Control types for @turbot/aws-vpc-security
- AWS > VPC > Flow Log > Active
- AWS > VPC > Flow Log > Approved
- AWS > VPC > Flow Log > CMDB
- AWS > VPC > Flow Log > Configured
- AWS > VPC > Flow Log > Discovery
- AWS > VPC > Flow Log > Tags
- AWS > VPC > Flow Log > Usage
- AWS > VPC > Network ACL > Active
- AWS > VPC > Network ACL > Approved
- AWS > VPC > Network ACL > CMDB
- AWS > VPC > Network ACL > Configured
- AWS > VPC > Network ACL > Discovery
- AWS > VPC > Network ACL > Tags
- AWS > VPC > Network ACL > Usage
- AWS > VPC > Security Group > Active
- AWS > VPC > Security Group > Approved
- AWS > VPC > Security Group > CMDB
- AWS > VPC > Security Group > Configured
- AWS > VPC > Security Group > Discovery
- AWS > VPC > Security Group > Egress Rules
- AWS > VPC > Security Group > Egress Rules > Approved
- AWS > VPC > Security Group > Ingress Rules
- AWS > VPC > Security Group > Ingress Rules > Approved
- AWS > VPC > Security Group > Tags
- AWS > VPC > Security Group > Usage
- AWS > VPC > Security Group Rule > CMDB
- AWS > VPC > Security Group Rule > Configured
- AWS > VPC > Security Group Rule > Discovery
- AWS > VPC > Security Group Rule > Tags
AWS > VPC > Flow Log > Active
Take an action when an AWS VPC flow log is not active based on the AWS > VPC > Flow Log > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Flow Log > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-security#/control/types/flowLogActive
AWS > VPC > Flow Log > Approved
Take an action when an AWS VPC flow log is not approved based on the AWS > VPC > Flow Log > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-security#/control/types/flowLogApproved
AWS > VPC > Flow Log > CMDB
Record and synchronize details for the AWS VPC flow log into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Flow Log > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)
tmod:@turbot/aws-vpc-security#/control/types/flowLogCmdb
AWS > VPC > Flow Log > Configured
Maintain the AWS > VPC > Flow Log configuration.
Note: If the resource is managed by another stack, the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
tmod:@turbot/aws-vpc-security#/control/types/flowLogConfigured
AWS > VPC > Flow Log > Discovery
Discover all AWS VPC flow log resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Flow Log > Regions policy, the CMDB control will delete the resource from the CMDB.
tmod:@turbot/aws-vpc-security#/control/types/flowLogDiscovery
AWS > VPC > Flow Log > Tags
Take an action when an AWS VPC flow log's tags are not updated based on the AWS > VPC > Flow Log > Tags > * policies.
If the resource is not updated with the tags defined in AWS > VPC > Flow Log > Tags > Template, this control raises an alarm and takes the defined enforcement action.
See Tags for more information.
tmod:@turbot/aws-vpc-security#/control/types/flowLogTags
AWS > VPC > Flow Log > Usage
The Usage control determines whether the number of AWS VPC flow log resources exceeds the configured usage limit for this region.
You can configure the behavior of this control with the AWS > VPC > Flow Log > Usage policy, and set the limit with the AWS > VPC > Flow Log > Usage > Limit policy.
tmod:@turbot/aws-vpc-security#/control/types/flowLogUsage
AWS > VPC > Network ACL > Active
Take an action when an AWS VPC network ACL is not active based on the AWS > VPC > Network ACL > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Network ACL > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-security#/control/types/networkAclActive
AWS > VPC > Network ACL > Approved
Take an action when an AWS VPC network ACL is not approved based on the AWS > VPC > Network ACL > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-security#/control/types/networkAclApproved
AWS > VPC > Network ACL > CMDB
Record and synchronize details for the AWS VPC network ACL into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Network ACL > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)
tmod:@turbot/aws-vpc-security#/control/types/networkAclCmdb
AWS > VPC > Network ACL > Configured
Maintain the AWS > VPC > Network ACL configuration.
Note: If the resource is managed by another stack, the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
tmod:@turbot/aws-vpc-security#/control/types/networkAclConfigured
AWS > VPC > Network ACL > Discovery
Discover all AWS VPC network ACL resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Network ACL > Regions policy, the CMDB control will delete the resource from the CMDB.
tmod:@turbot/aws-vpc-security#/control/types/networkAclDiscovery
AWS > VPC > Network ACL > Tags
Take an action when an AWS VPC network ACL's tags are not updated based on the AWS > VPC > Network ACL > Tags > * policies.
If the resource is not updated with the tags defined in AWS > VPC > Network ACL > Tags > Template, this control raises an alarm and takes the defined enforcement action.
See Tags for more information.
tmod:@turbot/aws-vpc-security#/control/types/networkAclTags
AWS > VPC > Network ACL > Usage
The Usage control determines whether the number of AWS VPC network ACL resources exceeds the configured usage limit for this region.
You can configure the behavior of this control with the AWS > VPC > Network ACL > Usage policy, and set the limit with the AWS > VPC > Network ACL > Usage > Limit policy.
tmod:@turbot/aws-vpc-security#/control/types/networkAclUsage
AWS > VPC > Security Group > Active
Take an action when an AWS VPC security group is not active based on the AWS > VPC > Security Group > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Security Group > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-security#/control/types/securityGroupActive
AWS > VPC > Security Group > Approved
Take an action when an AWS VPC security group is not approved based on the AWS > VPC > Security Group > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-security#/control/types/securityGroupApproved
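The Active and Approved sections above (repeated for Flow Log, Network ACL and Security Group) describe two opposite aggregation rules plus the 60-minute "if new" enforcement window. The following Python sketch is an added example, not code from the Turbot mod; it models that evaluation so the asymmetry is visible in one place: a single active sub-policy keeps a resource, a single unapproved sub-policy condemns it, and "if new" enforcement only fires inside the window. The status words for Approved sub-policies (approved/unapproved/skipped), the treatment of an all-skipped result, the "Enforce: Delete inactive" setting name and the sample resources are assumptions; "Enforce: Delete unapproved", "... if new" and the 60-minute window are taken from the page.

```python
"""Evaluation model for the Active and Approved controls.

Added example, not Turbot code. Status words for Approved sub-policies, the
all-skipped case and the "Enforce: Delete inactive" setting are assumptions;
"Enforce: Delete unapproved", "... if new" and the 60-minute window are from the page.
"""
from datetime import datetime, timedelta, timezone

IF_NEW_WINDOW = timedelta(minutes=60)  # "created within the last 60 minutes"


def aggregate_active(statuses):
    """Active control: the resource is active if ANY sub-policy says active.

    Sub-policies report 'active', 'inactive' or 'skipped'; skipped carries no
    signal. If every sub-policy is skipped, return 'skipped' (assumption).
    """
    signal = [s for s in statuses if s != "skipped"]
    if not signal:
        return "skipped"
    return "active" if "active" in signal else "inactive"


def aggregate_approved(statuses):
    """Approved control: the resource is unapproved if ANY sub-policy says so.

    Mirror image of Active: one failing check is enough to raise an alarm.
    """
    signal = [s for s in statuses if s != "skipped"]
    if not signal:
        return "skipped"
    return "unapproved" if "unapproved" in signal else "approved"


def enforcement_applies(setting, created_at, now):
    """Whether a policy setting's enforcement fires for this resource.

    'Check: ...' settings only alarm. 'Enforce: ... if new' settings act only
    on resources created within IF_NEW_WINDOW; other 'Enforce:' settings always act.
    """
    if not setting.startswith("Enforce:"):
        return False
    if setting.endswith(" if new"):
        return now - created_at <= IF_NEW_WINDOW
    return True


def run_approved_control(resource, setting, now):
    """Return (status, alarm, action) for one resource under an Approved setting."""
    status = aggregate_approved(resource["approved_statuses"])
    if status != "unapproved":
        return status, False, None
    acted = enforcement_applies(setting, resource["created_at"], now)
    return status, True, ("delete" if acted else None)


def run_active_control(resource, setting, now):
    """Return (status, alarm, action) for one resource under an Active setting."""
    status = aggregate_active(resource["active_statuses"])
    if status != "inactive":
        return status, False, None
    acted = enforcement_applies(setting, resource["created_at"], now)
    return status, True, ("delete" if acted else None)


# Constructed sample resources (not real account data).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    "sg-new-open": {   # created 10 min ago, one sub-policy unhappy, no sign of use
        "created_at": NOW - timedelta(minutes=10),
        "approved_statuses": ["approved", "unapproved"],
        "active_statuses": ["inactive", "skipped"],
    },
    "sg-old-open": {   # created 3 h ago, unapproved, but attached somewhere
        "created_at": NOW - timedelta(hours=3),
        "approved_statuses": ["unapproved"],
        "active_statuses": ["active", "inactive"],
    },
    "sg-clean": {      # nothing to say about it
        "created_at": NOW - timedelta(days=30),
        "approved_statuses": ["approved", "skipped"],
        "active_statuses": ["skipped", "skipped"],
    },
}

if __name__ == "__main__":
    for name, res in SAMPLE.items():
        print(name, "Approved:", run_approved_control(res, "Enforce: Delete unapproved if new", NOW))
        print(name, "Active:  ", run_active_control(res, "Enforce: Delete inactive", NOW))
```

The practical consequence of the asymmetry: an Approved control with "... if new" will let the three-hour-old unapproved group through with an alarm only, which is why a "Check" period before switching to a plain "Enforce: Delete unapproved" is the usual rollout order.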
AWS > VPC > Security Group > CMDB
Record and synchronize details for the AWS VPC security group into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB. (Note: Setting CMDB to Skip will also pause these changes.)
tmod:@turbot/aws-vpc-security#/control/types/securityGroupCmdb
AWS > VPC > Security Group > Configured
Maintain the AWS > VPC > Security Group configuration.
Note: If the resource is managed by another stack, the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
tmod:@turbot/aws-vpc-security#/control/types/securityGroupConfigured
AWS > VPC > Security Group > Discovery
Discover all AWS VPC security group resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB.
tmod:@turbot/aws-vpc-security#/control/types/securityGroupDiscovery
AWS > VPC > Security Group > Egress Rules
tmod:@turbot/aws-vpc-security#/control/types/securityGroupEgressRules
AWS > VPC > Security Group > Egress Rules > Approved
Configure Security Group Rules checking. This control defines whether to verify the security group egress rules are approved, as well as the subsequent action to take on unapproved items. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.
If set to Enforce: Delete unapproved, any unapproved rules will be revoked from the security group.
tmod:@turbot/aws-vpc-security#/control/types/securityGroupEgressRulesApproved
AWS > VPC > Security Group > Ingress Rules
tmod:@turbot/aws-vpc-security#/control/types/securityGroupIngressRules
AWS > VPC > Security Group > Ingress Rules > Approved
Configure Security Group Rules checking. This control defines whether to verify the security group ingress rules are approved, as well as the subsequent action to take on unapproved items. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.
If set to Enforce: Delete unapproved, any unapproved rules will be revoked from the security group.
tmod:@turbot/aws-vpc-security#/control/types/securityGroupIngressRulesApproved
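To make the Ingress Rules > Approved and Egress Rules > Approved behaviour concrete, here is an added Python example (not Turbot's implementation, and not its Approved > Rules syntax) that evaluates a security group's ingress permissions against a constructed allowlist and builds the exact IpPermissions payload that would revoke only the unapproved sources. The allowlist format (protocol, port range, widest permitted source CIDR), the set of approved source security groups and the sample security group are constructed for illustration; the permission shape is the one boto3's describe_security_groups returns.

```python
"""Evaluate a security group's ingress rules against an allowlist and build
the revoke payload for the unapproved ones.

Added example, not Turbot's implementation and not its Approved > Rules
syntax. APPROVED_INGRESS, APPROVED_SOURCE_GROUPS and SAMPLE_SG are constructed.
"""
import ipaddress
import json

# Constructed allowlist: (protocol, from_port, to_port, widest permitted source CIDR).
APPROVED_INGRESS = [
    ("tcp", 443, 443, "0.0.0.0/0"),       # public HTTPS
    ("tcp", 22, 22, "10.0.0.0/8"),        # SSH only from the internal range
    ("tcp", 5432, 5432, "10.20.0.0/16"),  # Postgres only from the app subnet
]

# Constructed: source security groups a rule may reference
# (assumption: a referenced group is approved regardless of port).
APPROVED_SOURCE_GROUPS = {"sg-0fedcba9876543210"}

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"][i].
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,   # one good, one bad source
         "IpRanges": [{"CidrIp": "10.1.2.0/24"}, {"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1",                                   # all traffic: never allowlisted
         "IpRanges": [{"CidrIp": "172.16.0.0/12"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ],
}


def _cidr_within(cidr, allowed_cidr):
    """True if cidr is contained in allowed_cidr; False on family mismatch or bad input."""
    try:
        return ipaddress.ip_network(cidr).subnet_of(ipaddress.ip_network(allowed_cidr))
    except (TypeError, ValueError):
        return False


def cidr_rule_approved(protocol, from_port, to_port, cidr):
    """A CIDR rule is approved if some allowlist entry has the same protocol,
    a port range covering it, and a source range containing it."""
    if from_port is None or to_port is None:   # "-1" (all traffic) carries no ports
        return False
    for a_proto, a_from, a_to, a_cidr in APPROVED_INGRESS:
        if (protocol == a_proto and a_from <= from_port and to_port <= a_to
                and _cidr_within(cidr, a_cidr)):
            return True
    return False


def find_unapproved_ingress(sg):
    """Return IpPermissions entries narrowed to the unapproved sources only."""
    revoke = []
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
        bad_v4 = [r for r in perm.get("IpRanges", [])
                  if not cidr_rule_approved(proto, from_port, to_port, r["CidrIp"])]
        bad_v6 = [r for r in perm.get("Ipv6Ranges", [])
                  if not cidr_rule_approved(proto, from_port, to_port, r["CidrIpv6"])]
        bad_sg = [p for p in perm.get("UserIdGroupPairs", [])
                  if p.get("GroupId") not in APPROVED_SOURCE_GROUPS]
        if not (bad_v4 or bad_v6 or bad_sg):
            continue
        entry = {"IpProtocol": proto}
        if from_port is not None:
            entry["FromPort"], entry["ToPort"] = from_port, to_port
        if bad_v4:
            entry["IpRanges"] = bad_v4
        if bad_v6:
            entry["Ipv6Ranges"] = bad_v6
        if bad_sg:
            entry["UserIdGroupPairs"] = bad_sg
        revoke.append(entry)
    return revoke


if __name__ == "__main__":
    payload = find_unapproved_ingress(SAMPLE_SG)
    # With boto3, "Enforce: Delete unapproved" would amount to:
    # ec2.revoke_security_group_ingress(GroupId=SAMPLE_SG["GroupId"], IpPermissions=payload)
    print(json.dumps(payload, indent=2))
```

The payload is narrowed to the offending ranges on purpose: a single permission entry can carry several sources, and revoking the whole entry for port 22 would also drop the approved 10.1.2.0/24 source. The same logic applies to egress with the IpPermissionsEgress list and revoke_security_group_egress.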
AWS > VPC > Security Group > Tags
Take an action when an AWS VPC security group's tags are not updated based on the AWS > VPC > Security Group > Tags > * policies.
If the resource is not updated with the tags defined in AWS > VPC > Security Group > Tags > Template, this control raises an alarm and takes the defined enforcement action.
See Tags for more information.
tmod:@turbot/aws-vpc-security#/control/types/securityGroupTags
AWS > VPC > Security Group > Usage
The Usage control determines whether the number of AWS VPC security group resources exceeds the configured usage limit for this region.
You can configure the behavior of this control with the AWS > VPC > Security Group > Usage policy, and set the limit with the AWS > VPC > Security Group > Usage > Limit policy.
tmod:@turbot/aws-vpc-security#/control/types/securityGroupUsage
AWS > VPC > Security Group Rule > CMDB
Record and synchronize details for the AWS VPC security group rule into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-vpc-security#/control/types/securityGroupRuleCmdb
AWS > VPC > Security Group Rule > Configured
Maintain the AWS > VPC > Security Group Rule configuration.
Note: If the resource is managed by another stack, the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
tmod:@turbot/aws-vpc-security#/control/types/securityGroupRuleConfigured
AWS > VPC > Security Group Rule > Discovery
Discover all AWS VPC security group rule resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
Note that Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB.
tmod:@turbot/aws-vpc-security#/control/types/securityGroupRuleDiscovery
AWS > VPC > Security Group Rule > Tags
Take an action when an AWS VPC security group rule's tags are not updated based on the AWS > VPC > Security Group Rule > Tags > * policies.
If the resource is not updated with the tags defined in AWS > VPC > Security Group Rule > Tags > Template, this control raises an alarm and takes the defined enforcement action.
See Tags for more information.
tmod:@turbot/aws-vpc-security#/control/types/securityGroupRuleTags