Product logo
DocsBlogPricing

Control types for @turbot/aws-ssm

AWS > SSM > Association > Active

Take an action when an AWS SSM association is not active based on the AWS > SSM > Association > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > SSM > Association > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ssm#/control/types/associationActive
Parent
Category
Targets

AWS > SSM > Association > Approved

Take an action when an AWS SSM association is not approved based on AWS > SSM > Association > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-ssm#/control/types/associationApproved
Parent
Category
Targets

AWS > SSM > Association > CMDB

Record and synchronize details for the AWS SSM association into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > SSM > Association > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

URI
tmod:@turbot/aws-ssm#/control/types/associationCmdb
Parent
Category
Targets

AWS > SSM > Association > Configured

Maintain AWS > SSM > Association configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.

URI
tmod:@turbot/aws-ssm#/control/types/associationConfigured
Parent
Category
Targets

AWS > SSM > Association > Discovery

Discover all AWS SSM association resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > SSM > Association > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/aws-ssm#/control/types/associationDiscovery
Parent
Category
Targets

AWS > SSM > Association > Usage

The Usage control determines whether the number of AWS SSM association resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > SSM > Association > Usage policy, and set the limit with the AWS > SSM > Association > Usage > Limit policy.

URI
tmod:@turbot/aws-ssm#/control/types/associationUsage
Parent
Category
Targets

AWS > SSM > Document > Active

Take an action when an AWS SSM document is not active based on the AWS > SSM > Document > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > SSM > Document > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ssm#/control/types/documentActive
Parent
Category
Targets

AWS > SSM > Document > Approved

Take an action when an AWS SSM document is not approved based on AWS > SSM > Document > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-ssm#/control/types/documentApproved
Parent
Category
Targets

AWS > SSM > Document > CMDB

Record and synchronize details for the AWS SSM document into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > SSM > Document > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

URI
tmod:@turbot/aws-ssm#/control/types/documentCmdb
Parent
Category
Targets

AWS > SSM > Document > Configured

Maintain AWS > SSM > Document configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.

URI
tmod:@turbot/aws-ssm#/control/types/documentConfigured
Parent
Category
Targets

AWS > SSM > Document > Discovery

Discover all AWS SSM document resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > SSM > Document > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/aws-ssm#/control/types/documentDiscovery
Parent
Category
Targets

AWS > SSM > Document > Tags

Take an action when an AWS SSM document tags is not updated based on the AWS > SSM > Document > Tags > * policies.

If the resource is not updated with the tags defined in AWS > SSM > Document > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-ssm#/control/types/documentTags
Parent
Category
Targets

AWS > SSM > Document > Usage

The Usage control determines whether the number of AWS SSM document resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > SSM > Document > Usage policy, and set the limit with the AWS > SSM > Document > Usage > Limit policy.

URI
tmod:@turbot/aws-ssm#/control/types/documentUsage
Parent
Category
Targets

AWS > SSM > Inventory Management

Configure the set of resources in a Turbot stack per the Inventory Association policy.

URI
tmod:@turbot/aws-ssm#/control/types/inventoryManagement
Parent
Category
Targets

AWS > SSM > Maintenance Window > Active

Take an action when an AWS SSM maintenance window is not active based on the AWS > SSM > Maintenance Window > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > SSM > Maintenance Window > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ssm#/control/types/maintenanceWindowActive
Parent
Category
Targets

AWS > SSM > Maintenance Window > Approved

Take an action when an AWS SSM maintenance window is not approved based on AWS > SSM > Maintenance Window > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-ssm#/control/types/maintenanceWindowApproved
Parent
Category
Targets

AWS > SSM > Maintenance Window > CMDB

Record and synchronize details for the AWS SSM maintenance window into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > SSM > Maintenance Window > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

URI
tmod:@turbot/aws-ssm#/control/types/maintenanceWindowCmdb
Parent
Category
Targets

AWS > SSM > Maintenance Window > Configured

Maintain AWS > SSM > Maintenance Window configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.

URI
tmod:@turbot/aws-ssm#/control/types/maintenanceWindowConfigured
Parent
Category
Targets

AWS > SSM > Maintenance Window > Discovery

Discover all AWS SSM maintenance window resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > SSM > Maintenance Window > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/aws-ssm#/control/types/maintenanceWindowDiscovery
Parent
Category
Targets

AWS > SSM > Maintenance Window > Tags

Take an action when an AWS SSM maintenance window tags is not updated based on the AWS > SSM > Maintenance Window > Tags > * policies.

If the resource is not updated with the tags defined in AWS > SSM > Maintenance Window > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-ssm#/control/types/maintenanceWindowTags
Parent
Category
Targets

AWS > SSM > Maintenance Window > Usage

The Usage control determines whether the number of AWS SSM maintenance window resources exceeds the configured usage limit for this account.

You can configure the behavior of this control with the AWS > SSM > Maintenance Window > Usage policy, and set the limit with the AWS > SSM > Maintenance Window > Usage > Limit policy.

URI
tmod:@turbot/aws-ssm#/control/types/maintenanceWindowUsage
Parent
Category
Targets

AWS > SSM > Managed Instance > CMDB

Record and synchronize details for the AWS SSM managed instance into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > SSM > Managed Instance > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

This control will automatically re-run every 24 hours because AWS does not currently support real-time events for all properties of this resource type.

URI
tmod:@turbot/aws-ssm#/control/types/managedInstanceCmdb
Parent
Category
Targets

AWS > SSM > Managed Instance > Discovery

Discover all AWS SSM managed instance resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > SSM > Managed Instance > Regions policy, the CMDB control will delete the resource from the CMDB.

This control will automatically re-run every 24 hours because AWS does not currently support real-time events for all properties of this resource type.

URI
tmod:@turbot/aws-ssm#/control/types/managedInstanceDiscovery
Parent
Category
Targets

AWS > SSM > Parameter > Active

Take an action when an AWS SSM parameter is not active based on the AWS > SSM > Parameter > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > SSM > Parameter > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-ssm#/control/types/ssmParameterActive
Parent
Category
Targets

AWS > SSM > Parameter > Approved

Take an action when an AWS SSM parameter is not approved based on AWS > SSM > Parameter > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-ssm#/control/types/ssmParameterApproved
Parent
Category
Targets

AWS > SSM > Parameter > CMDB

Record and synchronize details for the AWS SSM parameter into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > SSM > Parameter > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

URI
tmod:@turbot/aws-ssm#/control/types/ssmParameterCmdb
Parent
Category
Targets

AWS > SSM > Parameter > Discovery

Discover all AWS SSM parameter resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > SSM > Parameter > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/aws-ssm#/control/types/ssmParameterDiscovery
Parent
Category
Targets

AWS > SSM > Parameter > Encryption at Rest

Define the Encryption at Rest settings required for AWS > SSM > Parameter.

Encryption at Rest refers specifically to the encryption of data when written to an underlying storage system. This control determines whether the resource is encrypted at rest, and sets encryption to your desired level.

The Encryption at Rest control compares the encryption settings against the encryption policies for the resource (AWS > SSM > Parameter > Encryption at Rest > *), raises an alarm, and takes the defined enforcement action.

URI
tmod:@turbot/aws-ssm#/control/types/ssmParameterEncryptionAtRest
Parent
Category
Targets

AWS > SSM > Parameter > Tags

Take an action when an AWS SSM parameter tags is not updated based on the AWS > SSM > Parameter > Tags > * policies.

If the resource is not updated with the tags defined in AWS > SSM > Parameter > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-ssm#/control/types/ssmParameterTags
Parent
Category
Targets

AWS > SSM > Parameter > Usage

The Usage control determines whether the number of AWS SSM parameter resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > SSM > Parameter > Usage policy, and set the limit with the AWS > SSM > Parameter > Usage > Limit policy.

URI
tmod:@turbot/aws-ssm#/control/types/ssmParameterUsage
Parent
Category
Targets

AWS > SSM > Stack

Configure a custom stack on AWS, per the custom Stack > Source.

A Turbot Stack is a set of resources configured by Turbot, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.

URI
tmod:@turbot/aws-ssm#/control/types/ssmStack
Parent
Category
Targets