Control types for @turbot/aws-vpc-security

AWS > VPC > Flow Log > Active

Take an action when an AWS VPC flow log is not active, based on the AWS > VPC > Flow Log > Active > * policies.

The Active control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it is common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Flow Log > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/flowLogActive

AWS > VPC > Flow Log > Approved

Take an action when an AWS VPC flow log is not approved, based on the AWS > VPC > Flow Log > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement action that specifies "if new", e.g. Enforce: Delete unapproved if new, this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/flowLogApproved

AWS > VPC > Flow Log > CMDB

Record and synchronize details for the AWS VPC flow log into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.

If set to Skip, all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Flow Log > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: setting CMDB to Skip will also pause these changes.)

URI
tmod:@turbot/aws-vpc-security#/control/types/flowLogCmdb

AWS > VPC > Flow Log > Configured

Maintain the AWS > VPC > Flow Log configuration.

Note: if the resource is managed by another stack, the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.

URI
tmod:@turbot/aws-vpc-security#/control/types/flowLogConfigured

AWS > VPC > Flow Log > Discovery

Discover all AWS VPC flow log resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Flow Log > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/aws-vpc-security#/control/types/flowLogDiscovery

AWS > VPC > Flow Log > Tags

Take an action when the tags of an AWS VPC flow log are not updated, based on the AWS > VPC > Flow Log > Tags > * policies.

If the resource is not updated with the tags defined in AWS > VPC > Flow Log > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/flowLogTags

AWS > VPC > Flow Log > Usage

The Usage control determines whether the number of AWS VPC flow log resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > VPC > Flow Log > Usage policy, and set the limit with the AWS > VPC > Flow Log > Usage > Limit policy.

URI
tmod:@turbot/aws-vpc-security#/control/types/flowLogUsage

AWS > VPC > Network ACL > Active

Take an action when an AWS VPC network ACL is not active, based on the AWS > VPC > Network ACL > Active > * policies.

The Active control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it is common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Network ACL > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/networkAclActive

AWS > VPC > Network ACL > Approved

Take an action when an AWS VPC network ACL is not approved, based on the AWS > VPC > Network ACL > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement action that specifies "if new", e.g. Enforce: Delete unapproved if new, this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/networkAclApproved

AWS > VPC > Network ACL > CMDB

Record and synchronize details for the AWS VPC network ACL into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.

If set to Skip, all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Network ACL > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: setting CMDB to Skip will also pause these changes.)

URI
tmod:@turbot/aws-vpc-security#/control/types/networkAclCmdb

AWS > VPC > Network ACL > Configured

Maintain the AWS > VPC > Network ACL configuration.

Note: if the resource is managed by another stack, the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.

URI
tmod:@turbot/aws-vpc-security#/control/types/networkAclConfigured

AWS > VPC > Network ACL > Discovery

Discover all AWS VPC network ACL resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Network ACL > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/aws-vpc-security#/control/types/networkAclDiscovery

AWS > VPC > Network ACL > Tags

Take an action when the tags of an AWS VPC network ACL are not updated, based on the AWS > VPC > Network ACL > Tags > * policies.

If the resource is not updated with the tags defined in AWS > VPC > Network ACL > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/networkAclTags

AWS > VPC > Network ACL > Usage

The Usage control determines whether the number of AWS VPC network ACL resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > VPC > Network ACL > Usage policy, and set the limit with the AWS > VPC > Network ACL > Usage > Limit policy.

URI
tmod:@turbot/aws-vpc-security#/control/types/networkAclUsage

AWS > VPC > Security Group > Active

Take an action when an AWS VPC security group is not active, based on the AWS > VPC > Security Group > Active > * policies.

The Active control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it is common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Security Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupActive

AWS > VPC > Security Group > Approved

Take an action when an AWS VPC security group is not approved, based on the AWS > VPC > Security Group > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement action that specifies "if new", e.g. Enforce: Delete unapproved if new, this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupApproved

AWS > VPC > Security Group > CMDB

Record and synchronize details for the AWS VPC security group into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.

If set to Skip, all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: setting CMDB to Skip will also pause these changes.)

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupCmdb

AWS > VPC > Security Group > Configured

Maintain the AWS > VPC > Security Group configuration.

Note: if the resource is managed by another stack, the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupConfigured

AWS > VPC > Security Group > Discovery

Discover all AWS VPC security group resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupDiscovery

AWS > VPC > Security Group > Egress Rules

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupEgressRules

AWS > VPC > Security Group > Egress Rules > Approved

Configure security group rule checking. This control defines whether to verify that the security group egress rules are approved, as well as the subsequent action to take on unapproved items. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.

If set to Enforce: Delete unapproved, any unapproved rules will be revoked from the security group.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupEgressRulesApproved

AWS > VPC > Security Group > Ingress Rules

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupIngressRules

AWS > VPC > Security Group > Ingress Rules > Approved

Configure security group rule checking. This control defines whether to verify that the security group ingress rules are approved, as well as the subsequent action to take on unapproved items. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.

If set to Enforce: Delete unapproved, any unapproved rules will be revoked from the security group.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupIngressRulesApproved

AWS > VPC > Security Group > Tags

Take an action when the tags of an AWS VPC security group are not updated, based on the AWS > VPC > Security Group > Tags > * policies.

If the resource is not updated with the tags defined in AWS > VPC > Security Group > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupTags

AWS > VPC > Security Group > Usage

The Usage control determines whether the number of AWS VPC security group resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > VPC > Security Group > Usage policy, and set the limit with the AWS > VPC > Security Group > Usage > Limit policy.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupUsage

AWS > VPC > Security Group Rule > CMDB

Record and synchronize details for the AWS VPC security group rule into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.

If set to Skip, all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupRuleCmdb

AWS > VPC > Security Group Rule > Configured

Maintain the AWS > VPC > Security Group Rule configuration.

Note: if the resource is managed by another stack, the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupRuleConfigured

AWS > VPC > Security Group Rule > Discovery

Discover all AWS VPC security group rule resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupRuleDiscovery

AWS > VPC > Security Group Rule > Tags

Take an action when the tags of an AWS VPC security group rule are not updated, based on the AWS > VPC > Security Group Rule > Tags > * policies.

If the resource is not updated with the tags defined in AWS > VPC > Security Group Rule > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupRuleTags