The aws-vpc-core mod contains resource, control and policy definitions for the AWS VPC service.
Resource Types
Resource types covered by this mod:
- AWS > VPC
- AWS > VPC > DHCP Options
- AWS > VPC > Route
- AWS > VPC > Route Table
- AWS > VPC > Subnet
- AWS > VPC > VPC
Permissions
The permissions covered by this mod, with the grant level each is assigned to:
Permission | Grant Level | Help |
---|---|---|
acm:ListCertificates | Metadata | |
ec2:AcceptTransitGatewayMulticastDomainAssociations | Admin | |
ec2:AcceptTransitGatewayPeeringAttachment | Admin | |
ec2:AcceptTransitGatewayVpcAttachment | Admin | |
ec2:AcceptVpcEndpointConnections | Whitelist | |
ec2:AcceptVpcPeeringConnection | Whitelist | |
ec2:AdvertiseByoipCidr | Admin | |
ec2:AllocateAddress | Admin | Admins can allocate new elastic IP addresses; this is considered safe as the proper routing still needs to be configured for public access. |
ec2:AllocateIpamPoolCidr | Admin | |
ec2:ApplySecurityGroupsToClientVpnTargetNetwork | Admin | |
ec2:AssociateAddress | Admin | Admins can associate elastic IP addresses; this is considered safe as the proper routing still needs to be configured for public access. |
ec2:AssociateClientVpnTargetNetwork | Admin | |
ec2:AssociateDhcpOptions | Whitelist | |
ec2:AssociateRouteTable | Whitelist | |
ec2:AssociateSubnetCidrBlock | Whitelist | |
ec2:AssociateTransitGatewayMulticastDomain | Admin | |
ec2:AssociateTransitGatewayRouteTable | Admin | |
ec2:AssociateVpcCidrBlock | Whitelist | |
ec2:AttachClassicLinkVpc | Admin | |
ec2:AttachInternetGateway | Whitelist | |
ec2:AttachVpnGateway | Whitelist | |
ec2:AuthorizeClientVpnIngress | Admin | |
ec2:AuthorizeSecurityGroupEgress | Whitelist | |
ec2:AuthorizeSecurityGroupIngress | Whitelist | |
ec2:CreateCarrierGateway | Admin | |
ec2:CreateClientVpnEndpoint | Admin | |
ec2:CreateClientVpnRoute | Admin | |
ec2:CreateCustomerGateway | Whitelist | |
ec2:CreateDefaultSubnet | Whitelist | |
ec2:CreateDefaultVpc | Whitelist | |
ec2:CreateDhcpOptions | Whitelist | |
ec2:CreateEgressOnlyInternetGateway | Whitelist | |
ec2:CreateFlowLogs | Whitelist | |
ec2:CreateInternetGateway | Whitelist | |
ec2:CreateIpam | Admin | |
ec2:CreateIpamPool | Admin | |
ec2:CreateIpamScope | Admin | |
ec2:CreateLocalGatewayRoute | Admin | |
ec2:CreateLocalGatewayRouteTableVpcAssociation | Admin | |
ec2:CreateNatGateway | Whitelist | |
ec2:CreateNetworkAcl | Whitelist | |
ec2:CreateNetworkAclEntry | Whitelist | |
ec2:CreateNetworkInsightsPath | Admin | |
ec2:CreateNetworkInsightsAccessScope | Admin | |
ec2:CreatePublicIpv4Pool | Admin | |
ec2:CreateRoute | Whitelist | |
ec2:CreateRouteTable | Whitelist | |
ec2:CreateSecurityGroup | Whitelist | |
ec2:CreateSubnet | Whitelist | |
ec2:CreateSubnetCidrReservation | Admin | |
ec2:CreateTags | Operator | Tags are low risk to manage in Turbot because accounts, not tags, are the isolation boundary. |
ec2:CreateTrafficMirrorFilter | Admin | |
ec2:CreateTrafficMirrorFilterRule | Admin | |
ec2:CreateTrafficMirrorSession | Admin | |
ec2:CreateTrafficMirrorTarget | Admin | |
ec2:CreateTransitGateway | Admin | |
ec2:CreateTransitGatewayConnect | Admin | |
ec2:CreateTransitGatewayConnectPeer | Admin | |
ec2:CreateTransitGatewayMulticastDomain | Admin | |
ec2:CreateTransitGatewayPeeringAttachment | Admin | |
ec2:CreateTransitGatewayPrefixListReference | Admin | |
ec2:CreateTransitGatewayRoute | Admin | |
ec2:CreateTransitGatewayRouteTable | Admin | |
ec2:CreateTransitGatewayVpcAttachment | Admin | |
ec2:CreateVpc | Whitelist | |
ec2:CreateVpcEndpoint | Whitelist | |
ec2:CreateVpcEndpointConnectionNotification | Whitelist | User is required to also have AWS/SNS/Operator role assigned for this action. |
ec2:CreateVpcEndpointServiceConfiguration | Whitelist | Allows cross-account access. |
ec2:CreateVpcPeeringConnection | Whitelist | |
ec2:CreateVpnConnection | Whitelist | |
ec2:CreateVpnConnectionRoute | Whitelist | |
ec2:CreateVpnGateway | Whitelist | |
ec2:DeleteCarrierGateway | Admin | |
ec2:DeleteClientVpnEndpoint | Admin | |
ec2:DeleteClientVpnRoute | Admin | |
ec2:DeleteCustomerGateway | Whitelist | |
ec2:DeleteDhcpOptions | Whitelist | |
ec2:DeleteEgressOnlyInternetGateway | Whitelist | |
ec2:DeleteFlowLogs | Whitelist | |
ec2:DeleteInternetGateway | Whitelist | |
ec2:DeleteIpam | Admin | |
ec2:DeleteIpamPool | Admin | |
ec2:DeleteIpamScope | Admin | |
ec2:DeleteLocalGatewayRoute | Admin | |
ec2:DeleteLocalGatewayRouteTableVpcAssociation | Admin | |
ec2:DeleteNatGateway | Whitelist | |
ec2:DeleteNetworkAcl | Whitelist | |
ec2:DeleteNetworkAclEntry | Whitelist | |
ec2:DeleteNetworkInsightsAnalysis | Admin | |
ec2:DeleteNetworkInsightsAccessScope | Admin | |
ec2:DeleteNetworkInsightsAccessScopeAnalysis | Admin | |
ec2:DeleteNetworkInsightsPath | Admin | |
ec2:DeletePublicIpv4Pool | Admin | |
ec2:DeleteRoute | Whitelist | |
ec2:DeleteRouteTable | Whitelist | |
ec2:DeleteSecurityGroup | Whitelist | |
ec2:DeleteSubnet | Whitelist | |
ec2:DeleteSubnetCidrReservation | Admin | |
ec2:DeleteTags | Operator | Tags are low risk to manage in Turbot because accounts, not tags, are the isolation boundary. Most deletions are denied to Operator, but deleting tags is still a low-risk management activity. |
ec2:DeleteTrafficMirrorFilter | Admin | |
ec2:DeleteTrafficMirrorFilterRule | Admin | |
ec2:DeleteTrafficMirrorSession | Admin | |
ec2:DeleteTrafficMirrorTarget | Admin | |
ec2:DeleteTransitGateway | Admin | |
ec2:DeleteTransitGatewayConnect | Admin | |
ec2:DeleteTransitGatewayConnectPeer | Admin | |
ec2:DeleteTransitGatewayMulticastDomain | Admin | |
ec2:DeleteTransitGatewayPeeringAttachment | Admin | |
ec2:DeleteTransitGatewayPrefixListReference | Admin | |
ec2:DeleteTransitGatewayRoute | Admin | |
ec2:DeleteTransitGatewayRouteTable | Admin | |
ec2:DeleteTransitGatewayVpcAttachment | Admin | |
ec2:DeleteVpc | Whitelist | |
ec2:DeleteVpcEndpointConnectionNotifications | Whitelist | User is required to also have AWS/SNS/Operator role assigned for this action. |
ec2:DeleteVpcEndpointServiceConfigurations | Whitelist | Allows cross-account access. |
ec2:DeleteVpcEndpoints | Whitelist | |
ec2:DeleteVpcPeeringConnection | Whitelist | |
ec2:DeleteVpnConnection | Whitelist | |
ec2:DeleteVpnConnectionRoute | Whitelist | |
ec2:DeleteVpnGateway | Whitelist | |
ec2:DeprovisionByoipCidr | Admin | |
ec2:DeprovisionIpamPoolCidr | Admin | |
ec2:DeprovisionPublicIpv4PoolCidr | Admin | |
ec2:DeregisterTransitGatewayMulticastGroupMembers | Admin | |
ec2:DeregisterTransitGatewayMulticastGroupSources | Admin | |
ec2:DescribeAddresses | Metadata | |
ec2:DescribeAggregateIdFormat | Metadata | |
ec2:DescribeByoipCidrs | Metadata | |
ec2:DescribeClientVpnAuthorizationRules | Metadata | |
ec2:DescribeClientVpnConnections | Metadata | |
ec2:DescribeClientVpnEndpoints | Metadata | |
ec2:DescribeClientVpnRoutes | Metadata | |
ec2:DescribeClientVpnTargetNetworks | Metadata | |
ec2:DescribeCoipPools | Metadata | |
ec2:DescribeCustomerGateways | Metadata | |
ec2:DescribeDhcpOptions | Metadata | |
ec2:DescribeEgressOnlyInternetGateways | Metadata | |
ec2:DescribeFlowLogs | Metadata | |
ec2:DescribeInternetGateways | Metadata | |
ec2:DescribeIpamPools | Metadata | |
ec2:DescribeIpamScopes | Metadata | |
ec2:DescribeIpams | Metadata | |
ec2:DescribeIpv6Pools | Metadata | |
ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations | Metadata | |
ec2:DescribeLocalGatewayRouteTableVpcAssociations | Metadata | |
ec2:DescribeLocalGatewayRouteTables | Metadata | |
ec2:DescribeLocalGatewayVirtualInterfaceGroups | Metadata | |
ec2:DescribeLocalGatewayVirtualInterfaces | Metadata | |
ec2:DescribeLocalGateways | Metadata | |
ec2:DescribeManagedPrefixLists | Metadata | |
ec2:DescribeMovingAddresses | Metadata | |
ec2:DescribeNatGateways | Metadata | |
ec2:DescribeNetworkAcls | Metadata | |
ec2:DescribeNetworkInsightsAccessScopeAnalyses | Metadata | |
ec2:DescribeNetworkInsightsAccessScopes | Metadata | |
ec2:DescribeNetworkInsightsAnalyses | Metadata | |
ec2:DescribeNetworkInsightsPaths | Metadata | |
ec2:DescribeNetworkInterfaces | Metadata | |
ec2:DescribePrefixLists | Metadata | |
ec2:DescribePrincipalIdFormat | Metadata | |
ec2:DescribePublicIpv4Pools | Metadata | |
ec2:DescribeRouteTables | Metadata | |
ec2:DescribeSecurityGroupReferences | Metadata | |
ec2:DescribeSecurityGroupRules | Metadata | |
ec2:DescribeSecurityGroups | Metadata | |
ec2:DescribeStaleSecurityGroups | Metadata | |
ec2:DescribeSubnets | Metadata | |
ec2:DescribeTags | Metadata | |
ec2:DescribeTrafficMirrorFilters | Metadata | |
ec2:DescribeTrafficMirrorSessions | Metadata | |
ec2:DescribeTrafficMirrorTargets | Metadata | |
ec2:DescribeTransitGatewayAttachments | Metadata | |
ec2:DescribeTransitGatewayConnectPeers | Metadata | |
ec2:DescribeTransitGatewayConnects | Metadata | |
ec2:DescribeTransitGatewayMulticastDomains | Metadata | |
ec2:DescribeTransitGatewayPeeringAttachments | Metadata | |
ec2:DescribeTransitGatewayRouteTables | Metadata | |
ec2:DescribeTransitGatewayVpcAttachments | Metadata | |
ec2:DescribeTransitGateways | Metadata | |
ec2:DescribeTrunkInterfaceAssociations | Metadata | |
ec2:DescribeVpcAttribute | Metadata | |
ec2:DescribeVpcClassicLink | Metadata | |
ec2:DescribeVpcClassicLinkDnsSupport | Metadata | |
ec2:DescribeVpcEndpointConnectionNotifications | Metadata | |
ec2:DescribeVpcEndpointConnections | Metadata | |
ec2:DescribeVpcEndpointServiceConfigurations | Metadata | |
ec2:DescribeVpcEndpointServicePermissions | Metadata | |
ec2:DescribeVpcEndpointServices | Metadata | |
ec2:DescribeVpcEndpoints | Metadata | |
ec2:DescribeVpcPeeringConnection | Metadata | |
ec2:DescribeVpcPeeringConnections | Metadata | |
ec2:DescribeVpcs | Metadata | |
ec2:DescribeVpnConnections | Metadata | |
ec2:DescribeVpnGateways | Metadata | |
ec2:DetachInternetGateway | Whitelist | |
ec2:DetachVpnGateway | Whitelist | |
ec2:DisableIpamOrganizationAdminAccount | Admin | |
ec2:DisableTransitGatewayRouteTablePropagation | Admin | |
ec2:DisableVgwRoutePropagation | Whitelist | |
ec2:DisableVpcClassicLink | None | EC2-Classic should not be used. |
ec2:DisableVpcClassicLinkDnsSupport | None | EC2-Classic should not be used. |
ec2:DisassociateAddress | Admin | Admins can disassociate elastic IP addresses. |
ec2:DisassociateClientVpnTargetNetwork | Admin | |
ec2:DisassociateRouteTable | Whitelist | |
ec2:DisassociateSubnetCidrBlock | Whitelist | |
ec2:DisassociateTransitGatewayRouteTable | Admin | |
ec2:DisassociateVpcCidrBlock | Whitelist | |
ec2:DisassociateTransitGatewayMulticastDomain | Admin | |
ec2:EnableIpamOrganizationAdminAccount | Admin | |
ec2:EnableTransitGatewayRouteTablePropagation | Admin | |
ec2:EnableVgwRoutePropagation | Whitelist | |
ec2:EnableVpcClassicLink | None | EC2-Classic should not be used. |
ec2:EnableVpcClassicLinkDnsSupport | None | EC2-Classic should not be used. |
ec2:ExportClientVpnClientCertificateRevocationList | Admin | |
ec2:ExportClientVpnClientConfiguration | Admin | |
ec2:ExportTransitGatewayRoutes | Admin | |
ec2:GetAssociatedIpv6PoolCidrs | Metadata | |
ec2:GetCapacityReservationUsage | Metadata | |
ec2:GetCoipPoolUsage | Metadata | |
ec2:GetFlowLogsIntegrationTemplate | Metadata | |
ec2:GetIpamAddressHistory | Metadata | |
ec2:GetIpamPoolAllocations | Metadata | |
ec2:GetIpamPoolCidrs | Metadata | |
ec2:GetIpamResourceCidrs | Metadata | |
ec2:GetManagedPrefixListAssociations | Metadata | |
ec2:GetManagedPrefixListEntries | Metadata | |
ec2:GetNetworkInsightsAccessScopeAnalysisFindings | Metadata | |
ec2:GetNetworkInsightsAccessScopeContent | Metadata | |
ec2:GetSubnetCidrReservations | Metadata | |
ec2:GetTransitGatewayAttachmentPropagations | Metadata | |
ec2:GetTransitGatewayMulticastDomainAssociations | Metadata | |
ec2:GetTransitGatewayPrefixListReferences | Metadata | |
ec2:GetTransitGatewayRouteTableAssociations | Metadata | |
ec2:GetTransitGatewayRouteTablePropagations | Metadata | |
ec2:GetVpnConnectionDeviceSampleConfiguration | Metadata | |
ec2:GetVpnConnectionDeviceTypes | Metadata | |
ec2:ImportClientVpnClientCertificateRevocationList | Admin | |
ec2:ModifyAddressAttribute | Admin | |
ec2:ModifyCapacityReservation | Admin | |
ec2:ModifyClientVpnEndpoint | Admin | |
ec2:ModifyIpam | Admin | |
ec2:ModifyIpamPool | Admin | |
ec2:ModifyIpamResourceCidr | Admin | |
ec2:ModifyIpamScope | Admin | |
ec2:ModifyManagedPrefixList | Admin | |
ec2:ModifySecurityGroupRules | Whitelist | |
ec2:ModifySubnetAttribute | Whitelist | |
ec2:ModifyTrafficMirrorFilterNetworkServices | Admin | |
ec2:ModifyTrafficMirrorFilterRule | Admin | |
ec2:ModifyTrafficMirrorSession | Admin | |
ec2:ModifyTransitGateway | Admin | |
ec2:ModifyTransitGatewayPrefixListReference | Admin | |
ec2:ModifyTransitGatewayVpcAttachment | Admin | |
ec2:ModifyVpcAttribute | Whitelist | |
ec2:ModifyVpcEndpoint | Whitelist | |
ec2:ModifyVpcEndpointConnectionNotification | Whitelist | User is required to also have AWS/SNS/Operator role assigned for this action. |
ec2:ModifyVpcEndpointServiceConfiguration | Whitelist | Allows cross-account access. |
ec2:ModifyVpcEndpointServicePermissions | Whitelist | Allows cross-account access. |
ec2:ModifyVpcPeeringConnectionOptions | Whitelist | |
ec2:ModifyVpcTenancy | Whitelist | |
ec2:ModifyVpnConnection | Admin | Allows creating the transit gateway attachment via a VPN connection. |
ec2:ModifyVpnConnectionOptions | Admin | |
ec2:ModifyVpnTunnelCertificate | Admin | |
ec2:ModifyVpnTunnelOptions | Admin | |
ec2:MoveAddressToVpc | None | EC2-Classic should not be used. |
ec2:MoveByoipCidrToIpam | Admin | |
ec2:ProvisionByoipCidr | Admin | |
ec2:ProvisionIpamPoolCidr | Admin | |
ec2:ProvisionPublicIpv4PoolCidr | Admin | |
ec2:RegisterTransitGatewayMulticastGroupMembers | Admin | |
ec2:RegisterTransitGatewayMulticastGroupSources | Admin | |
ec2:RejectTransitGatewayMulticastDomainAssociations | Admin | |
ec2:RejectTransitGatewayPeeringAttachment | Admin | |
ec2:RejectTransitGatewayVpcAttachment | Admin | |
ec2:RejectVpcEndpointConnections | Whitelist | |
ec2:RejectVpcPeeringConnection | Whitelist | |
ec2:ReleaseAddress | Admin | Admins can release elastic IP addresses. |
ec2:ReleaseIpamPoolAllocation | Admin | |
ec2:ReplaceNetworkAclAssociation | Whitelist | |
ec2:ReplaceNetworkAclEntry | Whitelist | |
ec2:ReplaceRoute | Whitelist | |
ec2:ReplaceRouteTableAssociation | Whitelist | |
ec2:ReplaceTransitGatewayRoute | Admin | |
ec2:ResetAddressAttribute | Admin | |
ec2:RestoreAddressToClassic | None | EC2-Classic should not be used. |
ec2:RestoreManagedPrefixListVersion | Admin | |
ec2:RevokeClientVpnIngress | Admin | |
ec2:RevokeSecurityGroupEgress | Whitelist | |
ec2:RevokeSecurityGroupIngress | Whitelist | |
ec2:SearchLocalGatewayRoutes | Metadata | |
ec2:SearchTransitGatewayMulticastGroups | Metadata | |
ec2:SearchTransitGatewayRoutes | Metadata | |
ec2:StartNetworkInsightsAnalysis | Admin | |
ec2:StartNetworkInsightsAccessScopeAnalysis | Admin | |
ec2:StartVpcEndpointServicePrivateDnsVerification | Admin | |
ec2:TerminateClientVpnConnections | Admin | |
ec2:UpdateSecurityGroupRuleDescriptionsEgress | Whitelist | Admin can update the description field only. |
ec2:UpdateSecurityGroupRuleDescriptionsIngress | Whitelist | Admin can update the description field only. |
ec2:WithdrawByoipCidr | Admin | |
elasticloadbalancing:DescribeLoadBalancers | Metadata | |
logs:DescribeLogGroups | Metadata | |
logs:DescribeLogStreams | Metadata | |
ram:GetResourceShareAssociations | Metadata | |
tiros:CreateQuery | Admin | |
tiros:GetQueryAnswer | Metadata | |
tiros:GetQueryExplanation | Metadata | |
Learn More About Turbot
- Setting Policies Tutorial
- Mods Overview
- Policies Overview
- Resources Overview
- Common Policies and Controls
Recommended Version
@turbot/turbot ^5.22.0
@turbot/turbot-iam ^5.1.0
@turbot/aws-iam ^5.1.0
@turbot/aws-ec2 ^5.0.0
@turbot/aws-kms ^5.0.0
Control Types
- AWS > VPC > DHCP Options > Active
- AWS > VPC > DHCP Options > Approved
- AWS > VPC > DHCP Options > CMDB
- AWS > VPC > DHCP Options > Configured
- AWS > VPC > DHCP Options > Discovery
- AWS > VPC > DHCP Options > Tags
- AWS > VPC > DHCP Options > Usage
- AWS > VPC > Default VPC
- AWS > VPC > Default VPC > Approved
- AWS > VPC > Route > CMDB
- AWS > VPC > Route > Configured
- AWS > VPC > Route > Discovery
- AWS > VPC > Route Table > Active
- AWS > VPC > Route Table > Approved
- AWS > VPC > Route Table > CMDB
- AWS > VPC > Route Table > Configured
- AWS > VPC > Route Table > Discovery
- AWS > VPC > Route Table > Tags
- AWS > VPC > Route Table > Usage
- AWS > VPC > Stack
- AWS > VPC > Subnet > Active
- AWS > VPC > Subnet > Approved
- AWS > VPC > Subnet > Auto Assign Public IP
- AWS > VPC > Subnet > CMDB
- AWS > VPC > Subnet > Configured
- AWS > VPC > Subnet > Discovery
- AWS > VPC > Subnet > Tags
- AWS > VPC > Subnet > Usage
- AWS > VPC > VPC > Active
- AWS > VPC > VPC > Approved
- AWS > VPC > VPC > CMDB
- AWS > VPC > VPC > Configured
- AWS > VPC > VPC > DNS Hostnames
- AWS > VPC > VPC > DNS Resolution
- AWS > VPC > VPC > Discovery
- AWS > VPC > VPC > Flow Logging
- AWS > VPC > VPC > Stack
- AWS > VPC > VPC > Tags
- AWS > VPC > VPC > Usage
Policy Types
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-vpc-core
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-vpc
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-vpc
- AWS > VPC > Approved Regions [Default]
- AWS > VPC > DHCP Options > Active
- AWS > VPC > DHCP Options > Active > Age
- AWS > VPC > DHCP Options > Active > Last Modified
- AWS > VPC > DHCP Options > Approved
- AWS > VPC > DHCP Options > Approved > Custom
- AWS > VPC > DHCP Options > Approved > Regions
- AWS > VPC > DHCP Options > Approved > Usage
- AWS > VPC > DHCP Options > CMDB
- AWS > VPC > DHCP Options > Configured
- AWS > VPC > DHCP Options > Configured > Claim Precedence
- AWS > VPC > DHCP Options > Configured > Source
- AWS > VPC > DHCP Options > Regions
- AWS > VPC > DHCP Options > Tags
- AWS > VPC > DHCP Options > Tags > Template
- AWS > VPC > DHCP Options > Usage
- AWS > VPC > DHCP Options > Usage > Limit
- AWS > VPC > Default VPC
- AWS > VPC > Default VPC > Approved
- AWS > VPC > Default VPC > Approved > Usage
- AWS > VPC > Enabled
- AWS > VPC > Permissions
- AWS > VPC > Permissions > Levels
- AWS > VPC > Permissions > Levels > CGW Administration
- AWS > VPC > Permissions > Levels > DHCP Options Administration
- AWS > VPC > Permissions > Levels > EGW Administration
- AWS > VPC > Permissions > Levels > Endpoint Administration
- AWS > VPC > Permissions > Levels > Flow Logs Administration
- AWS > VPC > Permissions > Levels > IGW Administration
- AWS > VPC > Permissions > Levels > Modifiers
- AWS > VPC > Permissions > Levels > NAT Gateway Administration
- AWS > VPC > Permissions > Levels > Network ACL Administration
- AWS > VPC > Permissions > Levels > Peering Connection Administration
- AWS > VPC > Permissions > Levels > Route Table Administration
- AWS > VPC > Permissions > Levels > Security Group Administration
- AWS > VPC > Permissions > Levels > Subnet Administration
- AWS > VPC > Permissions > Levels > VGW Administration
- AWS > VPC > Permissions > Levels > VPC Administration
- AWS > VPC > Permissions > Levels > VPN Connection Administration
- AWS > VPC > Permissions > Lockdown
- AWS > VPC > Regions
- AWS > VPC > Route > CMDB
- AWS > VPC > Route > Configured
- AWS > VPC > Route > Configured > Claim Precedence
- AWS > VPC > Route > Configured > Source
- AWS > VPC > Route Table > Active
- AWS > VPC > Route Table > Active > Age
- AWS > VPC > Route Table > Active > Last Modified
- AWS > VPC > Route Table > Approved
- AWS > VPC > Route Table > Approved > Custom
- AWS > VPC > Route Table > Approved > Regions
- AWS > VPC > Route Table > Approved > Usage
- AWS > VPC > Route Table > CMDB
- AWS > VPC > Route Table > Configured
- AWS > VPC > Route Table > Configured > Claim Precedence
- AWS > VPC > Route Table > Configured > Source
- AWS > VPC > Route Table > Regions
- AWS > VPC > Route Table > Tags
- AWS > VPC > Route Table > Tags > Template
- AWS > VPC > Route Table > Usage
- AWS > VPC > Route Table > Usage > Limit
- AWS > VPC > Stack
- AWS > VPC > Stack > Secret Variables
- AWS > VPC > Stack > Source
- AWS > VPC > Stack > Terraform Version
- AWS > VPC > Stack > Variables
- AWS > VPC > Subnet > Active
- AWS > VPC > Subnet > Active > Age
- AWS > VPC > Subnet > Active > Last Modified
- AWS > VPC > Subnet > Approved
- AWS > VPC > Subnet > Approved > Custom
- AWS > VPC > Subnet > Approved > Regions
- AWS > VPC > Subnet > Approved > Usage
- AWS > VPC > Subnet > Auto Assign Public IP
- AWS > VPC > Subnet > CMDB
- AWS > VPC > Subnet > Configured
- AWS > VPC > Subnet > Configured > Claim Precedence
- AWS > VPC > Subnet > Configured > Source
- AWS > VPC > Subnet > Regions
- AWS > VPC > Subnet > Tags
- AWS > VPC > Subnet > Tags > Template
- AWS > VPC > Subnet > Usage
- AWS > VPC > Subnet > Usage > Limit
- AWS > VPC > Tags Template [Default]
- AWS > VPC > Trusted Accounts [Default]
- AWS > VPC > Trusted Organizations [Default]
- AWS > VPC > Trusted Services [Default]
- AWS > VPC > VPC > Active
- AWS > VPC > VPC > Active > Age
- AWS > VPC > VPC > Active > Budget
- AWS > VPC > VPC > Active > Last Modified
- AWS > VPC > VPC > Approved
- AWS > VPC > VPC > Approved > Budget
- AWS > VPC > VPC > Approved > Custom
- AWS > VPC > VPC > Approved > Regions
- AWS > VPC > VPC > Approved > Usage
- AWS > VPC > VPC > CMDB
- AWS > VPC > VPC > Configured
- AWS > VPC > VPC > Configured > Claim Precedence
- AWS > VPC > VPC > Configured > Source
- AWS > VPC > VPC > DNS Hostnames
- AWS > VPC > VPC > DNS Resolution
- AWS > VPC > VPC > Flow Logging
- AWS > VPC > VPC > Flow Logging > Cloud Watch
- AWS > VPC > VPC > Flow Logging > Cloud Watch > Log Group
- AWS > VPC > VPC > Flow Logging > Cloud Watch > Role
- AWS > VPC > VPC > Flow Logging > Cloud Watch > Traffic Type
- AWS > VPC > VPC > Flow Logging > Log Record Format
- AWS > VPC > VPC > Flow Logging > S3
- AWS > VPC > VPC > Flow Logging > S3 > Bucket
- AWS > VPC > VPC > Flow Logging > S3 > Key Prefix
- AWS > VPC > VPC > Flow Logging > S3 > Traffic Type
- AWS > VPC > VPC > Flow Logging > Source
- AWS > VPC > VPC > Regions
- AWS > VPC > VPC > Stack
- AWS > VPC > VPC > Stack > Secret Variables
- AWS > VPC > VPC > Stack > Source
- AWS > VPC > VPC > Stack > Terraform Version
- AWS > VPC > VPC > Stack > Variables
- AWS > VPC > VPC > Tags
- AWS > VPC > VPC > Tags > Template
- AWS > VPC > VPC > Usage
- AWS > VPC > VPC > Usage > Limit
Release Notes
5.16.0 (2023-06-06)
What's new?
- README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
- Resource metadata will now also include `createdBy` details in Turbot CMDB.
- We've added new Turbot AKAs for `AWS > VPC` resource types that match their individual unique identifiers. E.g. `VpcId` will now also be a Turbot AKA for `AWS > VPC > VPC`, `SubnetId` for `AWS > VPC > Subnet`, etc. Querying such resources in Turbot will now be easier than before.
5.15.0 (2022-11-01)
Control Types
Added
- AWS > VPC > VPC > Stack
Policy Types
Added
- AWS > VPC > VPC > Stack
- AWS > VPC > VPC > Stack > Secret Variables
- AWS > VPC > VPC > Stack > Source
- AWS > VPC > VPC > Stack > Terraform Version
- AWS > VPC > VPC > Stack > Variables
Action Types
Added
- AWS > VPC > DHCP Options > Skip alarm for Approved control
- AWS > VPC > DHCP Options > Skip alarm for Approved control [90 days]
- AWS > VPC > Route Table > Skip alarm for Approved control
- AWS > VPC > Route Table > Skip alarm for Approved control [90 days]
- AWS > VPC > Subnet > Skip alarm for Approved control
- AWS > VPC > Subnet > Skip alarm for Approved control [90 days]
- AWS > VPC > VPC > Skip alarm for approved control
- AWS > VPC > VPC > Skip alarm for approved control [90 days]
5.14.1 (2022-02-16)
Bug fixes
- We've improved the process of deleting resources from Turbot if their CMDB policy was set to `Enforce: Disabled`. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.
5.14.0 (2022-02-09)
What's new?
- Users can now create their own custom checks against resource attributes in the Approved control using the `Approved > Custom` policy. These custom checks are part of the evaluation of the Approved control. Custom messages can also be added, which are then displayed in the control details table. See Custom Checks for more information.
Bug fixes
- The `AWS/VPC/Admin`, `AWS/VPC/Metadata` and `AWS/VPC/Operator` grants would fail to show up on the Permissions tab while assigning access to users for an account when the `AWS > VPC > Permissions` policy was set to Enabled. This is now fixed.
Policy Types
Added
- AWS > VPC > DHCP Options > Approved > Custom
- AWS > VPC > Route Table > Approved > Custom
- AWS > VPC > Subnet > Approved > Custom
- AWS > VPC > VPC > Approved > Custom
5.13.0 (2022-01-10)
What's new?
- `AWS/VPC/Admin` and `AWS/VPC/Metadata` now include permissions for Carrier Gateway, IPAM, Network Insights Access Scope, Subnet CIDR Reservation, Transit Gateway Connect, Transit Gateway Prefix List Reference and Public IPv4 Pool CIDR.
5.12.1 (2021-10-01)
Bug fixes
- The `AWS > VPC > Route > Discovery` control would go into an error state when there were no routes to upsert. This is now fixed.
5.12.0 (2021-07-20)
What's new?
- `AWS/VPC/Admin` now includes traffic mirror filter permissions.
- We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
5.11.0 (2021-06-23)
What's new?
- `AWS/VPC/Admin` now includes client VPN, network insights, traffic mirror filter, transit gateway, and VPC reachability analyzer permissions.
5.10.1 (2021-05-21)
Bug fixes
- We’ve made a few improvements in the GraphQL queries for various controls, policies, and actions. You won’t notice any difference, but things should run lighter and quicker than before.
5.10.0 (2021-04-02)
Bug fixes
- We've improved our event handling configuration and now filter which AWS events Turbot listens for based on resources' CMDB policies. If a resource's CMDB policy is not set to `Enforce: Enabled`, the EventBridge rules will be configured to not send any events for that resource. This greatly reduces the number of unnecessary events that Turbot listens for and handles.
- Users can now configure the log record format in the `AWS > VPC > VPC > Flow Logging` control to specify the fields to include in the flow log record. To get started, set the `AWS > VPC > VPC > Flow Logging > Log Record Format` policy.
Policy Types
Added
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-vpc-core
- AWS > VPC > VPC > Flow Logging > Log Record Format
5.9.0 (2021-02-18)
What's new?
- We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
Bug fixes
- The `AWS > VPC > Subnet > CMDB` control will now automatically re-run every 24 hours to update the `AvailableIpAddressCount` property in a subnet, because AWS does not currently support real-time events for IP count updates.
5.8.3 (2021-01-13)
Bug fixes
- The `AWS > VPC > VPC > Discovery` control would sometimes fail to upsert all VPCs in a region due to lack of paging support. This is now fixed.
5.8.2 (2021-01-08)
Bug fixes
- We've improved the real-time event handling for tag events that update multiple resources at a time and now all resources in a tag event will be updated in CMDB consistently.
- Controls run faster now when in the `tbd` and `skipped` states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in `tbd` and `skipped`, resulting in faster and lighter control runs.
5.8.1 (2020-12-08)
Bug fixes
- We've optimized the GraphQL queries for various controls when they're in the `tbd` and `skipped` states. You won't notice any difference, but they should run a lot lighter now.
5.8.0 (2020-10-19)
What's new?
Policy Types
Added
- AWS > VPC > Trusted Accounts [Default]
- AWS > VPC > Trusted Organizations [Default]
- AWS > VPC > Trusted Services [Default]
5.7.2 (2020-10-08)
Bug fixes
- The `AWS > VPC > Default VPC > Approved` control would sometimes go into an error state after deleting the default VPC in a region. This is now fixed.
5.7.1 (2020-09-29)
Bug fixes
- We've made some improvements to our real-time event handling that reduces the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.
5.7.0 (2020-09-07)
What's new?
- Discovery controls now have their own control category, `CMDB > Discovery`, to allow for easier filtering separately from other CMDB controls.
- We've renamed the service's default regions policy from `Regions [Default]` to `Regions` to be consistent with our other regions policies.
Bug fixes
- Whenever a subnet was disassociated from a route table, `AWS > VPC > Route Table > CMDB` did not get updated automatically. This issue has now been fixed.
5.6.2 (2020-08-17)
Bug fixes
- In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.
5.6.1 (2020-08-07)
Bug fixes
- In the `AWS > VPC > Route > CMDB` control, we now get route information directly from the AWS API instead of from the route table's CMDB entry. This prevents a race condition that resulted in routes created by the `AWS > VPC > Stack` control being immediately deleted if their route table information was outdated.
5.6.0 (2020-07-22)
What's new?
- The `AWS > VPC > Subnet > Auto Assign Public IP` policy now includes the policy values `Check: Enabled`, `Check: Disabled`, `Enforce: Enabled`, and `Enforce: Disabled`. With the addition of these values, it is now possible to also disable a subnet's auto-assign public IP setting. We have also deprecated the policy values `Check: Auto Assign Public IP` and `Enforce: Auto Assign Public IP` (replaced by `Check: Enabled` and `Enforce: Enabled` respectively). These policy values will be removed in the next major version, and any current policy settings using these values should be updated.
5.5.0 (2020-07-07)
What's new?
- Updated the `AWS > VPC > Regions` policy default value to now include `af-south-1`, `cn-north-1` and `cn-northwest-1`.
5.4.0 (2020-06-30)
Bug fixes
- Sometimes when updating CMDB for resources with tags that have empty string values, e.g. `[{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}]`, we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.
Policy Types
Removed
- AWS > VPC > Subnet > Auto Assign Public IP > Subnet Auto Assign Public IP Types
5.3.0 (2020-06-25)
What's new?
- IAM permissions pertaining to local gateways can now be managed by setting the `AWS > VPC > Enabled` policy to `Enabled`.
5.2.1 (2020-06-01)
Bug fixes
- The `AWS > VPC > Stack` control would fail when trying to create Route resources due to incorrect Terraform metadata for Routes. This has been resolved and the stack control now works smoothly.
5.2.0 (2020-05-08)
Resource Types
Added
- AWS > VPC > Route
Control Types
Added
- AWS > VPC > Route > CMDB
- AWS > VPC > Route > Configured
- AWS > VPC > Route > Discovery
Policy Types
Added
- AWS > VPC > Route > CMDB
- AWS > VPC > Route > Configured
- AWS > VPC > Route > Configured > Claim Precedence
- AWS > VPC > Route > Configured > Source
5.1.0 (2020-05-06)
Control Types
Added
- AWS > VPC > Stack
Policy Types
Added
- AWS > VPC > Stack
- AWS > VPC > Stack > Source
- AWS > VPC > Stack > Variables
Renamed
- AWS > VPC > DHCP Options > Configured > Precedence to AWS > VPC > DHCP Options > Configured > Claim Precedence
- AWS > VPC > Route Table > Configured > Precedence to AWS > VPC > Route Table > Configured > Claim Precedence
- AWS > VPC > Subnet > Configured > Precedence to AWS > VPC > Subnet > Configured > Claim Precedence
- AWS > VPC > VPC > Configured > Precedence to AWS > VPC > VPC > Configured > Claim Precedence
5.0.2 (2020-04-24)
Bug fixes
- The `Default VPC > Approved` control was not correctly identifying default VPCs in a region due to an invalid filter query. This has been fixed and the default VPCs are all accounted for.