Policy types for @turbot/aws-vpc-internet
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-vpc-internet
- AWS > VPC > Egress Only Internet Gateway > Active
- AWS > VPC > Egress Only Internet Gateway > Active > Age
- AWS > VPC > Egress Only Internet Gateway > Active > Last Modified
- AWS > VPC > Egress Only Internet Gateway > Approved
- AWS > VPC > Egress Only Internet Gateway > Approved > Custom
- AWS > VPC > Egress Only Internet Gateway > Approved > Regions
- AWS > VPC > Egress Only Internet Gateway > Approved > Usage
- AWS > VPC > Egress Only Internet Gateway > CMDB
- AWS > VPC > Egress Only Internet Gateway > Configured
- AWS > VPC > Egress Only Internet Gateway > Configured > Claim Precedence
- AWS > VPC > Egress Only Internet Gateway > Configured > Source
- AWS > VPC > Egress Only Internet Gateway > Regions
- AWS > VPC > Egress Only Internet Gateway > Tags
- AWS > VPC > Egress Only Internet Gateway > Tags > Template
- AWS > VPC > Egress Only Internet Gateway > Usage
- AWS > VPC > Egress Only Internet Gateway > Usage > Limit
- AWS > VPC > Elastic IP > Active
- AWS > VPC > Elastic IP > Active > Age
- AWS > VPC > Elastic IP > Active > Attached
- AWS > VPC > Elastic IP > Active > Last Modified
- AWS > VPC > Elastic IP > Approved
- AWS > VPC > Elastic IP > Approved > Custom
- AWS > VPC > Elastic IP > Approved > Regions
- AWS > VPC > Elastic IP > Approved > Usage
- AWS > VPC > Elastic IP > CMDB
- AWS > VPC > Elastic IP > Configured
- AWS > VPC > Elastic IP > Configured > Claim Precedence
- AWS > VPC > Elastic IP > Configured > Source
- AWS > VPC > Elastic IP > Regions
- AWS > VPC > Elastic IP > Tags
- AWS > VPC > Elastic IP > Tags > Template
- AWS > VPC > Elastic IP > Usage
- AWS > VPC > Elastic IP > Usage > Limit
- AWS > VPC > Endpoint > Active
- AWS > VPC > Endpoint > Active > Age
- AWS > VPC > Endpoint > Active > Last Modified
- AWS > VPC > Endpoint > Approved
- AWS > VPC > Endpoint > Approved > Custom
- AWS > VPC > Endpoint > Approved > Regions
- AWS > VPC > Endpoint > Approved > Usage
- AWS > VPC > Endpoint > CMDB
- AWS > VPC > Endpoint > Configured
- AWS > VPC > Endpoint > Configured > Claim Precedence
- AWS > VPC > Endpoint > Configured > Source
- AWS > VPC > Endpoint > Policy
- AWS > VPC > Endpoint > Policy > Trusted Access
- AWS > VPC > Endpoint > Policy > Trusted Access > Accounts
- AWS > VPC > Endpoint > Policy > Trusted Access > Organization Restrictions
- AWS > VPC > Endpoint > Policy > Trusted Access > Services
- AWS > VPC > Endpoint > Regions
- AWS > VPC > Endpoint > Tags
- AWS > VPC > Endpoint > Tags > Template
- AWS > VPC > Endpoint > Usage
- AWS > VPC > Endpoint > Usage > Limit
- AWS > VPC > Endpoint Service > Active
- AWS > VPC > Endpoint Service > Active > Age
- AWS > VPC > Endpoint Service > Active > Budget
- AWS > VPC > Endpoint Service > Active > Last Modified
- AWS > VPC > Endpoint Service > Approved
- AWS > VPC > Endpoint Service > Approved > Budget
- AWS > VPC > Endpoint Service > Approved > Custom
- AWS > VPC > Endpoint Service > Approved > Regions
- AWS > VPC > Endpoint Service > Approved > Usage
- AWS > VPC > Endpoint Service > CMDB
- AWS > VPC > Endpoint Service > Configured
- AWS > VPC > Endpoint Service > Configured > Claim Precedence
- AWS > VPC > Endpoint Service > Configured > Source
- AWS > VPC > Endpoint Service > Regions
- AWS > VPC > Endpoint Service > Tags
- AWS > VPC > Endpoint Service > Tags > Template
- AWS > VPC > Endpoint Service > Usage
- AWS > VPC > Endpoint Service > Usage > Limit
- AWS > VPC > Internet Gateway > Active
- AWS > VPC > Internet Gateway > Active > Age
- AWS > VPC > Internet Gateway > Active > Attached
- AWS > VPC > Internet Gateway > Active > Last Modified
- AWS > VPC > Internet Gateway > Approved
- AWS > VPC > Internet Gateway > Approved > Custom
- AWS > VPC > Internet Gateway > Approved > Regions
- AWS > VPC > Internet Gateway > Approved > Usage
- AWS > VPC > Internet Gateway > CMDB
- AWS > VPC > Internet Gateway > Configured
- AWS > VPC > Internet Gateway > Configured > Claim Precedence
- AWS > VPC > Internet Gateway > Configured > Source
- AWS > VPC > Internet Gateway > Regions
- AWS > VPC > Internet Gateway > Tags
- AWS > VPC > Internet Gateway > Tags > Template
- AWS > VPC > Internet Gateway > Usage
- AWS > VPC > Internet Gateway > Usage > Limit
- AWS > VPC > NAT Gateway > Active
- AWS > VPC > NAT Gateway > Active > Age
- AWS > VPC > NAT Gateway > Active > In Use
- AWS > VPC > NAT Gateway > Active > Last Modified
- AWS > VPC > NAT Gateway > Approved
- AWS > VPC > NAT Gateway > Approved > Custom
- AWS > VPC > NAT Gateway > Approved > Regions
- AWS > VPC > NAT Gateway > Approved > Usage
- AWS > VPC > NAT Gateway > CMDB
- AWS > VPC > NAT Gateway > Configured
- AWS > VPC > NAT Gateway > Configured > Claim Precedence
- AWS > VPC > NAT Gateway > Configured > Source
- AWS > VPC > NAT Gateway > Regions
- AWS > VPC > NAT Gateway > Tags
- AWS > VPC > NAT Gateway > Tags > Template
- AWS > VPC > NAT Gateway > Usage
- AWS > VPC > NAT Gateway > Usage > Limit
AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-vpc-internet
The CloudWatch Events event pattern used by the AWS VPC Internet module to specify
which events to forward to the Guardrails Event Handlers.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcInternetCustomEventPatterns{ "type": "array", "items": { "type": "object" }}AWS > VPC > Egress Only Internet Gateway > Active
Determine the action to take when an AWS VPC egress only internet gateway, based on the AWS > VPC > Egress Only Internet Gateway > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Egress Only Internet Gateway > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayActive[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > VPC > Egress Only Internet Gateway > Active > Age
The age after which the AWS VPC egress only internet gateway
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Egress Only Internet Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayActiveAge[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > VPC > Egress Only Internet Gateway > Active > Last Modified
The number of days since the AWS VPC egress only internet gateway
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Egress Only Internet Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayActiveLastModified[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > VPC > Egress Only Internet Gateway > Approved
Determine the action to take when an AWS VPC egress only internet gateway is not approved based on AWS > VPC > Egress Only Internet Gateway > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayApproved[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > VPC > Egress Only Internet Gateway > Approved > Custom
Determine whether the AWS VPC egress only internet gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC egress only internet gateway is not approved, it will be subject to the action specified in the AWS > VPC > Egress Only Internet Gateway > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayApprovedCustom{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > VPC > Egress Only Internet Gateway > Approved > Regions
A list of AWS regions in which AWS VPC egress only internet gateways are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC egress only internet gateway is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Egress Only Internet Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayApprovedRegions"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Egress Only Internet Gateway > Approved > Usage
Determine whether the AWS VPC egress only internet gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC egress only internet gateway is not approved, it will be subject to the action specified in the AWS > VPC > Egress Only Internet Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayApprovedUsage[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}AWS > VPC > Egress Only Internet Gateway > CMDB
Configure whether to record and synchronize details for the AWS VPC egress only internet gateway into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Egress Only Internet Gateway > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayCmdb[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > VPC > Egress Only Internet Gateway > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayConfigured[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > VPC > Egress Only Internet Gateway > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayConfiguredPrecedence"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > VPC > Egress Only Internet Gateway > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayConfiguredSource{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > VPC > Egress Only Internet Gateway > Regions
A list of AWS regions in which AWS VPC egress only internet gateways are supported for use.
Any egress only internet gateways in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayRegions"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n""{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Egress Only Internet Gateway > Tags
Determine the action to take when an AWS VPC egress only internet gateway tags are not updated based on the AWS > VPC > Egress Only Internet Gateway > Tags > * policies.
The control ensure AWS VPC egress only internet gateway tags include tags defined in AWS > VPC > Egress Only Internet Gateway > Tags > Template.
Tags not defined in Egress Only Internet Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayTags[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}AWS > VPC > Egress Only Internet Gateway > Tags > Template
The template is used to generate the keys and values for AWS VPC egress only internet gateway.
Tags not defined in Egress Only Internet Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayTagsTemplate[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"AWS > VPC > Egress Only Internet Gateway > Usage
Configure the number of AWS VPC egress only internet gateways that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > VPC > Egress Only Internet Gateway > Usage policy.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayUsage[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}AWS > VPC > Egress Only Internet Gateway > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayUsageLimit{ "type": "integer", "minimum": 0, "default": 5}AWS > VPC > Elastic IP > Active
Determine the action to take when an AWS VPC elastic ip, based on the AWS > VPC > Elastic IP > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Elastic IP > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpActive[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > VPC > Elastic IP > Active > Age
The age after which the AWS VPC elastic ip
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Elastic IP > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpActiveAge[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > VPC > Elastic IP > Active > Attached
Determine whether the Elastic IP is active, based on whether it is attached to any other resource types.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Elastic IP > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpActiveAttached[ "Skip", "Active if attached", "Force active if attached", "Force inactive if unattached"]{ "type": "string", "enum": [ "Skip", "Active if attached", "Force active if attached", "Force inactive if unattached" ], "example": [ "Skip" ], "default": "Skip"}AWS > VPC > Elastic IP > Active > Last Modified
The number of days since the AWS VPC elastic ip
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Elastic IP > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpActiveLastModified[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > VPC > Elastic IP > Approved
Determine the action to take when an AWS VPC elastic ip is not approved based on AWS > VPC > Elastic IP > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpApproved[ "Skip", "Check: Approved", "Enforce: Detach unapproved", "Enforce: Detach unapproved if new", "Enforce: Detach and delete unapproved if new", "Enforce: Delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Detach unapproved", "Enforce: Detach unapproved if new", "Enforce: Detach and delete unapproved if new", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > VPC > Elastic IP > Approved > Custom
Determine whether the AWS VPC elastic ip is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC elastic ip is not approved, it will be subject to the action specified in the AWS > VPC > Elastic IP > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpApprovedCustom{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > VPC > Elastic IP > Approved > Regions
A list of AWS regions in which AWS VPC elastic ips are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC elastic ip is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Elastic IP > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpApprovedRegions"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Elastic IP > Approved > Usage
Determine whether the AWS VPC elastic ip is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC elastic ip is not approved, it will be subject to the action specified in the AWS > VPC > Elastic IP > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpApprovedUsage[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}AWS > VPC > Elastic IP > CMDB
Configure whether to record and synchronize details for the AWS VPC elastic ip into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Elastic IP > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpCmdb[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > VPC > Elastic IP > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpConfigured[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > VPC > Elastic IP > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpConfiguredPrecedence"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > VPC > Elastic IP > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpConfiguredSource{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > VPC > Elastic IP > Regions
A list of AWS regions in which AWS VPC elastic ips are supported for use.
Any elastic ips in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpRegions"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n""{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Elastic IP > Tags
Determine the action to take when an AWS VPC elastic ip tags are not updated based on the AWS > VPC > Elastic IP > Tags > * policies.
The control ensure AWS VPC elastic ip tags include tags defined in AWS > VPC > Elastic IP > Tags > Template.
Tags not defined in Elastic IP Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpTags[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}AWS > VPC > Elastic IP > Tags > Template
The template is used to generate the keys and values for AWS VPC elastic ip.
Tags not defined in Elastic IP Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpTagsTemplate[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"AWS > VPC > Elastic IP > Usage
Configure the number of AWS elastic ips that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > > Elastic IP > Usage policy.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpUsage[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}AWS > VPC > Elastic IP > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpUsageLimit{ "type": "integer", "minimum": 0, "default": 5}AWS > VPC > Endpoint > Active
Determine the action to take when an AWS VPC endpoint, based on the AWS > VPC > Endpoint > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Endpoint > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointActive[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > VPC > Endpoint > Active > Age
The age after which the AWS VPC endpoint
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Endpoint > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointActiveAge[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > VPC > Endpoint > Active > Last Modified
The number of days since the AWS VPC endpoint
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Endpoint > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointActiveLastModified[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > VPC > Endpoint > Approved
Determine the action to take when an AWS VPC endpoint is not approved based on AWS > VPC > Endpoint > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointApproved[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > VPC > Endpoint > Approved > Custom
Determine whether the AWS VPC endpoint is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC endpoint is not approved, it will be subject to the action specified in the AWS > VPC > Endpoint > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointApprovedCustom{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > VPC > Endpoint > Approved > Regions
A list of AWS regions in which AWS VPC endpoints are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC endpoint is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Endpoint > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointApprovedRegions"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Endpoint > Approved > Usage
Determine whether the AWS VPC endpoint is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC endpoint is not approved, it will be subject to the action specified in the AWS > VPC > Endpoint > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointApprovedUsage[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}AWS > VPC > Endpoint > CMDB
Configure whether to record and synchronize details for the AWS VPC endpoint into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Endpoint > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointCmdb[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > VPC > Endpoint > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointConfigured[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > VPC > Endpoint > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointConfiguredPrecedence"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > VPC > Endpoint > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointConfiguredSource{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > VPC > Endpoint > Policy
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointPolicyAWS > VPC > Endpoint > Policy > Trusted Access
Manage trusted access for AWS VPC endpoint.
AWS allows VPC endpoints to be shared with specific AWS accounts, services
and federated users. This policy allows you to configure
whether such sharing is allowed, and to which principals.
If set to Enforce: Revoke untrusted access, access to non-trusted
members will be removed.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointPolicyTrustedAccess[ "Skip", "Check: Trusted Access", "Enforce: Revoke untrusted access"]{ "type": "string", "enum": [ "Skip", "Check: Trusted Access", "Enforce: Revoke untrusted access" ], "default": "Skip"}AWS > VPC > Endpoint > Policy > Trusted Access > Accounts
List of AWS Account IDs that are trusted for cross-account access in the
AWS VPC endpoint policy.
Note that Trusted Access > Accounts and Trusted Access ><br />Organizations are evaluated independently. To have access, an AWS
principal must be allowed in Trusted Access > Accounts AND be a
member of an Organization that is allowed in Trusted Access ><br />Organizations.<br />example:<br /> - "123456789012"<br />
Note: Setting the policy to an Empty array will remove all accounts.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointPolicyTrustedAccounts"{\n accounts: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTrustedAccounts\")\n}\n""{% if $.accounts | length == 0 %}[]{% endif %}{% for item in $.accounts %}- '{{ item }}'\n{% endfor %}"{ "type": "array", "items": { "type": "string", "pattern": "(?:^\\d{12}$|^\\*$)" }}AWS > VPC > Endpoint > Policy > Trusted Access > Organization Restrictions
List of AWS Organization IDs that are trusted for cross-account access in
the AWS VPC endpoint policy, or '*' to skip the Organization Restriction.
Note that Trusted Access > Accounts and Trusted Access ><br />Organizations are evaluated independently. To have access, an AWS
principal must be allowed in Trusted Access > Accounts AND be a
member of an Organization that is allowed in Trusted Access ><br />Organizations.
Note: Trusted Access > Organization Restrictions are ONLY
applied to AWS principals. Services and Federated principals do
NOT contain the aws:PrincipalOrgId condition key, and thus
cannot be validated against the Organization.<br />example:<br /> - "o-333333333"<br /> - "o-c3a5y4wd52"<br />
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointPolicyTrustedOrganizations"{\n organizations: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTrustedOrganizations\")\n}\n""{% if $.organizations | length == 0 %}[]{% endif %}{% for item in $.organizations %}- '{{ item }}'\n{% endfor %}"{ "type": "array", "items": { "type": "string", "pattern": "(?:^o-[a-z0-9]{10,32}$|^\\*$)" }}AWS > VPC > Endpoint > Policy > Trusted Access > Services
List of AWS Services that are trusted for access in the AWS VPC endpoint policy.<br />example:<br /> - sns.amazonaws.com<br /> - ec2.amazonaws.com<br />
Note: Setting the policy to an Empty array will remove all services.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointPolicyTrustedServices"{\n services: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTrustedServices\")\n}\n""{% if $.services | length == 0 %}[]{% endif %}{% for item in $.services %}- '{{ item }}'\n{% endfor %}"{ "type": "array", "items": { "type": "string", "pattern": "(?:^\\S*\\.amazonaws\\.com$|^\\*$)" }}AWS > VPC > Endpoint > Regions
A list of AWS regions in which AWS VPC endpoints are supported for use.
Any endpoints in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointRegions"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n""{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Endpoint > Tags
Determine the action to take when an AWS VPC endpoint tags are not updated based on the AWS > VPC > Endpoint > Tags > * policies.
The control ensure AWS VPC endpoint tags include tags defined in AWS > VPC > Endpoint > Tags > Template.
Tags not defined in Endpoint Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointTags[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}AWS > VPC > Endpoint > Tags > Template
The template is used to generate the keys and values for AWS VPC endpoint.
Tags not defined in Endpoint Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointTagsTemplate[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"AWS > VPC > Endpoint > Usage
Configure the number of AWS endpoints that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > > Endpoint > Usage policy.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointUsage[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}AWS > VPC > Endpoint > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointUsageLimit{ "type": "integer", "minimum": 0, "default": 20}AWS > VPC > Endpoint Service > Active
Determine the action to take when an AWS VPC endpoint service, based on the AWS > VPC > Endpoint Service > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Endpoint Service > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceActive[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > VPC > Endpoint Service > Active > Age
The age after which the AWS VPC endpoint service
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Endpoint Service > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceActiveAge[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > VPC > Endpoint Service > Active > Budget
The impact of the budget state on the active control. This policy allows you to force
vpcEndpointServices to inactive based on the current budget state, as reflected inAWS > Account > Budget > State
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Endpoint Service > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceActiveBudget[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}AWS > VPC > Endpoint Service > Active > Last Modified
The number of days since the AWS VPC endpoint service
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Endpoint Service > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceActiveLastModified[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > VPC > Endpoint Service > Approved
Determine the action to take when an AWS VPC endpoint service is not approved based on AWS > VPC > Endpoint Service > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceApproved[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > VPC > Endpoint Service > Approved > Budget
The policy allows you to set endpoint services to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State
This policy will be evaluated by the Approved control. If an AWS VPC endpoint service is not matched by the approved list, it will be subject to the action specified in the AWS > VPC > Endpoint Service > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceApprovedBudget[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}AWS > VPC > Endpoint Service > Approved > Custom
Determine whether the AWS VPC endpoint service is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC endpoint service is not approved, it will be subject to the action specified in the AWS > VPC > Endpoint Service > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceApprovedCustom{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > VPC > Endpoint Service > Approved > Regions
A list of AWS regions in which AWS VPC endpoint services are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC endpoint service is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Endpoint Service > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceApprovedRegions"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Endpoint Service > Approved > Usage
Determine whether the AWS VPC endpoint service is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC endpoint service is not approved, it will be subject to the action specified in the AWS > VPC > Endpoint Service > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceApprovedUsage[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}AWS > VPC > Endpoint Service > CMDB
Configure whether to record and synchronize details for the AWS VPC endpoint service into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Endpoint Service > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceCmdb[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > VPC > Endpoint Service > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceConfigured[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > VPC > Endpoint Service > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceConfiguredPrecedence"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > VPC > Endpoint Service > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceConfiguredSource{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > VPC > Endpoint Service > Regions
A list of AWS regions in which AWS VPC endpoint services are supported for use.
Any endpoint services in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceRegions"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n""{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Endpoint Service > Tags
Determine the action to take when an AWS VPC endpoint service tags are not updated based on the AWS > VPC > Endpoint Service > Tags > * policies.
The control ensure AWS VPC endpoint service tags include tags defined in AWS > VPC > Endpoint Service > Tags > Template.
Tags not defined in Endpoint Service Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceTags[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}AWS > VPC > Endpoint Service > Tags > Template
The template is used to generate the keys and values for AWS VPC endpoint service.
Tags not defined in Endpoint Service Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceTagsTemplate[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"AWS > VPC > Endpoint Service > Usage
Configure the number of AWS endpoint services that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > > Endpoint Service > Usage policy.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceUsage[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}AWS > VPC > Endpoint Service > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceUsageLimit{ "type": "integer", "minimum": 0, "default": 20}AWS > VPC > Internet Gateway > Active
Determine the action to take when an AWS VPC internet gateway, based on the AWS > VPC > Internet Gateway > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Internet Gateway > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayActive[ "Skip", "Check: Active", "Enforce: Detach and delete inactive with 1 day warning", "Enforce: Detach and delete inactive with 3 days warning", "Enforce: Detach and delete inactive with 7 days warning", "Enforce: Detach and delete inactive with 14 days warning", "Enforce: Detach and delete inactive with 30 days warning", "Enforce: Detach and delete inactive with 60 days warning", "Enforce: Detach and delete inactive with 90 days warning", "Enforce: Detach and delete inactive with 180 days warning", "Enforce: Detach and delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Detach and delete inactive with 1 day warning", "Enforce: Detach and delete inactive with 3 days warning", "Enforce: Detach and delete inactive with 7 days warning", "Enforce: Detach and delete inactive with 14 days warning", "Enforce: Detach and delete inactive with 30 days warning", "Enforce: Detach and delete inactive with 60 days warning", "Enforce: Detach and delete inactive with 90 days warning", "Enforce: Detach and delete inactive with 180 days warning", "Enforce: Detach and delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > VPC > Internet Gateway > Active > Age
The age after which the AWS VPC internet gateway
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Internet Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayActiveAge[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > VPC > Internet Gateway > Active > Attached
Determine whether the Internet Gateway is active, based on whether it is attached to any other resource types.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Internet Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayActiveAttached[ "Skip", "Active if attached", "Force active if attached", "Force inactive if unattached"]{ "type": "string", "enum": [ "Skip", "Active if attached", "Force active if attached", "Force inactive if unattached" ], "example": [ "Skip" ], "default": "Skip"}AWS > VPC > Internet Gateway > Active > Last Modified
The number of days since the AWS VPC internet gateway
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Internet Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayActiveLastModified[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > VPC > Internet Gateway > Approved
Determine the action to take when an AWS VPC internet gateway is not approved based on AWS > VPC > Internet Gateway > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayApproved[ "Skip", "Check: Approved", "Enforce: Detach unapproved", "Enforce: Detach unapproved if new", "Enforce: Detach and delete unapproved if new", "Enforce: Delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Detach unapproved", "Enforce: Detach unapproved if new", "Enforce: Detach and delete unapproved if new", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > VPC > Internet Gateway > Approved > Custom
Determine whether the AWS VPC internet gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC internet gateway is not approved, it will be subject to the action specified in the AWS > VPC > Internet Gateway > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayApprovedCustom{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > VPC > Internet Gateway > Approved > Regions
A list of AWS regions in which AWS VPC internet gateways are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC internet gateway is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Internet Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayApprovedRegions"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Internet Gateway > Approved > Usage
Determine whether the AWS VPC internet gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC internet gateway is not approved, it will be subject to the action specified in the AWS > VPC > Internet Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayApprovedUsage[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}AWS > VPC > Internet Gateway > CMDB
Configure whether to record and synchronize details for the AWS VPC internet gateway into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Internet Gateway > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayCmdb[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > VPC > Internet Gateway > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayConfigured[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > VPC > Internet Gateway > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayConfiguredPrecedence"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > VPC > Internet Gateway > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayConfiguredSource{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > VPC > Internet Gateway > Regions
A list of AWS regions in which AWS VPC internet gateways are supported for use.
Any internet gateways in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayRegions"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n""{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Internet Gateway > Tags
Determine the action to take when an AWS VPC internet gateway tags are not updated based on the AWS > VPC > Internet Gateway > Tags > * policies.
The control ensure AWS VPC internet gateway tags include tags defined in AWS > VPC > Internet Gateway > Tags > Template.
Tags not defined in Internet Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayTags[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}AWS > VPC > Internet Gateway > Tags > Template
The template is used to generate the keys and values for AWS VPC internet gateway.
Tags not defined in Internet Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayTagsTemplate[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"AWS > VPC > Internet Gateway > Usage
Configure the number of AWS internet gateways that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > > Internet Gateway > Usage policy.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayUsage[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}AWS > VPC > Internet Gateway > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayUsageLimit{ "type": "integer", "minimum": 0, "default": 5}AWS > VPC > NAT Gateway > Active
Determine the action to take when an AWS VPC nat gateway, based on the AWS > VPC > NAT Gateway > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > NAT Gateway > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayActive[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > VPC > NAT Gateway > Active > Age
The age after which the AWS VPC nat gateway
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > NAT Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayActiveAge[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > VPC > NAT Gateway > Active > In Use
If the AWS VPC nat gateway is not being used by any AWS VPC route table then
it is considered as inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > NAT Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayActiveInUse[ "Skip", "Active if in use", "Force active if in use", "Force inactive if not in use"]{ "type": "string", "enum": [ "Skip", "Active if in use", "Force active if in use", "Force inactive if not in use" ], "example": [ "Active if in use" ], "default": "Skip"}AWS > VPC > NAT Gateway > Active > Last Modified
The number of days since the AWS VPC nat gateway
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > NAT Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayActiveLastModified[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > VPC > NAT Gateway > Approved
Determine the action to take when an AWS VPC nat gateway is not approved based on AWS > VPC > NAT Gateway > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayApproved[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > VPC > NAT Gateway > Approved > Custom
Determine whether the AWS VPC nat gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC nat gateway is not approved, it will be subject to the action specified in the AWS > VPC > NAT Gateway > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayApprovedCustom{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > VPC > NAT Gateway > Approved > Regions
A list of AWS regions in which AWS VPC nat gateways are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC nat gateway is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > NAT Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayApprovedRegions"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > VPC > NAT Gateway > Approved > Usage
Determine whether the AWS VPC nat gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC nat gateway is not approved, it will be subject to the action specified in the AWS > VPC > NAT Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayApprovedUsage[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}AWS > VPC > NAT Gateway > CMDB
Configure whether to record and synchronize details for the AWS VPC nat gateway into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > NAT Gateway > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayCmdb[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > VPC > NAT Gateway > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayConfigured[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > VPC > NAT Gateway > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayConfiguredPrecedence"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > VPC > NAT Gateway > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayConfiguredSource{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > VPC > NAT Gateway > Regions
A list of AWS regions in which AWS VPC nat gateways are supported for use.
Any nat gateways in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayRegions"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n""{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"AWS > VPC > NAT Gateway > Tags
Determine the action to take when an AWS VPC nat gateway tags are not updated based on the AWS > VPC > NAT Gateway > Tags > * policies.
The control ensure AWS VPC nat gateway tags include tags defined in AWS > VPC > NAT Gateway > Tags > Template.
Tags not defined in NAT Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayTags[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}AWS > VPC > NAT Gateway > Tags > Template
The template is used to generate the keys and values for AWS VPC nat gateway.
Tags not defined in NAT Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayTagsTemplate[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"AWS > VPC > NAT Gateway > Usage
Configure the number of AWS nat gateways that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > > NAT Gateway > Usage policy.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayUsage[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}AWS > VPC > NAT Gateway > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayUsageLimit{ "type": "integer", "minimum": 0, "default": 20}