skip", "Check: Approved", "Enforce: Delete Unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete Unapproved" ], "default": "Skip"}
AWS > IAM > Role > Inline Policy > Statements > Approved > Administrator Access
If set to "Disabled", IAM Role Inline Policy statements that allow any action ('') on any resource ('') will be unapproved.
tmod:@turbot/aws-iam#/policy/types/roleInlinePolicyStatementsApprovedAdminAccess
[ "Enabled: Allow Administrator Access ('*:*') policies", "Disabled: Disallow Administrator Access ('*:*') policies"]
{ "type": "string", "enum": [ "Enabled: Allow Administrator Access ('*:*') policies", "Disabled: Disallow Administrator Access ('*:*') policies" ], "default": "Enabled: Allow Administrator Access ('*:*') policies"}
AWS > IAM > Role > Inline Policy > Statements > Approved > Compiled Rules
A read-only Object Control List (OCL) to approved or reject inline policy statements for an IAM Role. This policy is generated by Guardrails based on the "Approved > *" policies.
tmod:@turbot/aws-iam#/policy/types/roleInlinePolicyStatementsApprovedCompiledRules
{ "type": "string"}
AWS > IAM > Role > Inline Policy > Statements > Approved > Rules
An Object Control List (OCL) with a list of filter rules to approve or reject IAM role inline policy statements. Note that the Approved control does not operate directly from this policy, but from the Approved > Compiled Rules. The rules are processed in order, and any built-in Guardrails rules will appear first in the list of compiled rules.
This is the last statement, so all unmatched items will be (approved/rejected) by this statement.
Note: Removing APPROVE * will reject all the unmatched rules.
tmod:@turbot/aws-iam#/policy/types/roleInlinePolicyStatementsApprovedRules
{ "type": "string", "default": "# Approve(APPROVE *) / Reject(REJECT *) unmatched rules.\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
AWS > IAM > Role > Policy
tmod:@turbot/aws-iam#/policy/types/rolePolicy
AWS > IAM > Role > Policy > Trusted Access
Take an action when AWS IAM role policy is not trusted based on theAWS > IAM > Role > Policy > Trusted Access > *
policies.
The Trusted Access control evaluates the role policy against the list of allowed
members in each of the Trusted Access sub-policies (Trusted Access > Accounts,
Trusted Access > Services etc.), this control raises an alarm and takes the
defined enforcement action.
The account that owns the role will always be trusted, even if its account ID is
not included in the Trusted Accounts policy.
If set to Enforce: Revoke untrusted access
, access to non-trusted
members will be removed.
tmod:@turbot/aws-iam#/policy/types/rolePolicyTrustedAccess
[ "Skip", "Check: Trusted Access", "Enforce: Revoke untrusted access"]
{ "type": "string", "enum": [ "Skip", "Check: Trusted Access", "Enforce: Revoke untrusted access" ], "default": "Skip"}
AWS > IAM > Role > Policy > Trusted Access > Accounts
List of AWS Account IDs that are trusted for cross-account access in the
AWS IAM role policy.
Note that Trusted Access > Accounts
and Trusted Access ><br />Organizations
are evaluated independently. To have access, an AWS
principal must be allowed in Trusted Access > Accounts
AND be a
member of an Organization that is allowed in Trusted Access ><br />Organizations
.<br />example:<br /> - "123456789012"<br />
Note: Setting the policy to an Empty
array will remove all accounts.
tmod:@turbot/aws-iam#/policy/types/rolePolicyTrustedAccounts
"{\n accounts: policy(uri: \"tmod:@turbot/aws-iam#/policy/types/iamPolicyTrustedAccounts\")\n}\n"
"{% if $.accounts | length == 0 %}[]{% endif %}{% for item in $.accounts %}- '{{ item }}'\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "pattern": "(?:^\\d{12}$|^\\*$)" }}
AWS > IAM > Role > Policy > Trusted Access > Identity Providers
List of Identity Providers that are trusted for cross-account access in the
AWS IAM role policy.<br />example:<br /> - www.google.com<br /> - www.facebook.com<br />
Note: Setting the policy to an Empty
array will remove all identity providers.
tmod:@turbot/aws-iam#/policy/types/rolePolicyTrustedIdentityProviders
"{\n identityProviders: policy(uri: \"tmod:@turbot/aws-iam#/policy/types/iamPolicyTrustedIdentityProviders\")\n}\n"
"{% if $.identityProviders | length == 0 %}[]{% endif %}{% for item in $.identityProviders %}- '{{ item }}'\n{% endfor %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Role > Policy > Trusted Access > Organization Restrictions
List of AWS Organization IDs that are trusted for cross-account access in
the AWS IAM role policy, or '*' to skip the Organization Restriction.
Note that Trusted Access > Accounts
and Trusted Access ><br />Organizations
are evaluated independently. To have access, an AWS
principal must be allowed in Trusted Access > Accounts
AND be a
member of an Organization that is allowed in Trusted Access ><br />Organizations
.
Note: Trusted Access > Organization Restrictions
are ONLY
applied to AWS principals. Services and Federated principals do
NOT contain the aws:PrincipalOrgId
condition key, and thus
cannot be validated against the Organization.<br />example:<br /> - "o-333333333"<br /> - "o-c3a5y4wd52"<br />
tmod:@turbot/aws-iam#/policy/types/rolePolicyTrustedOrganizations
"{\n organizations: policy(uri: \"tmod:@turbot/aws-iam#/policy/types/iamPolicyTrustedOrganizations\")\n}\n"
"{% if $.organizations | length == 0 %}[]{% endif %}{% for item in $.organizations %}- '{{ item }}'\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "pattern": "(?:^o-[a-z0-9]{10,32}$|^\\*$)" }}
AWS > IAM > Role > Policy > Trusted Access > Services
List of AWS Services that are trusted for access in the AWS IAM role policy.<br />example:<br /> - sns.amazonaws.com<br /> - ec2.amazonaws.com<br />
Note: Setting the policy to an Empty
array will remove all services.
tmod:@turbot/aws-iam#/policy/types/rolePolicyTrustedServices
"{\n services: policy(uri: \"tmod:@turbot/aws-iam#/policy/types/iamPolicyTrustedServices\")\n}\n"
"{% if $.services | length == 0 %}[]{% endif %}{% for item in $.services %}- '{{ item }}'\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "pattern": "(?:^\\S*\\.amazonaws\\.com$|^\\*$)" }}
AWS > IAM > Role > Policy Attachments
tmod:@turbot/aws-iam#/policy/types/rolePolicyAttached
AWS > IAM > Role > Policy Attachments > Approved
Configure AWS IAM role policy attachments Approved
checking. This policy
defines whether to verify the IAM role attached policies are approved
(per Approved > Compiled Rules
), as well as the subsequent action to
take on unapproved items.
If set to "Enforce: Delete unapproved", any unapproved attached policy
will be removed.
tmod:@turbot/aws-iam#/policy/types/rolePolicyAttachmentsApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved" ], "example": [ "Skip" ], "default": "Skip"}
AWS > IAM > Role > Policy Attachments > Approved > Compiled Rules
A read-only Object Control List (OCL) to add or
remove IAM Policy from a IAM role.
This policy is generated by Turbot.
tmod:@turbot/aws-iam#/policy/types/rolePolicyAttachmentsApprovedCompiledRules
{ "type": "string"}
AWS > IAM > Role > Policy Attachments > Approved > Rules
An Object Control List (OCL) with a list of filter rules
to approve or reject policies.
Note that the Approved control does not operate directly from this policy,
but from the Approved > Compiled Rules
. The rules are processed in order,
and any built-in Guardrails rules will appear first in the list of compiled rules.
tmod:@turbot/aws-iam#/policy/types/rolePolicyAttachmentsApprovedRules
{ "type": "string", "default": "# Approve rules\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
AWS > IAM > Role > Policy Attachments > Required
Configure whether required policies should be attached to a role.
If set to Enforce, policies in Required > Items will be attached to the role.
tmod:@turbot/aws-iam#/policy/types/rolePolicyRequired
[ "Skip", "Check: Required > Items", "Enforce: Required > Items"]
{ "type": "string", "enum": [ "Skip", "Check: Required > Items", "Enforce: Required > Items" ], "example": [ "Skip" ], "default": "Skip"}
AWS > IAM > Role > Policy Attachments > Required > Compiled Items
A list of IAM policies that must be attached to a role.
This is a read-only policy that is generated by Turbot
tmod:@turbot/aws-iam#/policy/types/rolePolicyRequiredCompiledItems
{ "type": "array"}
AWS > IAM > Role > Policy Attachments > Required > Items
A list of IAM policies that must be attached to a role.
tmod:@turbot/aws-iam#/policy/types/rolePolicyRequiredItems
{ "type": "array", "items": { "type": "string", "minLength": 1, "maxLength": 128, "pattern": "^[A-Za-z0-9_+=,.@-]+$" }, "default": []}
AWS > IAM > Role > Policy Attachments > Required > Turbot Lockdown
Configure whether Role has Guardrails Lockdown Policies attached.
tmod:@turbot/aws-iam#/policy/types/rolePolicyRequiredLockdown
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": [ "Enabled" ]}
AWS > IAM > Role > Role Policy Attachments > Active
Check if the AWS IAM Rolepolicyattachment is active based on AWS > IAM > Rolepolicyattachment > Active > * policies.
tmod:@turbot/aws-iam#/policy/types/rolePolicyAttachmentActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > Role > Role Policy Attachments > Active > Last Modified
Check if AWS rolePolicyAttachment is active based on when it was last modified.
tmod:@turbot/aws-iam#/policy/types/rolePolicyAttachmentActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > Role > Role Policy Attachments > CMDB
Configure whether to record and synchronize details for the AWS IAM role policy attachments into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/rolePolicyAttachmentCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Role > Role Policy Attachments > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-iam#/policy/types/rolePolicyAttachmentConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Role > Role Policy Attachments > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/rolePolicyAttachmentConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Role > Role Policy Attachments > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-iam#/policy/types/rolePolicyAttachmentConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Role > Tags
Determine the action to take when an AWS IAM role tags are not updated based on the AWS > IAM > Role > Tags > *
policies.
The control ensure AWS IAM role tags include tags defined in AWS > IAM > Role > Tags > Template
.
Tags not defined in Role Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-iam#/policy/types/roleTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > IAM > Role > Tags > Template
The template is used to generate the keys and values for AWS IAM role.
Tags not defined in Role Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-iam#/policy/types/roleTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-iam#/policy/types/iamTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > IAM > Role > Trust Relationship Statements
tmod:@turbot/aws-iam#/policy/types/trustRelationshipStatements
AWS > IAM > Role > Trust Relationship Statements > Approved
Configure IAM Role trust relationship policy statements checking. This policy defines whether
to verify the role trust relationship policy statements are approved, as well as the
subsequent action to take on unapproved statements. Rules for all Approved
policies will be compiled in Approved > Compiled Rules
and then
evaluated.
If set to Enforce: Delete unapproved
, any unapproved rules will be
revoked from the security group.
tmod:@turbot/aws-iam#/policy/types/trustRelationshipStatementsApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved" ], "example": [ "Skip" ], "default": "Skip"}
AWS > IAM > Role > Trust Relationship Statements > Approved > Compiled Rules
A read-only Object Control List (OCL) to approved or reject role trust policy statements.
This policy is generated by Turbot.
tmod:@turbot/aws-iam#/policy/types/trustRelationshipStatementsApprovedCompiledRules
{ "type": "string"}
AWS > IAM > Role > Trust Relationship Statements > Approved > Rules
An Object Control List (OCL) with a list of filter rules
to approve or reject role trust policy statements.
Note that the Approved control does not operate directly from this policy,
but from the Approved > Compiled Rules
. The rules are processed in order,
and any built-in Guardrails rules will appear first in the list of compiled
rules.
tmod:@turbot/aws-iam#/policy/types/trustRelationshipStatementsApprovedRules
{ "type": "string", "default": "# Approve unmatched rules\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Accounts [Deprecated]
Defines the AWS Accounts that can be allowed to assume the role.
Examples:
- "arn:aws:iam::560741234067:root"
- 492552618977
- 123456789012
Note: This policy has been deprecated in v5.8.0 and will be removed in v6.0.0. It has been replaced by the AWS > IAM > Role > Policy > Trusted Access > Accounts
policy.
tmod:@turbot/aws-iam#/policy/types/trustRelationshipStatementsApprovedTrustedAwsAccounts
"{\n account {\n Id\n }\n}\n"
"- {{ $.account.Id }}"
{ "type": "array", "items": { "anyOf": [ { "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:iam::[0-9]{1,12}:[A-Za-z0-9_+=,.@-]{1,64}$" }, { "type": "string", "pattern": "^cloudfront$" }, { "type": "integer" }, { "type": "string", "pattern": "^[0-9]{12}$", "tests": [ { "description": "valid int - 123456789012", "input": 123456789012 }, { "description": "valid string - 123456789012", "input": "123456789012" }, { "description": "valid - leading zeros", "input": "001234567890" }, { "description": "invalid - contains char", "input": "a123456789012", "expected": false }, { "description": "invalid - too short", "input": 12345678901, "expected": false }, { "description": "invalid - too long", "input": 1234567890123, "expected": false } ], ".turbot": { "uri": "tmod:@turbot/aws#/definitions/accountId", "modUri": "tmod:@turbot/aws" } } ] }}
AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Identity Providers [Deprecated]
Defines the Identity Providers that can be allowed to assume the role.
Examples:
- www.amazon.com
- arn:aws:iam::013122550996:saml-provider/idp1
Note: This policy has been deprecated in v5.8.0 and will be removed in v6.0.0. It has been replaced by the AWS > IAM > Role > Policy > Trusted Access > Identity Providers
policy.
tmod:@turbot/aws-iam#/policy/types/trustRelationshipStatementsApprovedTrustedIdentityProvider
{ "type": "array", "items": { "type": "string" }, "default": []}
AWS > IAM > Role > Trust Relationship Statements > Approved > Trusted Services [Deprecated]
Defines the AWS Services that can be allowed to assume the role.
Examples:
- cloudtrail.amazonaws.com
- cloudwatch.amazonaws.com
Note: This policy has been deprecated in v5.8.0 and will be removed in v6.0.0. It has been replaced by the AWS > IAM > Role > Policy > Trusted Access > Services
policy.
tmod:@turbot/aws-iam#/policy/types/trustRelationshipStatementsApprovedTrustedAwsServices
{ "type": "array", "items": { "type": "string", "pattern": "(^\\S+\\.amazonaws\\.com$)" }, "default": []}
AWS > IAM > Role > Usage
Configure the number of AWS IAM roles that can be used for this account and the current consumption against the limit.
You can configure the behavior of the control with this AWS > IAM > Role > Usage
policy.
tmod:@turbot/aws-iam#/policy/types/roleUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > IAM > Role > Usage > Limit
Maximum number of items that can be created for this account.
tmod:@turbot/aws-iam#/policy/types/roleUsageLimit
{ "type": "integer", "minimum": 0, "default": 1000}
AWS > IAM > Root > Approved
Determine the action to take when an AWS IAM root is not approved based on AWS > IAM > Root > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/rootApproved
[ "Skip", "Check: Approved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > Root > Approved > Custom
Determine whether the AWS IAM root is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM root is not approved, it will be subject to the action specified in the AWS > IAM > Root > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-iam#/policy/types/rootApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > IAM > Root > Approved > Usage
Determine whether the AWS IAM root is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM root is not approved, it will be subject to the action specified in the AWS > IAM > Root > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/rootApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
AWS > IAM > Root > CMDB
Configure whether to record and synchronize details for the AWS IAM root account into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/rootCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Root > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-iam#/policy/types/rootConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > Root > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/rootConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Root > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-iam#/policy/types/rootConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Server Certificate > Active
Determine the action to take when an AWS IAM server certificate, based on the AWS > IAM > Server Certificate > Active > *
policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Server Certificate > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/serverCertificateActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > Server Certificate > Active > Age
The age after which the AWS IAM server certificate
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Server Certificate > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/serverCertificateActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > IAM > Server Certificate > Active > Last Modified
The number of days since the AWS IAM server certificate
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > Server Certificate > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/serverCertificateActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > Server Certificate > Approved
Determine the action to take when an AWS IAM server certificate is not approved based on AWS > IAM > Server Certificate > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/serverCertificateApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > Server Certificate > Approved > Custom
Determine whether the AWS IAM server certificate is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM server certificate is not approved, it will be subject to the action specified in the AWS > IAM > Server Certificate > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-iam#/policy/types/serverCertificateApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > IAM > Server Certificate > Approved > Usage
Determine whether the AWS IAM server certificate is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM server certificate is not approved, it will be subject to the action specified in the AWS > IAM > Server Certificate > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/serverCertificateApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
AWS > IAM > Server Certificate > CMDB
Configure whether to record and synchronize details for the AWS IAM server certificates into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/serverCertificateCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > Server Certificate > Tags
Determine the action to take when an AWS IAM server certificate tags are not updated based on the AWS > IAM > Server Certificate > Tags > *
policies.
The control ensure AWS IAM server certificate tags include tags defined in AWS > IAM > Server Certificate > Tags > Template
.
Tags not defined in Server Certificate Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-iam#/policy/types/serverCertificateTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > IAM > Server Certificate > Tags > Template
The template is used to generate the keys and values for AWS IAM server certificate.
Tags not defined in Server Certificate Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-iam#/policy/types/serverCertificateTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-iam#/policy/types/iamTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > IAM > Server Certificate > Usage
Configure the number of AWS IAM server certificates that can be used for this account and the current consumption against the limit.
You can configure the behavior of the control with this AWS > IAM > Server Certificate > Usage
policy.
tmod:@turbot/aws-iam#/policy/types/serverCertificateUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > IAM > Server Certificate > Usage > Limit
Maximum number of items that can be created for this account.
tmod:@turbot/aws-iam#/policy/types/serverCertificateUsageLimit
{ "type": "integer", "minimum": 0, "default": 20}
AWS > IAM > Stack
Configure a custom stack on AWS, per the custom Stack > Source
.
A Guardrails Stack
is a set of resources configured by Guardrails, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured
control.
tmod:@turbot/aws-iam#/policy/types/iamStack
[ "Skip", "Check: Configured", "Enforce: Configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Enforce: Configured" ], "default": "Skip"}
AWS > IAM > Stack > Secret Variables
Terraform secret variables in Terraform HCL that will be used as
inputs to the stack as a .tfvars file.
A Guardrails Stack
is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured
control.
tmod:@turbot/aws-iam#/policy/types/iamStackSecretVariables
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Stack > Source
The Terraform HCL source used to configure this stack.
A Guardrails Stack
is a set of resources configured by Guardrails, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured
control.
tmod:@turbot/aws-iam#/policy/types/iamStackSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Stack > Terraform Version
The Version of Terraform to use for this stack.
Specify an npm-style semver string to
determine which version of the Terraform container
Guardrails will use to run this stack.
A Guardrails Stack
is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured
control.
tmod:@turbot/aws-iam#/policy/types/iamStackTerraformVersion
"{\n terraformVersion: policy(uri:\"tmod:@turbot/turbot#/policy/types/stackTerraformVersion\")\n}\n"
"{% if $.terraformVersion %}"{{$.terraformVersion}}"{% else %}""{% endif %}"
{ "type": "string"}
AWS > IAM > Stack > Variables
Terraform variables in Terraform HCL that will be used as
inputs to the stack as a .tfvars file.
A Guardrails Stack
is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured
control.
tmod:@turbot/aws-iam#/policy/types/iamStackVariables
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > Tags Template [Default]
A template used to generate the keys and values for AWS IAM resources.
By default, all IAM resource Tags > Template policies will use this value.
tmod:@turbot/aws-iam#/policy/types/iamTagsTemplate
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws#/policy/types/defaultTagsTemplate\") {\n value\n }\n}\n"
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > IAM > Trusted Accounts [Default]
List of AWS Accounts that are trusted for access in the AWS IAM policy.
This policy is used by the Trusted Access
control to determine which members of type "account" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.<br />example:<br /> - "013122550996"<br /> - "560741234067"<br />
Note: Setting the policy to Empty
array will remove all accounts.
tmod:@turbot/aws-iam#/policy/types/iamPolicyTrustedAccounts
"{\n trustedAccounts: policyValue(uri:\"tmod:@turbot/aws#/policy/types/trustedAccounts\") {\n value\n }\n}\n"
"{% if $.trustedAccounts.value | length == 0 %}[]{% else %}{% for item in $.trustedAccounts.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string", "pattern": "^[0-9]{12}|^\\*$" }}
AWS > IAM > Trusted Identity Providers [Default]
List of AWS Identity Providers that are trusted for access in the AWS IAM policy.
This policy is used by the Trusted Access
control to determine which members of type "identity provider" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.<br />example:<br /> - "www.amazon.com"<br /> - "graph.facebook.com"<br />
Note: Setting the policy to Empty
array will remove all identity providers.
tmod:@turbot/aws-iam#/policy/types/iamPolicyTrustedIdentityProviders
"{\n trustedIdentityProviders: policyValue(uri:\"tmod:@turbot/aws#/policy/types/trustedIdentityProviders\") {\n value\n }\n}\n"
"{% if $.trustedIdentityProviders.value | length == 0 %}[]{% else %}{% for item in $.trustedIdentityProviders.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > Trusted Organizations [Default]
List of AWS Organizations that are trusted for access in the AWS IAM policy.
This policy is used by the Trusted Access
control to determine which members of type "organization" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.<br />example:<br /> - "o-333333333"<br /> - "o-c3a5y4wd52"<br />
Note: Trusted Access > Organization Restrictions
are ONLY
applied to AWS principals. Services and Federated principals do
NOT contain the aws:PrincipalOrgId
condition key, and thus
cannot be validated against the Organization.
Setting the policy to Empty
array will remove all organizations.
tmod:@turbot/aws-iam#/policy/types/iamPolicyTrustedOrganizations
"{\n trustedOrganizations: policyValue(uri:\"tmod:@turbot/aws#/policy/types/trustedOrganizations\") {\n value\n }\n}\n"
"{% if $.trustedOrganizations.value | length == 0 %}[]{% else %}{% for item in $.trustedOrganizations.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string", "pattern": "(?:^o-[a-z0-9]{10,32}$|^\\*$)" }}
AWS > IAM > Trusted Services [Default]
List of AWS Services that are trusted for access in the AWS IAM policy.
This policy is used by the Trusted Access
control to determine which members of type "service" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.<br />example:<br /> - "sns.amazonaws.com"<br /> - "ec2.amazonaws.com"<br />
Note: Setting the policy to Empty
array will remove all services.
tmod:@turbot/aws-iam#/policy/types/iamPolicyTrustedServices
"{\n trustedServices: policyValue(uri:\"tmod:@turbot/aws#/policy/types/trustedServices\") {\n value\n }\n}\n"
"{% if $.trustedServices.value | length == 0 %}[]{% else %}{% for item in $.trustedServices.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string", "pattern": "(?:^\\S*\\.amazonaws\\.com$|^\\*$)" }}
AWS > IAM > User > Active
Determine the action to take when an AWS IAM user, based on the AWS > IAM > User > Active > *
policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > User > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/userActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > User > Active > Age
The age after which the AWS IAM user
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > User > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/userActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > IAM > User > Active > Last Modified
The number of days since the AWS IAM user
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > User > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/userActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > User > Active > Recently Used
The number of days since the AWS IAM user was last used before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > IAM > User > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-iam#/policy/types/userActiveRecentlyUsed
[ "Skip", "Active if recently used <= 1 day", "Active if recently used <= 3 days", "Active if recently used <= 7 days", "Active if recently used <= 14 days", "Active if recently used <= 30 days", "Active if recently used <= 60 days", "Active if recently used <= 90 days", "Active if recently used <= 180 days", "Active if recently used <= 365 days", "Force active if recently used <= 1 day", "Force active if recently used <= 3 days", "Force active if recently used <= 7 days", "Force active if recently used <= 14 days", "Force active if recently used <= 30 days", "Force active if recently used <= 60 days", "Force active if recently used <= 90 days", "Force active if recently used <= 180 days", "Force active if recently used <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if recently used <= 1 day", "Active if recently used <= 3 days", "Active if recently used <= 7 days", "Active if recently used <= 14 days", "Active if recently used <= 30 days", "Active if recently used <= 60 days", "Active if recently used <= 90 days", "Active if recently used <= 180 days", "Active if recently used <= 365 days", "Force active if recently used <= 1 day", "Force active if recently used <= 3 days", "Force active if recently used <= 7 days", "Force active if recently used <= 14 days", "Force active if recently used <= 30 days", "Force active if recently used <= 60 days", "Force active if recently used <= 90 days", "Force active if recently used <= 180 days", "Force active if recently used <= 365 days" ], "example": [ "Active if recently used <= 90 days" ], "default": "Skip"}
AWS > IAM > User > Approved
Determine the action to take when an AWS IAM user is not approved based on AWS > IAM > User > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/userApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > User > Approved > Custom
Determine whether the AWS IAM user is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM user is not approved, it will be subject to the action specified in the AWS > IAM > User > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-iam#/policy/types/userApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > IAM > User > Approved > Turbot
Determine whether IAM Policies that are defined and configured by Guardrails (for example, from the Permissions stack or the Service Roles stack) will always be approved.
tmod:@turbot/aws-iam#/policy/types/userApprovedTurbot
[ "Skip", "Force Approved for Turbot User"]
{ "type": "string", "enum": [ "Skip", "Force Approved for Turbot User" ], "default": "Force Approved for Turbot User"}
AWS > IAM > User > Approved > Usage
Determine whether the AWS IAM user is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM user is not approved, it will be subject to the action specified in the AWS > IAM > User > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/userApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
AWS > IAM > User > Boundary
Configure which boundary policy to apply to the IAM user .
This must be the name of an existing AWS IAM Boundary policy.
AWS Boundary Policies are used to enforce Turbot Guardrails for
enabling/disabling API Services and Regions.
If set to Check or Enforce per AWS > Turbot > Permissions
,
the boundary will be enforced if Turbot > Permissions are enforced, checked
if Turbot > Permissions are checked, and skipped if Guardrails Permissions
are none or skip
tmod:@turbot/aws-iam#/policy/types/userBoundary
[ "Skip", "Check: No Boundary", "Check: Boundary > Policy", "Enforce: No Boundary", "Enforce: Boundary > Policy", "Check or Enforce per `AWS > Turbot > Permissions`"]
{ "type": "string", "enum": [ "Skip", "Check: No Boundary", "Check: Boundary > Policy", "Enforce: No Boundary", "Enforce: Boundary > Policy", "Check or Enforce per `AWS > Turbot > Permissions`" ], "default": "Skip"}
AWS > IAM > User > Boundary > Policy
Configure which boundary policy to apply to the IAM user.
This must be the name of an existing AWS IAM Boundary policy.
AWS Boundary Policies are used to enforce Turbot Guardrails for
enabling/disabling API Services and Regions.
tmod:@turbot/aws-iam#/policy/types/userBoundaryPolicy
"{\n prefix: policy(uri:\"#/policy/types/turbotNamePrefixDefault\")\n}\n"
"{{$.prefix}}boundary"
AWS > IAM > User > CMDB
Configure whether to record and synchronize details for the AWS IAM user into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/userCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > User > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-iam#/policy/types/userConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > User > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/userConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > User > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-iam#/policy/types/userConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > User > Group Memberships > CMDB
Configure whether to record and synchronize details for the AWS IAM user group memberships into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/userGroupMembershipsCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > User > Group Memberships > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-iam#/policy/types/userGroupMembershipsConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > User > Group Memberships > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/userGroupMembershipsConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > User > Group Memberships > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-iam#/policy/types/userGroupMembershipsConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > IAM > User > Inline Policy > Approved
Determine the action to take when an AWS IAM user inline policy is not approved based on AWS > IAM > User > Inline Policy > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/userInlinePolicyApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > IAM > User > Inline Policy > Approved > Custom
Determine whether the AWS IAM user inline policy is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM user inline policy is not approved, it will be subject to the action specified in the AWS > IAM > User > Inline Policy > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-iam#/policy/types/userInlinePolicyApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > IAM > User > Inline Policy > Approved > Usage
Determine whether the AWS IAM user inline policy is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS IAM user inline policy is not approved, it will be subject to the action specified in the AWS > IAM > User > Inline Policy > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-iam#/policy/types/userInlinePolicyApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > IAM > Enabled"}
AWS > IAM > User > Inline Policy > CMDB
Configure whether to record and synchronize details for the AWS IAM user inline policy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/userInlinePolicyCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > User > Inline Policy > Statements
tmod:@turbot/aws-iam#/policy/types/userInlinePolicyStatements
AWS > IAM > User > Inline Policy > Statements > Approved
Configure IAM Policy Statements checking. This policy defines whether to verify the
policy statements are approved, as well as the subsequent action to take on unapproved
statements.
Rules for all Approved policies will be compiled in Approved > Compiled Rules
and then evaluated. If set to "Enforce: Delete unapproved", any unapproved statements
will be removed from the policy.
tmod:@turbot/aws-iam#/policy/types/userInlinePolicyStatementsApproved
[ "Skip", "Check: Approved", "Enforce: Delete Unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete Unapproved" ], "default": "Skip"}
AWS > IAM > User > Inline Policy > Statements > Approved > Administrator Access
If set to "Disabled", IAM User Inline Policy statements that allow any action ('') on any resource ('') will be unapproved.
tmod:@turbot/aws-iam#/policy/types/userInlinePolicyStatementsApprovedAdminAccess
[ "Enabled: Allow Administrator Access ('*:*') policies", "Disabled: Disallow Administrator Access ('*:*') policies"]
{ "type": "string", "enum": [ "Enabled: Allow Administrator Access ('*:*') policies", "Disabled: Disallow Administrator Access ('*:*') policies" ], "default": "Enabled: Allow Administrator Access ('*:*') policies"}
AWS > IAM > User > Inline Policy > Statements > Approved > Compiled Rules
A read-only Object Control List (OCL) to approved or reject inline policy statements for an IAM User. This policy is generated by Guardrails based on the "Approved > *" policies.
tmod:@turbot/aws-iam#/policy/types/userInlinePolicyStatementsApprovedCompiledRules
{ "type": "string"}
AWS > IAM > User > Inline Policy > Statements > Approved > Rules
An Object Control List (OCL) with a list of filter rules to approve or reject IAM policy statements. Note that the Approved control does not operate directly from this policy, but from the Approved > Compiled Rules. The rules are processed in order, and any built-in Guardrails rules will appear first in the list of compiled rules.
This is the last statement, so all unmatched items will be (approved/rejected) by this statement.
Note: Removing APPROVE * will reject all the unmatched rules.
tmod:@turbot/aws-iam#/policy/types/userInlinePolicyStatementsApprovedRules
{ "type": "string", "default": "# Approve(APPROVE *) / Reject(REJECT *) unmatched rules\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
AWS > IAM > User > Login Profile
Configure whether to remove Login Profile for a user. If set to Enforce: Delete login profile
, the Login Profile for the User will be deleted.
tmod:@turbot/aws-iam#/policy/types/userLoginProfile
[ "Skip", "Check: Login profile enabled", "Enforce: Delete login profile"]
{ "type": "string", "enum": [ "Skip", "Check: Login profile enabled", "Enforce: Delete login profile" ], "example": [ "Check: Login profile enabled" ], "default": "Skip"}
AWS > IAM > User > Policy Attachments
tmod:@turbot/aws-iam#/policy/types/userPolicyAttached
AWS > IAM > User > Policy Attachments > Approved
Configure AWS IAM user policy attachments Approved
checking. This policy
defines whether to verify the IAM user attached policies are approved
(per Approved > Compiled Rules
), as well as the subsequent action to
take on unapproved items.
If set to "Enforce: Delete unapproved", any unapproved attached policy
will be removed.
tmod:@turbot/aws-iam#/policy/types/userPolicyAttachmentsApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved" ], "example": [ "Skip" ], "default": "Skip"}
AWS > IAM > User > Policy Attachments > Approved > Compiled Rules
A read-only Object Control List (OCL) to add or
remove IAM Policy from a IAM user.
This policy is generated by Turbot.
tmod:@turbot/aws-iam#/policy/types/userPolicyAttachmentsApprovedCompiledRules
{ "type": "string"}
AWS > IAM > User > Policy Attachments > Approved > Rules
An Object Control List (OCL) with a list of filter rules
to approve or reject policies.
Note that the Approved control does not operate directly from this policy,
but from the Approved > Compiled Rules
. The rules are processed in order,
and any built-in Guardrails rules will appear first in the list of compiled rules.
tmod:@turbot/aws-iam#/policy/types/userPolicyAttachmentsApprovedRules
{ "type": "string", "default": "# Approve rules\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
AWS > IAM > User > Policy Attachments > Required
Configure whether required policies should be attached to a user.
If set to Enforce, policies in Required > Items will be attached to the user.
tmod:@turbot/aws-iam#/policy/types/userPolicyRequired
[ "Skip", "Check: Required > Items", "Enforce: Required > Items"]
{ "type": "string", "enum": [ "Skip", "Check: Required > Items", "Enforce: Required > Items" ], "example": [ "Skip" ], "default": "Skip"}
AWS > IAM > User > Policy Attachments > Required > Compiled Items
A list of IAM policies that must be attached to a user.
This is a read-only policy that is generated by Turbot
tmod:@turbot/aws-iam#/policy/types/userPolicyRequiredCompiledItems
{ "type": "array"}
AWS > IAM > User > Policy Attachments > Required > Items
A list of IAM policies that must be attached to a user.
tmod:@turbot/aws-iam#/policy/types/userPolicyRequiredItems
{ "type": "array", "items": { "type": "string", "minLength": 1, "maxLength": 128, "pattern": "^[A-Za-z0-9_+=,.@-]+$" }, "default": []}
AWS > IAM > User > Policy Attachments > Required > Turbot Lockdown
Configure whether User has Guardrails Lockdown Policies attached.
tmod:@turbot/aws-iam#/policy/types/userPolicyRequiredLockdown
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "example": [ "Enabled" ]}
AWS > IAM > User > Tags
Determine the action to take when an AWS IAM user tags are not updated based on the AWS > IAM > User > Tags > *
policies.
The control ensure AWS IAM user tags include tags defined in AWS > IAM > User > Tags > Template
.
Tags not defined in User Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-iam#/policy/types/userTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > IAM > User > Tags > Template
The template is used to generate the keys and values for AWS IAM user.
Tags not defined in User Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-iam#/policy/types/userTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-iam#/policy/types/iamTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > IAM > User > Turbot Access Key
The access key ID of the Guardrails managed access key for the user.
tmod:@turbot/aws-iam#/policy/types/userTurbotAccessKey
{ "type": "string", "default": ""}
AWS > IAM > User > Turbot Access Key > Rotation
Configure how frequently the Guardrails managed access key is rotated.
tmod:@turbot/aws-iam#/policy/types/userTurbotAccessKeyRotation
[ "Skip", "Enforce: 1 day", "Enforce: 3 days", "Enforce: 7 days", "Enforce: 14 days", "Enforce: 30 days", "Enforce: 60 days", "Enforce: 90 days"]
{ "type": "string", "enum": [ "Skip", "Enforce: 1 day", "Enforce: 3 days", "Enforce: 7 days", "Enforce: 14 days", "Enforce: 30 days", "Enforce: 60 days", "Enforce: 90 days" ], "default": "Enforce: 30 days"}
AWS > IAM > User > Turbot Secret Access Key
The secret access key of the Guardrails managed access key for the user.
tmod:@turbot/aws-iam#/policy/types/userTurbotSecretAccessKey
{ "type": "string", "default": ""}
AWS > IAM > User > Usage
Configure the number of AWS IAM users that can be used for this account and the current consumption against the limit.
You can configure the behavior of the control with this AWS > IAM > User > Usage
policy.
tmod:@turbot/aws-iam#/policy/types/userUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > IAM > User > Usage > Limit
Maximum number of items that can be created for this account.
tmod:@turbot/aws-iam#/policy/types/userUsageLimit
{ "type": "integer", "minimum": 0, "default": 5000}
AWS > IAM > User > User Policy Attachments > Active
Check if the AWS IAM Userpolicyattachment is active based on AWS > IAM > Userpolicyattachment > Active > * policies.
tmod:@turbot/aws-iam#/policy/types/userPolicyAttachmentActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > IAM > User > User Policy Attachments > Active > Last Modified
Check if AWS userPolicyAttachment is active based on when it was last modified.
tmod:@turbot/aws-iam#/policy/types/userPolicyAttachmentActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > IAM > User > User Policy Attachments > CMDB
Configure whether to record and synchronize details for the AWS IAM user policy attachment into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-iam#/policy/types/userPolicyAttachmentCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > IAM > User > User Policy Attachments > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-iam#/policy/types/userPolicyAttachmentConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > IAM > User > User Policy Attachments > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-iam#/policy/types/userPolicyAttachmentConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > IAM > User > User Policy Attachments > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-iam#/policy/types/userPolicyAttachmentConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-iam
The CloudWatch Events event pattern used by the AWS IAM module to specify
which events to forward to the Guardrails Event Handlers.
tmod:@turbot/aws-iam#/policy/types/iamCustomEventPatterns
{ "type": "array", "items": { "type": "object" }}
AWS > Turbot > IAM
AWS > Turbot > IAM > Managed
This policy determines the permission mode used by Guardrails. There are 3 possible configurations:
None: Guardrails will not manage any AWS IAM permissions. This setting is for organizations that want to maintain complete control over AWS IAM.
Policy-Only Mode: Guardrails policies are created in AWS IAM, but no management of roles or users will occur. This option helps automate policy creation across a wide number of accounts while keeping control in the hands of the organization.
Role Mode: Guardrails will create policies and roles within the AWS account. This allows administrators to assign AWS permissions in Guardrails. Users federate into AWS and will assume the role that is assigned to their profile in Guardrails.
Role Mode with strict Turbot-managed policies: Ensures Turbot-managed policies can be attached to roles, blocking custom policy attachments for stricter security control.
User Mode: Guardrails will create policies, roles, groups and users within the AWS account. Access granted at the folder level ABOVE the accounts will always leverage roles. Guardrails users granted access only at the folder level will NOT have a corresponding IAM User. If a user is granted any access explicitly on the account, an IAM user will be created for them.
User Mode with strict Turbot-managed policies and groups: Restricts roles, users, and groups to only Turbot-managed policies and groups, ensuring a secure and controlled environment by disallowing custom attachments.
tmod:@turbot/aws-iam#/policy/types/iamTurbotManaged
[ "Skip", "Check: None", "Check: Policy-Only Mode", "Check: Role Mode", "Check: Role Mode with strict Turbot-managed policies", "Check: User Mode", "Check: User Mode with strict Turbot-managed policies and groups", "Enforce: None", "Enforce: Policy-Only Mode", "Enforce: Role Mode", "Enforce: Role Mode with strict Turbot-managed policies", "Enforce: User Mode", "Enforce: User Mode with strict Turbot-managed policies and groups"]
{ "type": "string", "enum": [ "Skip", "Check: None", "Check: Policy-Only Mode", "Check: Role Mode", "Check: Role Mode with strict Turbot-managed policies", "Check: User Mode", "Check: User Mode with strict Turbot-managed policies and groups", "Enforce: None", "Enforce: Policy-Only Mode", "Enforce: Role Mode", "Enforce: Role Mode with strict Turbot-managed policies", "Enforce: User Mode", "Enforce: User Mode with strict Turbot-managed policies and groups" ], "example": [ "Enforce: None" ], "default": "Skip"}
AWS > Turbot > Permissions
This policy determines the permission mode used by Guardrails. There are 3 possible configurations:
None: Guardrails will not manage any AWS IAM permissions. This setting is for organizations that want to maintain complete control over AWS IAM.
Policy-Only Mode: Guardrails policies are created in AWS IAM, but no management of roles or users will occur. This option helps automate policy creation across a wide number of accounts while keeping control in the hands of the organization.
Role Mode: Guardrails will create policies and roles within the AWS account. This allows administrators to assign AWS permissions in Guardrails. Users federate into AWS and will assume the role that is assigned to their profile in Guardrails.
User Mode: Guardrails will create policies, roles and users within the AWS account. Access granted at the folder level ABOVE the accounts will always leverage roles. Guardrails users granted access only at the folder level will NOT have a corresponding IAM User. If a user is granted any access explicitly on the account, an IAM user will be created for them
tmod:@turbot/aws-iam#/policy/types/permissions
[ "Skip", "Check: None", "Check: Policy-Only Mode", "Check: Role Mode", "Check: User Mode", "Enforce: None", "Enforce: Policy-Only Mode", "Enforce: Role Mode", "Enforce: User Mode"]
{ "type": "string", "enum": [ "Skip", "Check: None", "Check: Policy-Only Mode", "Check: Role Mode", "Check: User Mode", "Enforce: None", "Enforce: Policy-Only Mode", "Enforce: Role Mode", "Enforce: User Mode" ], "example": [ "Enforce: None" ], "default": "Skip"}
AWS > Turbot > Permissions > Compiled
tmod:@turbot/aws-iam#/policy/types/iamPermissionsCompiled
AWS > Turbot > Permissions > Compiled > API Boundary
tmod:@turbot/aws-iam#/policy/types/iamPermissionsCompiledLevelsApiBoundary
{ "type": "array"}
AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-iam
A read-only policy generated by Guardrails that lists the APIs that
should be added to the turbot-managed (hard) boundary policy,
thereby enabling them to be assigned to users and roles.
This value will change depending on the value of the value of theAWS > IAM > Permissions > Lockdown > API Boundary
policy
tmod:@turbot/aws-iam#/policy/types/awsCompiledApiBoundary
{ "type": "array"}
AWS > Turbot > Permissions > Compiled > Account Permissions
A calculated policy that Guardrails uses to create a single list of ALL permissions for all provider level permissions (AWS/Admin, AWS/Operator, etc) that is used as input to the control that manages the IAM stack
tmod:@turbot/aws-iam#/policy/types/iamPermissionsCompiledAccountPermissions
AWS > Turbot > Permissions > Compiled > Allow Statements
A calculated policy that Guardrails uses to create a compiled list of ALL custom "Allow" policy statements for AWS API Gateway that is used as input to the stack that manages the Guardrails IAM permissions objects.
tmod:@turbot/aws-iam#/policy/types/iamPermissionsCompiledAllowStatements
{ "type": "array"}
AWS > Turbot > Permissions > Compiled > Levels
A calculated policy that Guardrails uses to create a single list of ALL permissions levels for all services that is used as input to the stack that manages the Guardrails IAM permissions objects.
tmod:@turbot/aws-iam#/policy/types/iamPermissionsCompiledLevels
AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-iam
A calculated policy that Guardrails uses to create a compiled list of
ALL permissions for AWS IAM that is used as input to the stack that
manages the Guardrails IAM permissions objects.
tmod:@turbot/aws-iam#/policy/types/awsLevelsCompiled
AWS > Turbot > Permissions > Compiled > Lockdown Statements
A calculated policy that Guardrails uses to create a single list of ALL lockdown policy statements for all services that is used as input to the stack that manages the Guardrails IAM permissions objects.
tmod:@turbot/aws-iam#/policy/types/iamPermissionsCompiledLockdownStatements
{ "type": "array"}
AWS > Turbot > Permissions > Compiled > Lockdown Statements > @turbot/aws-iam
A calculated policy that Guardrails uses to create a compiled list of ALL
lockdown policy statements for AWS IAM that is used as input to the stack
that manages the Guardrails IAM permissions objects.
tmod:@turbot/aws-iam#/policy/types/awsCompiledLockdownStatements
{ "type": "array"}
AWS > Turbot > Permissions > Compiled > Service Permissions
A calculated policy that Guardrails uses to create a single list of ALL permissions for all services that is used as input to the control that manages the IAM stack.
tmod:@turbot/aws-iam#/policy/types/iamPermissionsCompiledServicePermissions
{ "type": "array"}
AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-iam
A calculated policy that Guardrails uses to create a compiled list of ALL permissions
for AWS IAM that is used as input to the control that manages the IAM stack.
tmod:@turbot/aws-iam#/policy/types/awsCompiledServicePermissions
AWS > Turbot > Permissions > Custom Group Levels [Account]
An ordered list of custom levels used to customize Turbot's permissions. Levels in this policy will appear in the Turbot console as grantable to Turbot users as AWS/Group/{group name}
. When granted access, Turbot will attach the Group to the IAM user via the AWS > Turbot > IAM
stack. Note that the IAM groups must already exist in the AWS Account, and Turbot must have the ability to attach users to these groups.
tmod:@turbot/aws-iam#/policy/types/permissionsCustomGroupLevelsAccount
{ "type": "array", "default": [], "example": [ [ "my_custom_backup_group", "my_custom_infosec_group" ] ]}
AWS > Turbot > Permissions > Custom Role Levels [Account]
An ordered list of custom levels used to customize Turbot's permissions. Levels in this policy will appear in the Guardrails console as grantable to Guardrails users as AWS/Role/{role name}
. When granted access, Guardrails will allow the user to assume the associated IAM role. Note that the IAM roles must already exist in the AWS Account, and Guardrails must have the ability to assume the roles.
tmod:@turbot/aws-iam#/policy/types/permissionsCustomLevelsAccount
{ "type": "array", "default": [], "example": [ [ "my_custom_backup_role", "my_custom_infosec_role" ] ]}
AWS > Turbot > Permissions > Custom Role Levels [Folder]
An ordered list of custom levels used to customize Guardrails' permissions. Levels in this policy will appear in the Guardrails console as grantable to Guardrails users as AWS/Role/{role name}
at a folder level. When granted access, Guardrails will allow the user to assume the associated IAM role. Note that the IAM roles must already exist in the AWS Account, and Guardrails must have the ability to assume the roles.
tmod:@turbot/aws-iam#/policy/types/permissionsCustomLevelsFolder
{ "type": "array", "default": [], "example": [ [ "my_custom_backup_role", "my_custom_infosec_role" ] ]}
AWS > Turbot > Permissions > Group
Configures Guardrails IAM Groups, depending on AWS > Permissions.
tmod:@turbot/aws-iam#/policy/types/turbotGroup
AWS > Turbot > Permissions > Group > Name Path
The value to be used in resource path names for standard Guardrails IAM Groups. The path should start and end with a slash (/).
tmod:@turbot/aws-iam#/policy/types/turbotGroupNamePath
"{\n prefixPath: policy(uri: \"#/policy/types/turbotNamePathDefault\")\n}\n"
"'{{ $.prefixPath }}'"
{ "type": "string", "pattern": "^/.*/$"}
AWS > Turbot > Permissions > Group > Name Prefix
A prefix to be used in resource names for standard Guardrails IAM Groups.
tmod:@turbot/aws-iam#/policy/types/turbotGroupNamePrefix
"{\n prefixName: policy(uri: \"#/policy/types/turbotNamePrefixDefault\")\n}\n"
"'{{ $.prefixName }}'"
{ "type": "string"}
AWS > Turbot > Permissions > Levels
Define the permissions levels that can be used to grant access to an AWS account. Permissions levels defined will appear in the UI to assign access to Guardrails users.
tmod:@turbot/aws-iam#/policy/types/permissionsLevels
{ "type": "array", "items": { "type": "string", "enum": [ "AWS/User", "AWS/Metadata", "AWS/ReadOnly", "AWS/Operator", "AWS/Admin", "AWS/Owner", "AWS/SuperUser" ] }, "default": [ "AWS/User", "AWS/Metadata", "AWS/ReadOnly", "AWS/Operator", "AWS/Admin", "AWS/Owner", "AWS/SuperUser" ]}
AWS > Turbot > Permissions > Levels > Modifiers
A map of AWS API to Guardrails Permission Level used to customize Guardrails' standard permissions. You can add, remove or redefine the mapping of AWS API operations to Guardrails permissions levels here. Note: Modifiers are cumulative - if you add a permission to the Metadata level, it is also added to ReadOnly, Operator and Admin. Modifier policies set here apply ONLY to the AWS level
tmod:@turbot/aws-iam#/policy/types/permissionsLevelsModifiers
{ "type": "array", "default": [], "example": [ [ { "datasync:ListLocations": "Metadata" }, { "datasync:CreateLocationEfs": "Admin" } ] ]}
AWS > Turbot > Permissions > Levels [Default]
Define the permissions levels that can be used to grant access to an AWS account. Permissions levels defined will appear in the UI to assign access to Guardrails users. This policy provides a default for Permissions > Levels in each service, however you can explicitly override the setting for each service if desired
tmod:@turbot/aws-iam#/policy/types/permissionsLevelsDefault
{ "type": "array", "items": { "type": "string", "enum": [ "Metadata", "ReadOnly", "Operator", "Admin", "Owner" ] }, "default": []}
AWS > Turbot > Permissions > Lockdown
tmod:@turbot/aws-iam#/policy/types/permissionsLockdown
AWS > Turbot > Permissions > Lockdown > API Boundary
A list of APIs that should be allowed in the Guardrails
boundary policy.
This is represented as a list of apis and their
scope (regional or global).
For example:
<br /> - api: 's3:*'<br /> regionScope: regional<br /> - api: 'iam:*'<br /> regionScope: global<br />
Note: That APIs can be enabled or disabled via the
relevant AWS > {Service} > API Enabled
policies.
An API will be allowed in the boundary if it is
EITHER enabled via AWS > {Service} > API Enabled
OR added to the AWS > Turbot > Permissions ><br />Lockdown > API Boundary
policy.
tmod:@turbot/aws-iam#/policy/types/permissionsLockdownApiBoundary
AWS > Turbot > Permissions > Lockdown > Region Boundary
Define a list of regions to which API calls can be made. Any API to any region that does not appear in this list will be explicitly denied. The '*' wildcard may be used in these values.
Note that this policy disables the region for ALL users and roles,
and Guardrails will have no access to any regions that do not appear in
the list.
Global services (such as IAM) are not subject to the Region Boundary
tmod:@turbot/aws-iam#/policy/types/permissionsLockdownRegionBoundary
{ "type": "array", "items": { "type": "string", "pattern": "^[-a-z0-9?*]+$" }, "default": [ "*" ]}
AWS > Turbot > Permissions > Lockdown > Regions
Define a list of regions to which API calls can be made. Any API to any region that does not appear in this list will be explicitly denied. The '*' wildcard may be used in these values.
tmod:@turbot/aws-iam#/policy/types/permissionsLockdownRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws#/policy/types/approvedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'{{ '\n' }}{% endfor %}"
AWS > Turbot > Permissions > Name Path [Default]
Provides a default value to be used in resource path names for standard Guardrails IAM objects. The path should start and end with a slash (/) This policy can be referenced other policies (User > Name Path, Role > Name Path, Groups > Name Path, Policy > Name Path) to set a single, consistent default
tmod:@turbot/aws-iam#/policy/types/turbotNamePathDefault
{ "type": "string", "default": "/turbot/", "example": "/turbot/"}
AWS > Turbot > Permissions > Name Prefix [Default]
Provides a default prefix to be used in resource names for standard Guardrails IAM objects. This policy can be referenced other policies (User > Name Prefix, Role > Name Prefix, Group > Name Prefix, Policy > Name Prefix) to set a single, consistent default
tmod:@turbot/aws-iam#/policy/types/turbotNamePrefixDefault
{ "type": "string", "default": "", "example": "turbot-"}
AWS > Turbot > Permissions > Policy
Configures Guardrails IAM Policies, depending on AWS > Permissions.
tmod:@turbot/aws-iam#/policy/types/turbotPolicy
AWS > Turbot > Permissions > Policy > Name Path
The value to be used in resource path names for standard Guardrails IAM Policies. The path should start and end with a slash (/).
tmod:@turbot/aws-iam#/policy/types/turbotPolicyNamePath
"{\n prefixPath: policy(uri: \"#/policy/types/turbotNamePathDefault\")\n}\n"
"'{{ $.prefixPath }}'"
{ "type": "string", "pattern": "^/.*/$"}
AWS > Turbot > Permissions > Policy > Name Prefix
A prefix to be used in resource names for standard Guardrails IAM Policies.
tmod:@turbot/aws-iam#/policy/types/turbotPolicyNamePrefix
"{\n prefixName: policy(uri: \"#/policy/types/turbotNamePrefixDefault\")\n}\n"
"'{{ $.prefixName }}'"
{ "type": "string"}
AWS > Turbot > Permissions > Role
Configures Guardrails IAM Roles, depending on AWS > Permissions.
tmod:@turbot/aws-iam#/policy/types/turbotRole
AWS > Turbot > Permissions > Role > Name Path
The value to be used in resource path names for standard Guardrails IAM Roles. The path should start and end with a slash (/).
tmod:@turbot/aws-iam#/policy/types/turbotRoleNamePath
"{\n prefixPath: policy(uri: \"#/policy/types/turbotNamePathDefault\")\n}\n"
"'{{ $.prefixPath }}'"
{ "type": "string", "pattern": "^/.*/$"}
AWS > Turbot > Permissions > Role > Name Prefix
A prefix to be used in resource names for standard Guardrails IAM Roles.
tmod:@turbot/aws-iam#/policy/types/turbotRoleNamePrefix
"{\n prefixName: policy(uri: \"#/policy/types/turbotNamePrefixDefault\")\n}\n"
"'{{ $.prefixName }}'"
{ "type": "string"}
AWS > Turbot > Permissions > Role > Session Timeout
The session timeout in minutes when roles access the AWS console or obtain
temporary AWS security credentials through Guardrails, e.g., if a user john has
the AWS/Admin
permission in the Permission Tab,
then he can log into an AWS account via Guardrails with
a temporary federated role with AWS/Admin
rights only for the time set
in the policy.
tmod:@turbot/aws-iam#/policy/types/turbotRoleSessionTimeout
{ "type": "integer", "minimum": 15, "maximum": 60, "default": 60}
AWS > Turbot > Permissions > Role > Tags
Ensure AWS IAM Role tags for Guardrails role include tags defined in Role Tags.
tmod:@turbot/aws-iam#/policy/types/turbotRoleTags
null
"[]"
AWS > Turbot > Permissions > Source
A HCL format configuration template to create Guardrails permissions policies.
This policy is read-only, as source is generated by Guardrails.
tmod:@turbot/aws-iam#/policy/types/iamTurbotSource
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Turbot > Permissions > Superuser Boundary
Configure whether Guardrails should apply the Boundary
Policy to AWS/Superuser.
By default, the boundary is applied to all users,
however you can disable the boundary for superusers
by setting this policy to No Boundary
tmod:@turbot/aws-iam#/policy/types/permissionsSuperuserBoundary
[ "No Boundary", "Turbot Boundary"]
{ "type": "string", "enum": [ "No Boundary", "Turbot Boundary" ], "default": "Turbot Boundary"}
AWS > Turbot > Permissions > Tags Default
Provides a default prefix to be used in resource names for standard Guardrails IAM objects. This policy can be referenced other policies (User > Name Prefix, Role > Name Prefix, Group > Name Prefix, Policy > Name Prefix) to set a single, consistent default
tmod:@turbot/aws-iam#/policy/types/turbotTagsDefault
AWS > Turbot > Permissions > Terraform Version
The Version of Terraform to use for this stack.
Specify an npm-style semver string to
determine which version of the Terraform container
Guardrails will use to run this stack.
A Guardrails Stack
is a set of resources configured by Turbot,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured
control.
tmod:@turbot/aws-iam#/policy/types/permissionsTerraformVersion
{ "type": "string"}
AWS > Turbot > Permissions > User
tmod:@turbot/aws-iam#/policy/types/turbotUser
AWS > Turbot > Permissions > User > Access Keys Enabled
If enabled, Guardrails IAM users will be allowed to manage their IAM user access
keys from the Guardrails console.
tmod:@turbot/aws-iam#/policy/types/turbotUserAccessKeysEnabled
[ "Disabled", "Enabled"]
{ "type": "string", "enum": [ "Disabled", "Enabled" ], "example": [ "Disabled" ], "default": "Disabled"}
AWS > Turbot > Permissions > User > Group Membership Mode
Configure the group membership mode for the AWS > Turbot > IAM
stack.
In Exclusive
mode, the AWS > Turbot > IAM
stack will manage the users group memberships exactly - groups added outside of Guardrails will be removed. In Non-Exclusive
mode, the AWS > Turbot > IAM
stack will only manage the Guardrails groups that it creates - it will not remove groups added outside of Turbot.
tmod:@turbot/aws-iam#/policy/types/turbotUserGroupMembershipMode
[ "Exclusive", "Non-Exclusive"]
{ "type": "string", "enum": [ "Exclusive", "Non-Exclusive" ], "example": [ "Exclusive" ], "default": "Exclusive"}
AWS > Turbot > Permissions > User > Name Path
The value to be used in resource path names for standard Guardrails IAM Users. The path should start and end with a slash (/).
tmod:@turbot/aws-iam#/policy/types/turbotUserNamePath
"{\n prefixPath: policy(uri: \"#/policy/types/turbotNamePathDefault\")\n}\n"
"'{{ $.prefixPath }}'"
{ "type": "string", "pattern": "^/.*/$"}
AWS > Turbot > Permissions > User > Session Timeout
The session timeout in minutes when users access the AWS console or obtain
temporary AWS security credentials through Turbot, e.g., if a user john has
the AWS/Admin
permission in the Permission Tab,
then he can log into an AWS account via Guardrails only for time set in the policy.
tmod:@turbot/aws-iam#/policy/types/turbotUserSessionTimeout
{ "type": "integer", "minimum": 15, "maximum": 2160, "default": 60}
AWS > Turbot > Permissions > User > Tags
Ensure AWS IAM Role tags for Guardrails role include tags defined in User Tags.
tmod:@turbot/aws-iam#/policy/types/turbotUserTags
null
"[]"
AWS > Turbot > Permissions > User Boundary
Configure whether Guardrails should apply the Boundary
Policy to users.
By default, the boundary is applied to all users,
however you can disable the boundary for users
by setting this policy to No Boundary
tmod:@turbot/aws-iam#/policy/types/permissionsUserBoundary
[ "No Boundary", "Turbot Boundary"]
{ "type": "string", "enum": [ "No Boundary", "Turbot Boundary" ], "default": "Turbot Boundary"}
Turbot > IAM > Permissions > Compiled > Levels > AWS
A list of AWS permissions that Guardrails may use to grant permissions on an account.
tmod:@turbot/aws-iam#/policy/types/turbotPermissionsCompiledLevelsAws
{ "type": "array"}
Turbot > IAM > Permissions > Compiled > Levels > AWS [Turbot]
A list of AWS permissions that Guardrails may use to grant permissions on folders that have aws accounts as children.
tmod:@turbot/aws-iam#/policy/types/turbotPermissionsCompiledLevels