Policy types for @turbot/aws-sagemaker

Parent

Targets

Valid Value

[
  "Enabled",
  "Disabled",
  "Enabled if AWS > SageMaker > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Enabled",
    "Disabled",
    "Enabled if AWS > SageMaker > Enabled"
  ],
  "default": "Enabled"
}

AWS > SageMaker > Approved Regions [Default]

A list of AWS regions in which AWS SageMaker resources are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy is the default value for all AWS SageMaker resources' Approved > Regions policies.

URI

tmod:@turbot/aws-sagemaker#/policy/types/sageMakerApprovedRegionsDefault

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/aws#/policy/types/approvedRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Code Repository > Active

Determine the action to take when an AWS SageMaker code repository, based on the AWS > SageMaker > Code Repository > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > SageMaker > Code Repository > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/codeRepositoryActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > SageMaker > Code Repository > Active > Age

The age after which the AWS SageMaker code repository is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/codeRepositoryActiveAge

Category

AWS > SageMaker > Code Repository > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Code Repository > Active > Last Modified

The number of days since the AWS SageMaker code repository was last modified before it is considered inactive.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/codeRepositoryActiveLastModified

Category

AWS > SageMaker > Code Repository > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Code Repository > Approved

Determine the action to take when an AWS SageMaker code repository is not approved based on AWS > SageMaker > Code Repository > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/codeRepositoryApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > SageMaker > Code Repository > Approved > Regions

A list of AWS regions in which AWS SageMaker code repositorys are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS SageMaker code repository is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > SageMaker > Code Repository > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/codeRepositoryApprovedRegions

Category

AWS > SageMaker > Code Repository > Approved

Parent

Targets

Default Template Input

"{\n  regions: policy(uri: \"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerApprovedRegionsDefault\")\n}\n"

Default Template

"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Code Repository > Approved > Usage

Determine whether the AWS SageMaker code repository is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS SageMaker code repository is not approved, it will be subject to the action specified in the AWS > SageMaker > Code Repository > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/codeRepositoryApprovedUsage

Category

AWS > SageMaker > Code Repository > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if AWS > SageMaker > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > SageMaker > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > SageMaker > Enabled"
}

AWS > SageMaker > Code Repository > CMDB

Configure whether to record and synchronize details for the AWS SageMaker code repository into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > SageMaker > Code Repository > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/aws-sagemaker#/policy/types/codeRepositoryCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > SageMaker > Code Repository > Regions

A list of AWS regions in which AWS SageMaker code repositories are supported for use.

Any code repositories in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI

tmod:@turbot/aws-sagemaker#/policy/types/codeRepositoryRegions

Category

Parent

Targets

Schema

{
  "allOf": [
    {
      "$ref": "aws#/definitions/regionNameMatcherList"
    },
    {
      "default": [
        "af-south-1",
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-south-1",
        "ap-southeast-1",
        "ap-southeast-2",
        "ca-central-1",
        "cn-north-1",
        "cn-northwest-1",
        "eu-central-1",
        "eu-north-1",
        "eu-south-1",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-west-1",
        "us-west-2"
      ]
    }
  ]
}

AWS > SageMaker > Domain > Active

Determine the action to take when an AWS SageMaker domain, based on the AWS > SageMaker > Domain > Active > * policies.

The Active control checks the status of all defined Active policies for the resource (AWS > SageMaker > Domain > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/domainActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > SageMaker > Domain > Active > Age

The age after which the AWS SageMaker domain is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/domainActiveAge

Category

AWS > SageMaker > Domain > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Domain > Active > Last Modified

The number of days since the AWS SageMaker domain was last modified before it is considered inactive.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/domainActiveLastModified

Category

AWS > SageMaker > Domain > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Domain > Approved

Determine the action to take when an AWS SageMaker domain is not approved based on AWS > SageMaker > Domain > Approved > * policies.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/domainApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > SageMaker > Domain > Approved > Custom

Determine whether the AWS SageMaker domain is allowed to exist. This policy will be evaluated by the Approved control. If an AWS SageMaker domain is not approved, it will be subject to the action specified in the AWS > SageMaker > Domain > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI

tmod:@turbot/aws-sagemaker#/policy/types/domainApprovedCustom

Category

Parent

Targets

Resource > Encryption at Rest

Schema

{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

AWS > SageMaker > Domain > Approved > Encryption at Rest

Define the Encryption at Rest settings required for AWS > SageMaker > Domain.

Encryption at Rest refers specifically to the encryption of data when written to an underlying storage system. This control determines whether the resource is encrypted at rest, and sets encryption to your desired level.

The Encryption at Rest control compares the encryption settings against the encryption policies for the resource (AWS > SageMaker > Domain > Encryption at Rest > *), raises an alarm, and takes the defined enforcement action

URI

tmod:@turbot/aws-sagemaker#/policy/types/domainEncryptionAtRest

Category

Parent

Targets

Resource > Encryption at Rest

Valid Value

[
  "None",
  "None or higher",
  "AWS managed key",
  "AWS managed key or higher",
  "Customer managed key",
  "Encryption at Rest > Customer Managed Key"
]

Schema

{
  "type": "string",
  "enum": [
    "None",
    "None or higher",
    "AWS managed key",
    "AWS managed key or higher",
    "Customer managed key",
    "Encryption at Rest > Customer Managed Key"
  ],
  "example": [
    "None or higher"
  ],
  "default": "None or higher"
}

AWS > SageMaker > Domain > Approved > Encryption at Rest > Customer Managed Key

Define the KMS key ID for encryption at rest.

Please make sure the key defined in the template has required permissions.

example:
  alias/aws/ebs
  ddc06e04-ce5f-4995-c758-c2b6c510e8fd
  arn:aws:kms:us-east-1:123456789012:key/ddc06e04-ce5f-4995-c758-c2b6c510e8fd
  arn:aws:kms:us-east-1:123456789012:alias/aws/ebs

URI

tmod:@turbot/aws-sagemaker#/policy/types/domainEncryptionAtRestCustomerManagedKey

Category

Parent

AWS > SageMaker > Domain > Approved > Encryption at Rest

Targets

Default Template Input

"{\n  defaultKey: policy(uri: \"aws-kms#/policy/types/keyDefaultCustomerManagedKey\")\n}\n"

Default Template

"{{ $.defaultKey }}"

Schema

{
  "anyOf": [
    {
      "type": "string",
      "pattern": "^alias/[a-zA-Z0-9:/_-]{1,249}$"
    },
    {
      "type": "string",
      "pattern": "^[-a-z0-9-]{1,255}$"
    },
    {
      "type": "string",
      "pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:key/[-a-z0-9-]{1,255}$"
    },
    {
      "type": "string",
      "pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:alias/[a-zA-Z0-9:/_-]{1,249}$"
    }
  ],
  "tests": [
    {
      "description": "valid - if keyArn",
      "input": "arn:aws:kms:us-east-1:039305405804:key/ddc06e04-ce5f-4995-b758-c2b6c510e8fd"
    },
    {
      "description": "valid - if aliasName",
      "input": "alias/aws/ebs"
    },
    {
      "description": "valid - if keyId",
      "input": "ddc06e04-ce5f-4995-b758-c2b6c510e8fd"
    },
    {
      "description": "valid - if aliasArn",
      "input": "arn:aws:kms:us-east-1:039305405804:alias/aws/ebs"
    }
  ]
}

AWS > SageMaker > Domain > Approved > Regions

A list of AWS regions in which AWS SageMaker domains are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS SageMaker domain is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > SageMaker > Domain > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/domainApprovedRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policy(uri: \"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerApprovedRegionsDefault\")\n}\n"

Default Template

"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Domain > Approved > Usage

Determine whether the AWS SageMaker domain is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS SageMaker domain is not approved, it will be subject to the action specified in the AWS > SageMaker > Domain > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/domainApprovedUsage

Category

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if AWS > SageMaker > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > SageMaker > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > SageMaker > Enabled"
}

AWS > SageMaker > Domain > CMDB

Configure whether to record and synchronize details for the AWS SageMaker domain into the CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > SageMaker > Domain > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/aws-sagemaker#/policy/types/domainCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > SageMaker > Domain > Regions

A list of AWS regions in which AWS SageMaker domains are supported for use.

Any domains in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI

tmod:@turbot/aws-sagemaker#/policy/types/domainRegions

Category

Parent

Targets

Schema

{
  "allOf": [
    {
      "$ref": "aws#/definitions/regionNameMatcherList"
    },
    {
      "default": [
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-south-1",
        "ap-southeast-1",
        "ap-southeast-2",
        "ca-central-1",
        "cn-north-1",
        "cn-northwest-1",
        "eu-central-1",
        "eu-north-1",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-west-1",
        "us-west-2"
      ]
    }
  ]
}

AWS > SageMaker > Domain > Tags

Determine the action to take when an AWS SageMaker domain tags are not updated based on the AWS > SageMaker > Domain > Tags > * policies.

The control ensure AWS SageMaker domain tags include tags defined in AWS > SageMaker > Domain > Tags > Template.

Tags not defined in Domain Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/domainTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

AWS > SageMaker > Domain > Tags > Template

The template is used to generate the keys and values for AWS SageMaker domain.

Tags not defined in Domain Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/domainTagsTemplate

Category

AWS > SageMaker > Domain > Tags

Parent

Targets

Default Template Input

[
  "{\n  account {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

AWS > SageMaker > Enabled

Configure whether the AWS SageMaker service is enabled. This will only affect Turbot managed User Roles and will allow the Turbot managed user to access AWS SageMaker service.

Enabled policy allows Turbot managed users to perform all the actions for the service
Enabled: Metadata Only policy allows Turbot managed users to perform only the metadata level actions for the service (like describe*, list*)

Note:

Disabled policy disables the service but does NOT disable the API for Turbot or SuperUsers
All the resource data stored in the Turbot CMDB is considered to be metadata
For more information related to permissions and grant levels, please check the documentation

URI

tmod:@turbot/aws-sagemaker#/policy/types/sageMakerEnabled

Category

Parent

Targets

Valid Value

[
  "Enabled",
  "Enabled: Metadata Only",
  "Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Enabled",
    "Enabled: Metadata Only",
    "Disabled"
  ],
  "example": [
    "Enabled"
  ],
  "default": "Disabled"
}

AWS > SageMaker > Endpoint > Active

Determine the action to take when an AWS SageMaker endpoint, based on the AWS > SageMaker > Endpoint > Active > * policies.

The Active control checks the status of all defined Active policies for the resource (AWS > SageMaker > Endpoint > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > SageMaker > Endpoint > Active > Age

The age after which the AWS SageMaker endpoint is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointActiveAge

Category

AWS > SageMaker > Endpoint > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Endpoint > Active > Last Modified

The number of days since the AWS SageMaker endpoint was last modified before it is considered inactive.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointActiveLastModified

Category

AWS > SageMaker > Endpoint > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Endpoint > Approved

Determine the action to take when an AWS SageMaker endpoint is not approved based on AWS > SageMaker > Endpoint > Approved > * policies.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > SageMaker > Endpoint > Approved > Regions

A list of AWS regions in which AWS SageMaker endpoints are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS SageMaker endpoint is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > SageMaker > Endpoint > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointApprovedRegions

Category

AWS > SageMaker > Endpoint > Approved

Parent

Targets

Default Template Input

"{\n  regions: policy(uri: \"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerApprovedRegionsDefault\")\n}\n"

Default Template

"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Endpoint > Approved > Usage

Determine whether the AWS SageMaker endpoint is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS SageMaker endpoint is not approved, it will be subject to the action specified in the AWS > SageMaker > Endpoint > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointApprovedUsage

Category

AWS > SageMaker > Endpoint > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if AWS > SageMaker > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > SageMaker > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > SageMaker > Enabled"
}

AWS > SageMaker > Endpoint > CMDB

Configure whether to record and synchronize details for the AWS SageMaker endpoint into the CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > SageMaker > Endpoint > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > SageMaker > Endpoint > Regions

A list of AWS regions in which AWS SageMaker endpoints are supported for use.

Any endpoints in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Endpoint > Tags

Determine the action to take when an AWS SageMaker endpoint tags are not updated based on the AWS > SageMaker > Endpoint > Tags > * policies.

The control ensure AWS SageMaker endpoint tags include tags defined in AWS > SageMaker > Endpoint > Tags > Template.

Tags not defined in Endpoint Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

AWS > SageMaker > Endpoint > Tags > Template

The template is used to generate the keys and values for AWS SageMaker endpoint.

Tags not defined in Endpoint Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointTagsTemplate

Category

AWS > SageMaker > Endpoint > Tags

Parent

Targets

Default Template Input

[
  "{\n  account {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

AWS > SageMaker > Endpoint Configuration > Active

Determine the action to take when an AWS SageMaker endpoint configuration, based on the AWS > SageMaker > Endpoint Configuration > Active > * policies.

The Active control checks the status of all defined Active policies for the resource (AWS > SageMaker > Endpoint Configuration > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointConfigActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > SageMaker > Endpoint Configuration > Active > Age

The age after which the AWS SageMaker endpoint configuration is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointConfigActiveAge

Category

AWS > SageMaker > Endpoint Configuration > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Endpoint Configuration > Active > Last Modified

The number of days since the AWS SageMaker endpoint configuration was last modified before it is considered inactive.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointConfigActiveLastModified

Category

AWS > SageMaker > Endpoint Configuration > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Endpoint Configuration > Approved

Determine the action to take when an AWS SageMaker endpoint configuration is not approved based on AWS > SageMaker > Endpoint Configuration > Approved > * policies.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointConfigApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > SageMaker > Endpoint Configuration > Approved > Regions

A list of AWS regions in which AWS SageMaker endpoint configurations are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS SageMaker endpoint configuration is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > SageMaker > Endpoint Configuration > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointConfigApprovedRegions

Category

AWS > SageMaker > Endpoint Configuration > Approved

Parent

Targets

Default Template Input

"{\n  regions: policy(uri: \"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerApprovedRegionsDefault\")\n}\n"

Default Template

"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Endpoint Configuration > Approved > Usage

Determine whether the AWS SageMaker endpoint configuration is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS SageMaker endpoint configuration is not approved, it will be subject to the action specified in the AWS > SageMaker > Endpoint Configuration > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointConfigApprovedUsage

Category

AWS > SageMaker > Endpoint Configuration > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if AWS > SageMaker > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > SageMaker > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > SageMaker > Enabled"
}

AWS > SageMaker > Endpoint Configuration > CMDB

Configure whether to record and synchronize details for the AWS SageMaker endpoint configuration into the CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > SageMaker > Endpoint Configuration > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointConfigCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > SageMaker > Endpoint Configuration > Regions

A list of AWS regions in which AWS SageMaker endpoint configurations are supported for use.

Any endpoint configurations in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointConfigRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Endpoint Configuration > Tags

Determine the action to take when an AWS SageMaker endpoint configuration tags are not updated based on the AWS > SageMaker > Endpoint Configuration > Tags > * policies.

The control ensure AWS SageMaker endpoint configuration tags include tags defined in AWS > SageMaker > Endpoint Configuration > Tags > Template.

Tags not defined in Endpoint Configuration Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointConfigTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

AWS > SageMaker > Endpoint Configuration > Tags > Template

The template is used to generate the keys and values for AWS SageMaker endpoint configuration.

Tags not defined in Endpoint Configuration Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/endpointConfigTagsTemplate

Category

AWS > SageMaker > Endpoint Configuration > Tags

Parent

Targets

Default Template Input

[
  "{\n  account {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

AWS > SageMaker > Lifecycle Configuration > Active

Determine the action to take when an AWS SageMaker lifecycle configuration, based on the AWS > SageMaker > Lifecycle Configuration > Active > * policies.

The Active control checks the status of all defined Active policies for the resource (AWS > SageMaker > Lifecycle Configuration > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/lifecycleConfigurationActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > SageMaker > Lifecycle Configuration > Active > Age

The age after which the AWS SageMaker lifecycle configuration is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/lifecycleConfigurationActiveAge

Category

AWS > SageMaker > Lifecycle Configuration > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Lifecycle Configuration > Active > Last Modified

The number of days since the AWS SageMaker lifecycle configuration was last modified before it is considered inactive.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/lifecycleConfigurationActiveLastModified

Category

AWS > SageMaker > Lifecycle Configuration > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Lifecycle Configuration > Approved

Determine the action to take when an AWS SageMaker lifecycle configuration is not approved based on AWS > SageMaker > Lifecycle Configuration > Approved > * policies.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/lifecycleConfigurationApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > SageMaker > Lifecycle Configuration > Approved > Regions

A list of AWS regions in which AWS SageMaker lifecycle configurations are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS SageMaker lifecycle configuration is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > SageMaker > Lifecycle Configuration > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/lifecycleConfigurationApprovedRegions

Category

AWS > SageMaker > Lifecycle Configuration > Approved

Parent

Targets

Default Template Input

"{\n  regions: policy(uri: \"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerApprovedRegionsDefault\")\n}\n"

Default Template

"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Lifecycle Configuration > Approved > Usage

Determine whether the AWS SageMaker lifecycle configuration is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS SageMaker lifecycle configuration is not approved, it will be subject to the action specified in the AWS > SageMaker > Lifecycle Configuration > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/lifecycleConfigurationApprovedUsage

Category

AWS > SageMaker > Lifecycle Configuration > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if AWS > SageMaker > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > SageMaker > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > SageMaker > Enabled"
}

AWS > SageMaker > Lifecycle Configuration > CMDB

Configure whether to record and synchronize details for the AWS SageMaker lifecycle configuration into the CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > SageMaker > Lifecycle Configuration > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/aws-sagemaker#/policy/types/lifecycleConfigurationCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > SageMaker > Lifecycle Configuration > Regions

A list of AWS regions in which AWS SageMaker lifecycle configurations are supported for use.

Any lifecycle configurations in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI

tmod:@turbot/aws-sagemaker#/policy/types/lifecycleConfigurationRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Model > Active

Determine the action to take when an AWS SageMaker model, based on the AWS > SageMaker > Model > Active > * policies.

The Active control checks the status of all defined Active policies for the resource (AWS > SageMaker > Model > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/modelActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > SageMaker > Model > Active > Age

The age after which the AWS SageMaker model is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/modelActiveAge

Category

AWS > SageMaker > Model > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Model > Active > Last Modified

The number of days since the AWS SageMaker model was last modified before it is considered inactive.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/modelActiveLastModified

Category

AWS > SageMaker > Model > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Model > Approved

Determine the action to take when an AWS SageMaker model is not approved based on AWS > SageMaker > Model > Approved > * policies.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/modelApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > SageMaker > Model > Approved > Regions

A list of AWS regions in which AWS SageMaker models are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS SageMaker model is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > SageMaker > Model > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/modelApprovedRegions

Category

AWS > SageMaker > Model > Approved

Parent

Targets

Default Template Input

"{\n  regions: policy(uri: \"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerApprovedRegionsDefault\")\n}\n"

Default Template

"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Model > Approved > Usage

Determine whether the AWS SageMaker model is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS SageMaker model is not approved, it will be subject to the action specified in the AWS > SageMaker > Model > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/modelApprovedUsage

Category

AWS > SageMaker > Model > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if AWS > SageMaker > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > SageMaker > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > SageMaker > Enabled"
}

AWS > SageMaker > Model > CMDB

Configure whether to record and synchronize details for the AWS SageMaker model into the CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > SageMaker > Model > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/aws-sagemaker#/policy/types/modelCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > SageMaker > Model > Regions

A list of AWS regions in which AWS SageMaker models are supported for use.

Any models in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI

tmod:@turbot/aws-sagemaker#/policy/types/modelRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Model > Tags

Determine the action to take when an AWS SageMaker model tags are not updated based on the AWS > SageMaker > Model > Tags > * policies.

The control ensure AWS SageMaker model tags include tags defined in AWS > SageMaker > Model > Tags > Template.

Tags not defined in Model Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/modelTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

AWS > SageMaker > Model > Tags > Template

The template is used to generate the keys and values for AWS SageMaker model.

Tags not defined in Model Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/modelTagsTemplate

Category

AWS > SageMaker > Model > Tags

Parent

Targets

Default Template Input

[
  "{\n  account {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

AWS > SageMaker > Notebook Instance > Active

Determine the action to take when an AWS SageMaker notebook instance, based on the AWS > SageMaker > Notebook Instance > Active > * policies.

The Active control checks the status of all defined Active policies for the resource (AWS > SageMaker > Notebook Instance > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/notebookInstanceActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Stop and delete inactive with 1 day warning",
  "Enforce: Stop and delete inactive with 3 days warning",
  "Enforce: Stop and delete inactive with 7 days warning",
  "Enforce: Stop and delete inactive with 14 days warning",
  "Enforce: Stop and delete inactive with 30 days warning",
  "Enforce: Stop and delete inactive with 60 days warning",
  "Enforce: Stop and delete inactive with 90 days warning",
  "Enforce: Stop and delete inactive with 180 days warning",
  "Enforce: Stop and delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Stop and delete inactive with 1 day warning",
    "Enforce: Stop and delete inactive with 3 days warning",
    "Enforce: Stop and delete inactive with 7 days warning",
    "Enforce: Stop and delete inactive with 14 days warning",
    "Enforce: Stop and delete inactive with 30 days warning",
    "Enforce: Stop and delete inactive with 60 days warning",
    "Enforce: Stop and delete inactive with 90 days warning",
    "Enforce: Stop and delete inactive with 180 days warning",
    "Enforce: Stop and delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > SageMaker > Notebook Instance > Active > Age

The age after which the AWS SageMaker notebook instance is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/notebookInstanceActiveAge

Category

AWS > SageMaker > Notebook Instance > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Notebook Instance > Active > Budget

The impact of the budget state on the active control. This policy allows you to force notebookInstances to inactive based on the current budget state, as reflected in AWS > Account > Budget > State

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/notebookInstanceActiveBudget

Category

AWS > SageMaker > Notebook Instance > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if Budget > State is Over or higher",
  "Force inactive if Budget > State is Critical or higher",
  "Force inactive if Budget > State is Shutdown"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if Budget > State is Over or higher",
    "Force inactive if Budget > State is Critical or higher",
    "Force inactive if Budget > State is Shutdown"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > SageMaker > Notebook Instance > Active > Last Modified

The number of days since the AWS SageMaker notebook instance was last modified before it is considered inactive.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/notebookInstanceActiveLastModified

Category

AWS > SageMaker > Notebook Instance > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Notebook Instance > Approved

Determine the action to take when an AWS SageMaker notebook instance is not approved based on AWS > SageMaker > Notebook Instance > Approved > * policies.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/notebookInstanceApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Stop unapproved",
  "Enforce: Stop unapproved if new",
  "Enforce: Stop and delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Stop unapproved",
    "Enforce: Stop unapproved if new",
    "Enforce: Stop and delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > SageMaker > Notebook Instance > Approved > Budget

The policy allows you to set notebook instances to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State

This policy will be evaluated by the Approved control. If an AWS SageMaker notebook instance is not matched by the approved list, it will be subject to the action specified in the AWS > SageMaker > Notebook Instance > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/notebookInstanceApprovedBudget

Category

AWS > SageMaker > Notebook Instance > Approved

Parent

Targets

Valid Value

[
  "Skip",
  "Unapproved if Budget > State is Over or higher",
  "Unapproved if Budget > State is Critical or higher",
  "Unapproved if Budget > State is Shutdown"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Unapproved if Budget > State is Over or higher",
    "Unapproved if Budget > State is Critical or higher",
    "Unapproved if Budget > State is Shutdown"
  ],
  "example": [
    "Unapproved if Budget > State is Shutdown"
  ],
  "default": "Skip"
}

AWS > SageMaker > Notebook Instance > Approved > Regions

A list of AWS regions in which AWS SageMaker notebook instances are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS SageMaker notebook instance is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > SageMaker > Notebook Instance > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/notebookInstanceApprovedRegions

Category

AWS > SageMaker > Notebook Instance > Approved

Parent

Targets

Default Template Input

"{\n  regions: policy(uri: \"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerApprovedRegionsDefault\")\n}\n"

Default Template

"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Notebook Instance > Approved > Usage

Determine whether the AWS SageMaker notebook instance is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS SageMaker notebook instance is not approved, it will be subject to the action specified in the AWS > SageMaker > Notebook Instance > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/notebookInstanceApprovedUsage

Category

AWS > SageMaker > Notebook Instance > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if AWS > SageMaker > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > SageMaker > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > SageMaker > Enabled"
}

AWS > SageMaker > Notebook Instance > CMDB

Configure whether to record and synchronize details for the AWS SageMaker notebook instance into the CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > SageMaker > Notebook Instance > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/aws-sagemaker#/policy/types/notebookInstanceCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > SageMaker > Notebook Instance > Regions

A list of AWS regions in which AWS SageMaker notebook instances are supported for use.

Any notebook instances in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI

tmod:@turbot/aws-sagemaker#/policy/types/notebookInstanceRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Notebook Instance > Tags

Determine the action to take when an AWS SageMaker notebook instance tags are not updated based on the AWS > SageMaker > Notebook Instance > Tags > * policies.

The control ensure AWS SageMaker notebook instance tags include tags defined in AWS > SageMaker > Notebook Instance > Tags > Template.

Tags not defined in Notebook Instance Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/notebookInstanceTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

AWS > SageMaker > Notebook Instance > Tags > Template

The template is used to generate the keys and values for AWS SageMaker notebook instance.

Tags not defined in Notebook Instance Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/notebookInstanceTagsTemplate

Category

AWS > SageMaker > Notebook Instance > Tags

Parent

Targets

Default Template Input

[
  "{\n  account {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

AWS > SageMaker > Notebook Instance > Usage

Configure the number of AWS SageMaker notebook instances that can be used for this account and the current consumption against the limit.

You can configure the behavior of the control with this AWS > SageMaker > Notebook Instance > Usage policy.

URI

tmod:@turbot/aws-sagemaker#/policy/types/notebookInstanceUsage

Category

Resource > Usage

Parent

Targets

AWS > SageMaker > Notebook Instance > Usage

Valid Value

[
  "Skip",
  "Check: Usage <= 85% of Limit",
  "Check: Usage <= 100% of Limit"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Usage <= 85% of Limit",
    "Check: Usage <= 100% of Limit"
  ],
  "example": [
    "Check: Usage <= 85% of Limit"
  ],
  "default": "Skip"
}

AWS > SageMaker > Notebook Instance > Usage > Limit

Maximum number of items that can be created for this account.

URI

tmod:@turbot/aws-sagemaker#/policy/types/notebookInstanceUsageLimit

Category

Resource > Usage

Parent

Targets

Schema

{
  "type": "integer",
  "minimum": 0,
  "default": 20
}

AWS > SageMaker > Permissions

Configure whether permissions policies are in effect for AWS SageMaker.

This setting does not affect account level permissions (AWS/Admin, AWS/Owner, etc)

Note: The behavior of this policy depends on the value of AWS > Permissions.

URI

tmod:@turbot/aws-sagemaker#/policy/types/sageMakerPermissions

Category

Parent

Targets

Valid Value

[
  "Enabled",
  "Disabled",
  "Enabled if AWS > SageMaker > Enabled & AWS > SageMaker > API Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Enabled",
    "Disabled",
    "Enabled if AWS > SageMaker > Enabled & AWS > SageMaker > API Enabled"
  ],
  "example": [
    "Enabled"
  ],
  "default": "Enabled if AWS > SageMaker > Enabled & AWS > SageMaker > API Enabled"
}

AWS > SageMaker > Permissions > Levels

Define the permissions levels that can be used to grant access to an AWS account. Permissions levels defined will appear in the UI to assign access to Turbot users. This policy provides a default for Permissions > Levels in each service, however you can explicitly override the setting for each service if desired

URI

tmod:@turbot/aws-sagemaker#/policy/types/sageMakerPermissionsLevels

Category

AWS > SageMaker > Permissions

Parent

Targets

Default Template Input

[
  "{\n  item: account {\n    turbot{\n      id\n    }\n  }\n}\n",
  "{\n  availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/aws-iam#/policy/types/permissionsLevelsDefault'\") {\n    items {\n      value\n    }\n  }\n}\n"
]

Default Template

"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"

Schema

{
  "type": "array",
  "items": {
    "type": "string",
    "enum": [
      "Metadata",
      "ReadOnly",
      "Operator",
      "Admin",
      "Owner"
    ]
  }
}

AWS > SageMaker > Permissions > Levels > Modifiers

A map of AWS API to Turbot Permission Level used to customize Turbot's standard permissions. You can add, remove or redefine the mapping of AWS API operations to Turbot permissions levels here.

Note: Modifiers are cumulative - if you add a permission to the Metadata level, it is also added to ReadOnly, Operator and Admin. Modifier policies set here apply ONLY to the AWS level

example:
  - &quot;glacier:createvault&quot;: admin
  - &quot;glacier:ListVaults&quot;: metadata
  - &quot;s3:DeleteBucket&quot;: none

URI

tmod:@turbot/aws-sagemaker#/policy/types/sageMakerPermissionsLevelsModifiers

Category

AWS > SageMaker > Permissions > Levels

Parent

Targets

aws-iam#/definitions/awsModifierList

Schema

AWS > SageMaker > Permissions > Lockdown

URI

tmod:@turbot/aws-sagemaker#/policy/types/sageMakerPermissionsLockdown

Category

AWS > SageMaker > Permissions

Parent

Targets

AWS > SageMaker > Permissions > Lockdown > API Boundary

Configure whether the AWS sageMaker API is enabled for all users and roles in turbot-managed boundary policies.

Note: Disabling the service disables the API for ALL users and roles, and Turbot will have no access to the API.

URI

tmod:@turbot/aws-sagemaker#/policy/types/sageMakerPermissionsLockdownApiBoundary

Category

AWS > SageMaker > Permissions > Lockdown

Parent

Targets

Valid Value

[
  "Enabled if AWS > SageMaker > API Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Enabled if AWS > SageMaker > API Enabled"
  ],
  "example": [
    "Enabled if AWS > SageMaker > API Enabled"
  ],
  "default": "Enabled if AWS > SageMaker > API Enabled"
}

AWS > SageMaker > Regions

A list of AWS regions in which AWS SageMaker resources are supported for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy is the default value for all AWS SageMaker resources' Regions policies.

URI

tmod:@turbot/aws-sagemaker#/policy/types/sageMakerRegionsDefault

Category

Parent

Targets

Schema

{
  "allOf": [
    {
      "$ref": "aws#/definitions/regionNameMatcherList"
    },
    {
      "default": [
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-south-1",
        "ap-southeast-1",
        "ap-southeast-2",
        "ca-central-1",
        "cn-north-1",
        "cn-northwest-1",
        "eu-central-1",
        "eu-north-1",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-gov-west-1",
        "us-west-1",
        "us-west-2"
      ]
    }
  ]
}

AWS > SageMaker > Tags Template [Default]

A template used to generate the keys and values for AWS SageMaker resources.

By default, all SageMaker resource Tags > Template policies will use this value.

URI

tmod:@turbot/aws-sagemaker#/policy/types/sageMakerTagsTemplate

Category

Parent

Targets

Default Template Input

"{\n  defaultTags: policyValue(uri:\"tmod:@turbot/aws#/policy/types/defaultTagsTemplate\") {\n    value\n  }\n}\n"

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

AWS > SageMaker > Training Job > Active

Determine the action to take when an AWS SageMaker training job, based on the AWS > SageMaker > Training Job > Active > * policies.

The Active control checks the status of all defined Active policies for the resource (AWS > SageMaker > Training Job > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/trainingJobActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > SageMaker > Training Job > Active > Age

The age after which the AWS SageMaker training job is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/trainingJobActiveAge

Category

AWS > SageMaker > Training Job > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Training Job > Active > Last Modified

The number of days since the AWS SageMaker training job was last modified before it is considered inactive.

See Active for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/trainingJobActiveLastModified

Category

AWS > SageMaker > Training Job > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > SageMaker > Training Job > Approved

Determine the action to take when an AWS SageMaker training job is not approved based on AWS > SageMaker > Training Job > Approved > * policies.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/trainingJobApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > SageMaker > Training Job > Approved > Regions

A list of AWS regions in which AWS SageMaker training jobs are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS SageMaker training job is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > SageMaker > Training Job > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/trainingJobApprovedRegions

Category

AWS > SageMaker > Training Job > Approved

Parent

Targets

Default Template Input

"{\n  regions: policy(uri: \"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerApprovedRegionsDefault\")\n}\n"

Default Template

"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Training Job > Approved > Usage

Determine whether the AWS SageMaker training job is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS SageMaker training job is not approved, it will be subject to the action specified in the AWS > SageMaker > Training Job > Approved policy.

See Approved for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/trainingJobApprovedUsage

Category

AWS > SageMaker > Training Job > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if AWS > SageMaker > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > SageMaker > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > SageMaker > Enabled"
}

AWS > SageMaker > Training Job > CMDB

Configure whether to record and synchronize details for the AWS SageMaker training job into the CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > SageMaker > Training Job > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/aws-sagemaker#/policy/types/trainingJobCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > SageMaker > Training Job > Regions

A list of AWS regions in which AWS SageMaker training jobs are supported for use.

Any training jobs in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI

tmod:@turbot/aws-sagemaker#/policy/types/trainingJobRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"

Schema

AWS > SageMaker > Training Job > Tags

Determine the action to take when an AWS SageMaker training job tags are not updated based on the AWS > SageMaker > Training Job > Tags > * policies.

The control ensure AWS SageMaker training job tags include tags defined in AWS > SageMaker > Training Job > Tags > Template.

Tags not defined in Training Job Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/trainingJobTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

AWS > SageMaker > Training Job > Tags > Template

The template is used to generate the keys and values for AWS SageMaker training job.

Tags not defined in Training Job Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/aws-sagemaker#/policy/types/trainingJobTagsTemplate

Category

AWS > SageMaker > Training Job > Tags

Parent

Targets

Default Template Input

[
  "{\n  account {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/aws-sagemaker#/policy/types/sageMakerTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

AWS > Turbot > Event Handlers > Events > Rules > Event Sources

AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-sagemaker

AWS SageMaker CloudWatch Events event sources for the Turbot Event Handlers.

URI

tmod:@turbot/aws-sagemaker#/policy/types/sageMakerEventSources

Category

Resource > Configured

Parent

Targets

Schema

{
  "type": "array",
  "items": {
    "type": "string"
  },
  "default": [
    "aws.sagemaker"
  ]
}

AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-sagemaker

A read-only policy generated by Turbot that lists the APIs that should be added to the turbot-managed (hard) boundary policy, thereby enabling them to be assigned to users and roles. This value will change depending on the value of the value of the AWS > SageMaker > Permissions > Lockdown > API Boundary policy

URI

tmod:@turbot/aws-sagemaker#/policy/types/awsCompiledApiBoundary

Category

AWS > Turbot > Permissions > Compiled > API Boundary

Parent

Targets

Schema

{
  "type": "array"
}

AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-sagemaker

A calculated policy that Turbot uses to create a compiled list of ALL permissions for AWS SageMaker that is used as input to the stack that manages the Turbot IAM permissions objects.

URI

tmod:@turbot/aws-sagemaker#/policy/types/awsLevelsCompiled

Category

AWS > Turbot > Permissions > Compiled > Levels

Parent

Targets

aws-iam#/definitions/awsLevelDefinitionList

Schema

AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-sagemaker

A calculated policy that Turbot uses to create a compiled list of ALL permissions for AWS SageMaker that is used as input to the control that manages the IAM stack.

URI

tmod:@turbot/aws-sagemaker#/policy/types/awsCompiledServicePermissions

Category

AWS > Turbot > Permissions > Compiled > Service Permissions

Parent

Targets