Control types for @turbot/aws-vpc-security

AWS > VPC > Flow Log > Active

Take an action when an AWS VPC flow log is not active based on the
AWS > VPC > Flow Log > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Flow Log > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/flowLogActive

AWS > VPC > Flow Log > Approved

Take an action when an AWS VPC flow log is not approved based on AWS > VPC > Flow Log > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement action that specifies "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement action on resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/flowLogApproved

AWS > VPC > Flow Log > CMDB

Record and synchronize details for the AWS VPC flow log into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Flow Log > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

URI
tmod:@turbot/aws-vpc-security#/control/types/flowLogCmdb

AWS > VPC > Flow Log > Configured

Maintain AWS > VPC > Flow Log configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/aws-vpc-security#/control/types/flowLogConfigured

AWS > VPC > Flow Log > Discovery

Discover all AWS VPC flow log resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > VPC > Flow Log > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/aws-vpc-security#/control/types/flowLogDiscovery

AWS > VPC > Flow Log > Tags

Take an action when the tags on an AWS VPC flow log are not up to date, based on the AWS > VPC > Flow Log > Tags > * policies.

If the resource is not updated with the tags defined in AWS > VPC > Flow Log > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/flowLogTags

AWS > VPC > Flow Log > Usage

The Usage control determines whether the number of AWS VPC flow log resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > VPC > Flow Log > Usage policy, and set the limit with the AWS > VPC > Flow Log > Usage > Limit policy.

URI
tmod:@turbot/aws-vpc-security#/control/types/flowLogUsage

AWS > VPC > Network ACL > Active

Take an action when an AWS VPC network ACL is not active based on the
AWS > VPC > Network ACL > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Network ACL > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/networkAclActive

AWS > VPC > Network ACL > Approved

Take an action when an AWS VPC network ACL is not approved based on AWS > VPC > Network ACL > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement action that specifies "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement action on resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/networkAclApproved

AWS > VPC > Network ACL > CMDB

Record and synchronize details for the AWS VPC network ACL into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Network ACL > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

URI
tmod:@turbot/aws-vpc-security#/control/types/networkAclCmdb

AWS > VPC > Network ACL > Configured

Maintain AWS > VPC > Network ACL configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/aws-vpc-security#/control/types/networkAclConfigured

AWS > VPC > Network ACL > Discovery

Discover all AWS VPC network ACL resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > VPC > Network ACL > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/aws-vpc-security#/control/types/networkAclDiscovery

AWS > VPC > Network ACL > Tags

Take an action when the tags on an AWS VPC network ACL are not up to date, based on the AWS > VPC > Network ACL > Tags > * policies.

If the resource is not updated with the tags defined in AWS > VPC > Network ACL > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/networkAclTags

AWS > VPC > Network ACL > Usage

The Usage control determines whether the number of AWS VPC network ACL resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > VPC > Network ACL > Usage policy, and set the limit with the AWS > VPC > Network ACL > Usage > Limit policy.

URI
tmod:@turbot/aws-vpc-security#/control/types/networkAclUsage

AWS > VPC > Security Group > Active

Take an action when an AWS VPC security group is not active based on the
AWS > VPC > Security Group > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Security Group > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupActive

AWS > VPC > Security Group > Approved

Take an action when an AWS VPC security group is not approved based on AWS > VPC > Security Group > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement action that specifies "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement action on resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupApproved
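The roll-up rules stated in the Active and Approved sections above (the same text applies to flow logs, network ACLs and security groups), together with the 60-minute "if new" window, as an added Python illustration. This is not Turbot's code; it only models the semantics the page describes. The sub-policy names in the sample, the treatment of an all-skipped result, and the non-Enforce setting name are assumptions for illustration.

```python
"""Status roll-up of the Active and Approved controls, and the "if new" gate.

Added illustration, not Turbot code. Rules modelled from the page:
  - Active:   the resource is active if ANY Active > * sub-policy says active.
  - Approved: the resource is unapproved if ANY Approved > * sub-policy says
              not approved (the inverse rule).
  - "Enforce: Delete unapproved if new" acts only on resources created within
    the last 60 minutes; "Enforce: Delete unapproved" acts regardless of age.
Assumption: a result with every sub-policy skipped rolls up to skipped.
"""
from datetime import datetime, timedelta

ACTIVE, INACTIVE, SKIPPED = "active", "inactive", "skipped"
APPROVED, NOT_APPROVED = "approved", "not approved"
NEW_WINDOW = timedelta(minutes=60)


def _decided(sub_results):
    """Drop skipped sub-policies; they never decide the outcome."""
    return [s for s in sub_results.values() if s != SKIPPED]


def active_status(sub_results):
    """Roll up Active > * results: any 'active' wins."""
    decided = _decided(sub_results)
    if not decided:
        return SKIPPED  # assumption: nothing evaluated, nothing to enforce
    return ACTIVE if ACTIVE in decided else INACTIVE


def approved_status(sub_results):
    """Roll up Approved > * results: any 'not approved' wins."""
    decided = _decided(sub_results)
    if not decided:
        return SKIPPED
    return NOT_APPROVED if NOT_APPROVED in decided else APPROVED


def _parse(ts):
    """Accept an ISO 8601 timestamp with offset (as AWS APIs return) or a datetime."""
    return datetime.fromisoformat(ts) if isinstance(ts, str) else ts


def delete_fires(setting, status, created_at, now):
    """Whether a delete enforcement acts on a resource with this status.

    Only Enforce settings act; Skip/Check settings raise an alarm at most.
    Ages at exactly 60 minutes are treated as 'new' (assumption)."""
    if status != NOT_APPROVED:
        return False
    if setting == "Enforce: Delete unapproved":
        return True
    if setting == "Enforce: Delete unapproved if new":
        return _parse(now) - _parse(created_at) <= NEW_WINDOW
    return False


if __name__ == "__main__":
    # Constructed sample results; the sub-policy names are illustrative.
    print(active_status({"Active > Age": INACTIVE, "Active > Last Modified": ACTIVE}))
    print(approved_status({"Approved > Usage": APPROVED, "Approved > Regions": NOT_APPROVED}))
    created, now = "2024-05-01T10:00:00+00:00", "2024-05-01T10:30:00+00:00"
    print(delete_fires("Enforce: Delete unapproved if new", NOT_APPROVED, created, now))
    print(delete_fires("Enforce: Delete unapproved if new", NOT_APPROVED, "2024-05-01T07:00:00+00:00", now))
```

The asymmetry is the point to keep in mind when combining the two controls: a resource that one Active sub-policy considers in use will not be cleaned up even if every other sub-policy reports inactive, whereas a single failing Approved sub-policy is enough to trigger the Approved enforcement.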

AWS > VPC > Security Group > CMDB

Record and synchronize details for the AWS VPC security group into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupCmdb

AWS > VPC > Security Group > Configured

Maintain AWS > VPC > Security Group configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupConfigured

AWS > VPC > Security Group > Discovery

Discover all AWS VPC security group resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupDiscovery

AWS > VPC > Security Group > Egress Rules

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupEgressRules

AWS > VPC > Security Group > Egress Rules > Approved

Configure Security Group Rules checking. This control defines whether to
verify the security group egress rules are approved, as well as the
subsequent action to take on unapproved items. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then
evaluated.

If set to Enforce: Delete unapproved, any unapproved rules will be
revoked from the security group.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupEgressRulesApproved

AWS > VPC > Security Group > Ingress Rules

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupIngressRules

AWS > VPC > Security Group > Ingress Rules > Approved

Configure Security Group Rules checking. This control defines whether to
verify the security group ingress rules are approved, as well as the
subsequent action to take on unapproved items. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then
evaluated.

If set to Enforce: Delete unapproved, any unapproved rules will be
revoked from the security group.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupIngressRulesApproved
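How an "approved rules" evaluation of the kind described in the Egress Rules > Approved and Ingress Rules > Approved sections above can be carried out, as an added Python example that is not Turbot's code. The page does not describe the Compiled Rules format, so the approved-rule list below is an assumed format for illustration. Input rules are in the IpPermissions shape that EC2 DescribeSecurityGroups returns, and the output is the IpPermissions list that RevokeSecurityGroupIngress / RevokeSecurityGroupEgress accept, which is what an "Enforce: Delete unapproved" action would pass. The sample group, security group ID and CIDRs are constructed.

```python
"""Evaluate security group rules against an approved rule set.

Added example, not Turbot code. A rule is approved only if at least one
approved entry covers its protocol, its whole port range and its whole
source CIDR. Sources that are not CIDRs (another security group, a prefix
list) cannot be covered by a CIDR entry and are reported as unapproved.
"""
import ipaddress

FULL_RANGE = (0, 65535)

# Assumed approved-rule format (constructed for this example).
APPROVED_INGRESS = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
    {"protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "10.20.0.0/16"},
]

# Constructed sample ingress permissions in DescribeSecurityGroups shape.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.1.2.0/24"}, {"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
]


def _ports(perm):
    """Port range of an IpPermission; 'all traffic' (-1) carries no ports."""
    if perm["IpProtocol"] == "-1":
        return FULL_RANGE
    return perm["FromPort"], perm["ToPort"]


def _expand(perm):
    """Split one IpPermission into (protocol, from, to, source) tuples, one per
    source, because that is the granularity at which EC2 revokes."""
    proto, (lo, hi) = perm["IpProtocol"], _ports(perm)
    for r in perm.get("IpRanges", []):
        yield proto, lo, hi, r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield proto, lo, hi, r["CidrIpv6"]
    for g in perm.get("UserIdGroupPairs", []):
        yield proto, lo, hi, g["GroupId"]        # security-group source
    for p in perm.get("PrefixListIds", []):
        yield proto, lo, hi, p["PrefixListId"]   # managed prefix list source


def _covered(approved, proto, lo, hi, source):
    """True if this one approved entry fully contains the rule."""
    if approved["protocol"] != "-1" and approved["protocol"] != proto:
        return False
    if not (approved["from_port"] <= lo and hi <= approved["to_port"]):
        return False
    try:
        rule_net = ipaddress.ip_network(source, strict=False)
        approved_net = ipaddress.ip_network(approved["cidr"], strict=False)
    except ValueError:
        return False  # sg-/pl- sources are never covered by a CIDR entry
    return rule_net.version == approved_net.version and rule_net.subnet_of(approved_net)


def unapproved_rules(permissions, approved):
    """All (protocol, from, to, source) rules not covered by any approved entry."""
    return [rule for perm in permissions for rule in _expand(perm)
            if not any(_covered(a, *rule) for a in approved)]


def revoke_permissions(rules):
    """Build the IpPermissions list for revoke_security_group_ingress/egress."""
    perms = []
    for proto, lo, hi, source in rules:
        perm = {"IpProtocol": proto}
        if proto != "-1":
            perm["FromPort"], perm["ToPort"] = lo, hi
        if source.startswith("sg-"):
            perm["UserIdGroupPairs"] = [{"GroupId": source}]
        elif source.startswith("pl-"):
            perm["PrefixListIds"] = [{"PrefixListId": source}]
        elif ":" in source:
            perm["Ipv6Ranges"] = [{"CidrIpv6": source}]
        else:
            perm["IpRanges"] = [{"CidrIp": source}]
        perms.append(perm)
    return perms


if __name__ == "__main__":
    bad = unapproved_rules(SAMPLE_INGRESS, APPROVED_INGRESS)
    for rule in bad:
        print("unapproved:", rule)
    # With boto3 the enforcement would be:
    # ec2.revoke_security_group_ingress(GroupId=..., IpPermissions=revoke_permissions(bad))
    print(revoke_permissions(bad))
```

Two details matter in practice. Rules are expanded per source before comparison, so a permission that mixes an approved CIDR with 0.0.0.0/0 on the same port loses only the open-world entry, not the approved one. And port ranges are checked by containment, so an approved entry for port 22 does not cover a rule for 0-65535 that happens to include it.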

AWS > VPC > Security Group > Tags

Take an action when the tags on an AWS VPC security group are not up to date, based on the AWS > VPC > Security Group > Tags > * policies.

If the resource is not updated with the tags defined in AWS > VPC > Security Group > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupTags

AWS > VPC > Security Group > Usage

The Usage control determines whether the number of AWS VPC security group resources exceeds the configured usage limit for this region.

You can configure the behavior of this control with the AWS > VPC > Security Group > Usage policy, and set the limit with the AWS > VPC > Security Group > Usage > Limit policy.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupUsage

AWS > VPC > Security Group Rule > CMDB

Record and synchronize details for the AWS VPC security group rule into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupRuleCmdb

AWS > VPC > Security Group Rule > Configured

Maintain AWS > VPC > Security Group Rule configuration

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupRuleConfigured

AWS > VPC > Security Group Rule > Discovery

Discover all AWS VPC security group rule resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupRuleDiscovery

AWS > VPC > Security Group Rule > Tags

Take an action when the tags on an AWS VPC security group rule are not up to date, based on the AWS > VPC > Security Group Rule > Tags > * policies.

If the resource is not updated with the tags defined in AWS > VPC > Security Group Rule > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/control/types/securityGroupRuleTags