Policy types for @turbot/aws-s3multiregionaccesspoint

• AWS > S3 > Multi-Region Access Point > Active
• AWS > S3 > Multi-Region Access Point > Active > Age
• AWS > S3 > Multi-Region Access Point > Active > Budget
• AWS > S3 > Multi-Region Access Point > Active > Last Modified
• AWS > S3 > Multi-Region Access Point > Approved
• AWS > S3 > Multi-Region Access Point > Approved > Budget
• AWS > S3 > Multi-Region Access Point > Approved > Custom
• AWS > S3 > Multi-Region Access Point > Approved > Usage
• AWS > S3 > Multi-Region Access Point > CMDB
• AWS > S3 > Multi-Region Access Point > Usage
• AWS > S3 > Multi-Region Access Point > Usage > Limit
• AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-s3multiregionaccesspoint

AWS > S3 > Multi-Region Access Point > Active

Determine the action to take when an AWS S3 multi-region access point, based on the AWS > S3 > Multi-Region Access Point > Active > * policies.\n\nThe control determines whether the resource is in active use, and if not,\nhas the ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > S3 > Multi-Region Access Point > Active > *), raises an alarm, and takes the defined enforcement\naction. Each Active sub-policy can calculate a status of active, inactive\nor skipped. Generally, if the resource appears to be Active for any reason\nit will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered\nUnapproved.\n\nSee Active for more information.\n

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > S3 > Multi-Region Access Point > Active > Age

The age after which the AWS S3 multi-region access point\nis no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > S3 > Multi-Region Access Point > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > S3 > Multi-Region Access Point > Active > Budget

The impact of the budget state on the active control. This policy allows you to force\nmultiregionAccessPoints to inactive based on the current budget state, as reflected in\nAWS > Account > Budget > State\n\nThe Active control determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated compliance\nenvironment, it's common to end up with a wide range of alarms that are difficult\nand time consuming to clear. The Active control brings automated, well-defined\ncontrol to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > S3 > Multi-Region Access Point > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n

[
  "Skip",
  "Force inactive if Budget > State is Over or higher",
  "Force inactive if Budget > State is Critical or higher",
  "Force inactive if Budget > State is Shutdown"
]

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if Budget > State is Over or higher",
    "Force inactive if Budget > State is Critical or higher",
    "Force inactive if Budget > State is Shutdown"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > S3 > Multi-Region Access Point > Active > Last Modified

The number of days since the AWS S3 multi-region access point\nwas last modified before it is considered inactive.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > S3 > Multi-Region Access Point > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > S3 > Multi-Region Access Point > Approved

Determine the action to take when an AWS S3 multi-region access point is not approved based on AWS > S3 > Multi-Region Access Point > Approved > * policies.\n\nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.\n\nFor any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.\n\nSee Approved for more information.\n

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > S3 > Multi-Region Access Point > Approved > Budget

The policy allows you to set multi-region access points to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State\n\nThis policy will be evaluated by the Approved control. If an AWS S3 multi-region access point is not matched by the approved list, it will be subject to the action specified in the AWS > S3 > Multi-Region Access Point > Approved policy.\n\nSee Approved for more information.\n

[
  "Skip",
  "Unapproved if Budget > State is Over or higher",
  "Unapproved if Budget > State is Critical or higher",
  "Unapproved if Budget > State is Shutdown"
]

{
  "type": "string",
  "enum": [
    "Skip",
    "Unapproved if Budget > State is Over or higher",
    "Unapproved if Budget > State is Critical or higher",
    "Unapproved if Budget > State is Shutdown"
  ],
  "example": [
    "Unapproved if Budget > State is Shutdown"
  ],
  "default": "Skip"
}

AWS > S3 > Multi-Region Access Point > Approved > Custom

Determine whether the AWS S3 multi-region access point is allowed to exist.\nThis policy will be evaluated by the Approved control. If an AWS S3 multi-region access point is not approved, it will be subject to the action specified in the AWS > S3 > Multi-Region Access Point > Approved policy.\nSee Approved for more information.\n\nNote: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.\n

{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

AWS > S3 > Multi-Region Access Point > Approved > Usage

Determine whether the AWS S3 multi-region access point is allowed to exist.\n\nThis policy will be evaluated by the Approved control. If an AWS S3 multi-region access point is not approved, it will be subject to the action specified in the AWS > S3 > Multi-Region Access Point > Approved policy.\n\nSee Approved for more information.\n

[
  "Not approved",
  "Approved",
  "Approved if AWS > S3 > Enabled"
]

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > S3 > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > S3 > Enabled"
}

AWS > S3 > Multi-Region Access Point > CMDB

Configure whether to record and synchronize details for the AWS S3 multi-region access point into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.\nAll policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".\n

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > S3 > Multi-Region Access Point > Usage

Configure the number of AWS multi-region access points that can be used for this account and the current consumption against the limit.\n\nYou can configure the behavior of the control with this AWS > > Multi-Region Access Point > Usage policy.\n

[
  "Skip",
  "Check: Usage <= 85% of Limit",
  "Check: Usage <= 100% of Limit"
]

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Usage <= 85% of Limit",
    "Check: Usage <= 100% of Limit"
  ],
  "example": [
    "Check: Usage <= 85% of Limit"
  ],
  "default": "Skip"
}

AWS > S3 > Multi-Region Access Point > Usage > Limit

Maximum number of items that can be created for this account.

{
  "type": "integer",
  "minimum": 0,
  "default": 100
}

AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-s3multiregionaccesspoint

The CloudWatch Events event pattern used by the AWS S3 Multi-Region Access Point module to specify\nwhich events to forward to the Guardrails Event Handlers.\n

{
  "type": "array",
  "items": {
    "type": "object"
  }
}