Policy types for @turbot/aws-vpc-security
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-vpc-security
- AWS > VPC > Flow Log > Active
- AWS > VPC > Flow Log > Active > Age
- AWS > VPC > Flow Log > Active > Budget
- AWS > VPC > Flow Log > Active > Last Modified
- AWS > VPC > Flow Log > Approved
- AWS > VPC > Flow Log > Approved > Budget
- AWS > VPC > Flow Log > Approved > Custom
- AWS > VPC > Flow Log > Approved > Regions
- AWS > VPC > Flow Log > Approved > Usage
- AWS > VPC > Flow Log > CMDB
- AWS > VPC > Flow Log > Configured
- AWS > VPC > Flow Log > Configured > Claim Precedence
- AWS > VPC > Flow Log > Configured > Source
- AWS > VPC > Flow Log > Regions
- AWS > VPC > Flow Log > Tags
- AWS > VPC > Flow Log > Tags > Template
- AWS > VPC > Flow Log > Usage
- AWS > VPC > Flow Log > Usage > Limit
- AWS > VPC > Network ACL > Active
- AWS > VPC > Network ACL > Active > Age
- AWS > VPC > Network ACL > Active > Last Modified
- AWS > VPC > Network ACL > Approved
- AWS > VPC > Network ACL > Approved > Custom
- AWS > VPC > Network ACL > Approved > Regions
- AWS > VPC > Network ACL > Approved > Usage
- AWS > VPC > Network ACL > CMDB
- AWS > VPC > Network ACL > Configured
- AWS > VPC > Network ACL > Configured > Claim Precedence
- AWS > VPC > Network ACL > Configured > Source
- AWS > VPC > Network ACL > Regions
- AWS > VPC > Network ACL > Tags
- AWS > VPC > Network ACL > Tags > Template
- AWS > VPC > Network ACL > Usage
- AWS > VPC > Network ACL > Usage > Limit
- AWS > VPC > Security Group > Active
- AWS > VPC > Security Group > Active > Age
- AWS > VPC > Security Group > Active > Attached
- AWS > VPC > Security Group > Active > Last Modified
- AWS > VPC > Security Group > Approved
- AWS > VPC > Security Group > Approved > Custom
- AWS > VPC > Security Group > Approved > Regions
- AWS > VPC > Security Group > Approved > Usage
- AWS > VPC > Security Group > CMDB
- AWS > VPC > Security Group > Configured
- AWS > VPC > Security Group > Configured > Claim Precedence
- AWS > VPC > Security Group > Configured > Source
- AWS > VPC > Security Group > Egress Rules
- AWS > VPC > Security Group > Egress Rules > Approved
- AWS > VPC > Security Group > Egress Rules > Approved > CIDR Ranges
- AWS > VPC > Security Group > Egress Rules > Approved > Compiled Rules
- AWS > VPC > Security Group > Egress Rules > Approved > Maximum Port Range
- AWS > VPC > Security Group > Egress Rules > Approved > Minimum Bitmask
- AWS > VPC > Security Group > Egress Rules > Approved > Prohibited Ports
- AWS > VPC > Security Group > Egress Rules > Approved > Rules
- AWS > VPC > Security Group > Ingress Rules
- AWS > VPC > Security Group > Ingress Rules > Approved
- AWS > VPC > Security Group > Ingress Rules > Approved > CIDR Ranges
- AWS > VPC > Security Group > Ingress Rules > Approved > Compiled Rules
- AWS > VPC > Security Group > Ingress Rules > Approved > Maximum Port Range
- AWS > VPC > Security Group > Ingress Rules > Approved > Minimum Bitmask
- AWS > VPC > Security Group > Ingress Rules > Approved > Prohibited Ports
- AWS > VPC > Security Group > Ingress Rules > Approved > Rules
- AWS > VPC > Security Group > Regions
- AWS > VPC > Security Group > Tags
- AWS > VPC > Security Group > Tags > Template
- AWS > VPC > Security Group > Usage
- AWS > VPC > Security Group > Usage > Limit
- AWS > VPC > Security Group Rule > CMDB
- AWS > VPC > Security Group Rule > Configured
- AWS > VPC > Security Group Rule > Configured > Claim Precedence
- AWS > VPC > Security Group Rule > Configured > Source
- AWS > VPC > Security Group Rule > Tags
- AWS > VPC > Security Group Rule > Tags > Template
AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-vpc-security
The CloudWatch Events event pattern used by the AWS VPC Security module to specify which events to forward to the Turbot Event Handlers.
{ "type": "array", "items": { "type": "object" }}
AWS > VPC > Flow Log > Active
Determine the action to take when an AWS VPC flow log is not active, based on the AWS > VPC > Flow Log > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Flow Log > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > VPC > Flow Log > Active > Age
The age after which the AWS VPC flow log is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Flow Log > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > VPC > Flow Log > Active > Budget
The impact of the budget state on the Active control. This policy allows you to force flow logs to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Flow Log > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > VPC > Flow Log > Active > Last Modified
The number of days since the AWS VPC flow log was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Flow Log > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > VPC > Flow Log > Approved
Determine the action to take when an AWS VPC flow log is not approved based on the AWS > VPC > Flow Log > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > VPC > Flow Log > Approved > Budget
The policy allows you to set flow logs to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.

This policy will be evaluated by the Approved control. If an AWS VPC flow log is not matched by the approved list, it will be subject to the action specified in the AWS > VPC > Flow Log > Approved policy.

See Approved for more information.
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > VPC > Flow Log > Approved > Custom
Determine whether the AWS VPC flow log is allowed to exist. This policy will be evaluated by the Approved control. If an AWS VPC flow log is not approved, it will be subject to the action specified in the AWS > VPC > Flow Log > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > VPC > Flow Log > Approved > Regions
A list of AWS regions in which AWS VPC flow logs are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC flow log is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Flow Log > Approved policy.

See Approved for more information.
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > VPC > Flow Log > Approved > Usage
Determine whether the AWS VPC flow log is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC flow log is not approved, it will be subject to the action specified in the AWS > VPC > Flow Log > Approved policy.

See Approved for more information.
[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}
AWS > VPC > Flow Log > CMDB
Configure whether to record and synchronize details for the AWS VPC flow log into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Flow Log > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > VPC > Flow Log > Configured
Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it.
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > VPC > Flow Log > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > VPC > Flow Log > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > VPC > Flow Log > Regions
A list of AWS regions in which AWS VPC flow logs are supported for use.

Any flow logs in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > VPC > Flow Log > Tags
Determine the action to take when AWS VPC flow log tags are not updated based on the AWS > VPC > Flow Log > Tags > * policies.

The control ensures AWS VPC flow log tags include the tags defined in AWS > VPC > Flow Log > Tags > Template.

Tags not defined in Flow Log Tags Template will not be modified or deleted. Setting a tag value to "undefined" will result in the tag being deleted.

See Tags for more information.
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > VPC > Flow Log > Tags > Template
The template is used to generate the tag keys and values for the AWS VPC flow log.

Tags not defined in Flow Log Tags Template will not be modified or deleted. Setting a tag value to "undefined" will result in the tag being deleted.

See Tags for more information.
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > VPC > Flow Log > Usage
Configure the number of AWS VPC flow logs that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > VPC > Flow Log > Usage policy.
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > VPC > Flow Log > Usage > Limit
Maximum number of items that can be created for this region.
{ "type": "integer", "minimum": 0, "default": 2}
AWS > VPC > Network ACL > Active
Determine the action to take when an AWS VPC network ACL is not active, based on the AWS > VPC > Network ACL > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Network ACL > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > VPC > Network ACL > Active > Age
The age after which the AWS VPC network ACL is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Network ACL > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > VPC > Network ACL > Active > Last Modified
The number of days since the AWS VPC network ACL was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Network ACL > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > VPC > Network ACL > Approved
Determine the action to take when an AWS VPC network ACL is not approved based on the AWS > VPC > Network ACL > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > VPC > Network ACL > Approved > Custom
Determine whether the AWS VPC network ACL is allowed to exist. This policy will be evaluated by the Approved control. If an AWS VPC network ACL is not approved, it will be subject to the action specified in the AWS > VPC > Network ACL > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
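The schema above (the same one is printed for AWS > VPC > Flow Log > Approved > Custom and AWS > VPC > Network ACL > Approved > Custom) admits a bare string, one result object, or a list of result objects. The following is an added example, not Turbot's code: it validates such a value against that schema, aggregates it with the Approved rule the page states (unapproved for any reason means unapproved), contrasts that with the Active rule (active for any reason means active), and applies the 60-minute "if new" window. Function names and the sample values are assumptions.

```python
"""Validate and evaluate a Turbot 'Approved > Custom' policy value.

Mirrors the schema shown on the page: result must be Approved, Not approved
or Skip; optional title (1-32 chars) and message (1-128 chars); no other keys.
YAML parsing is left to the caller; inputs here are already-parsed values.
"""
import re
from typing import Any, Dict, List, Tuple

RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")
ALLOWED_KEYS = {"title", "message", "result"}
NEW_WINDOW_MINUTES = 60  # "if new" applies to resources created in the last 60 minutes


class PolicyValueError(ValueError):
    """Raised when a value does not satisfy the Approved > Custom schema."""


def _check_object(obj: Any) -> Dict[str, str]:
    """Validate one result object (additionalProperties: false, result required)."""
    if not isinstance(obj, dict):
        raise PolicyValueError(f"expected an object, got {type(obj).__name__}")
    extra = set(obj) - ALLOWED_KEYS
    if extra:
        raise PolicyValueError(f"unexpected keys: {sorted(extra)}")
    if "result" not in obj:
        raise PolicyValueError("missing required key 'result'")
    for key, pattern in (("result", RESULT_RE), ("title", TITLE_RE), ("message", MESSAGE_RE)):
        if key in obj:
            val = obj[key]
            if not isinstance(val, str) or not pattern.match(val):
                raise PolicyValueError(f"invalid value for {key!r}: {val!r}")
    return obj


def normalize(value: Any) -> List[Dict[str, str]]:
    """Validate a policy value and return it as a list of result objects."""
    if isinstance(value, str):
        if not RESULT_RE.match(value):
            raise PolicyValueError(f"invalid result string: {value!r}")
        return [{"result": value}]
    if isinstance(value, dict):
        return [_check_object(value)]
    if isinstance(value, list):
        return [_check_object(item) for item in value]
    raise PolicyValueError(f"unsupported policy value type: {type(value).__name__}")


def evaluate_approved(value: Any) -> Tuple[str, List[Dict[str, str]]]:
    """Approved rule from the page: unapproved for any reason -> Not approved.

    Returns the aggregate status and the objects that produced it, so an
    alarm can carry the custom title/message. All-Skip (or an empty list)
    means this sub-policy has no opinion.
    """
    items = normalize(value)
    results = [item["result"] for item in items]
    if "Not approved" in results:
        status = "Not approved"
    elif "Approved" in results:
        status = "Approved"
    else:
        status = "Skip"
    return status, [item for item in items if item["result"] == status]


def aggregate_active(statuses: List[str]) -> str:
    """Active rule from the page (simplified): active for any reason -> active.

    Skipped sub-policies are ignored; only when every considered sub-policy
    says inactive is the resource inactive.
    """
    considered = [s for s in statuses if s != "skipped"]
    if not considered:
        return "skipped"
    return "active" if "active" in considered else "inactive"


def enforcement_applies(policy_setting: str, status: str, age_minutes: float) -> bool:
    """Whether an Approved setting such as 'Enforce: Delete unapproved if new'
    acts on a resource of the given approval status and age in minutes."""
    if status != "Not approved" or not policy_setting.startswith("Enforce:"):
        return False
    if policy_setting.endswith("if new"):
        return age_minutes <= NEW_WINDOW_MINUTES
    return True


if __name__ == "__main__":
    # Constructed sample: one sub-result approves, one does not.
    sample = [
        {"result": "Approved", "title": "Region allowed"},
        {"result": "Not approved", "title": "Owner tag missing",
         "message": "Flow log has no Owner tag; add one or remove the log."},
    ]
    status, reasons = evaluate_approved(sample)
    print(status, [r["title"] for r in reasons])  # Not approved ['Owner tag missing']
    print(enforcement_applies("Enforce: Delete unapproved if new", status, 15))  # True
    print(aggregate_active(["inactive", "skipped", "active"]))  # active
```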
AWS > VPC > Network ACL > Approved > Regions
A list of AWS regions in which AWS VPC network ACLs are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC network ACL is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Network ACL > Approved policy.

See Approved for more information.
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > VPC > Network ACL > Approved > Usage
Determine whether the AWS VPC network ACL is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC network ACL is not approved, it will be subject to the action specified in the AWS > VPC > Network ACL > Approved policy.

See Approved for more information.
[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}
AWS > VPC > Network ACL > CMDB
Configure whether to record and synchronize details for the AWS VPC network ACL into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Network ACL > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > VPC > Network ACL > Configured
Determine how to configure this resource.\n\nNote: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored\nand inherit from the stack that owns it\n
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > VPC > Network ACL > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.\nA stack cannot claim a resource if it is already claimed by another\nstack at a higher level of precedence.\n
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > VPC > Network ACL > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > VPC > Network ACL > Regions
A list of AWS regions in which AWS VPC network acls are supported for use.\n\nAny network acls in a region not listed here will not be recorded in the CMDB.\n\nThe expected format is an array of region names. You may use the '*' and\n'?' wildcard characters.\n
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > VPC > Network ACL > Tags
Determine the action to take when the tags of an AWS VPC network acl do not match the AWS > VPC > Network ACL > Tags > * policies.\n\nThe control ensures AWS VPC network acl tags include the tags defined in AWS > VPC > Network ACL > Tags > Template.\n\nTags not defined in Network ACL Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.\n\nSee Tags for more information.\n
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > VPC > Network ACL > Tags > Template
The template is used to generate the keys and values for the AWS VPC network acl.\n\nTags not defined in Network ACL Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.\n\nSee Tags for more information.\n
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > VPC > Network ACL > Usage
Configure the number of AWS network acls that can be used for this region and check the current consumption against the limit.\n\nYou can configure the behavior of the control with this AWS > VPC > Network ACL > Usage policy.\n
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > VPC > Network ACL > Usage > Limit
Maximum number of items that can be created for this region.
{ "type": "integer", "minimum": 0, "default": 1000}
AWS > VPC > Security Group > Active
Determine the action to take when an AWS VPC security group is not active, based on the AWS > VPC > Security Group > Active > * policies.\n\nThe control determines whether the resource is in active use, and if not,\nhas the ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > VPC > Security Group > Active > *), raises an alarm, and takes the defined enforcement\naction. Each Active sub-policy can calculate a status of active, inactive\nor skipped. Generally, if the resource appears to be Active for any reason\nit will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered\nUnapproved.\n\nSee Active for more information.\n
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > VPC > Security Group > Active > Age
The age after which the AWS VPC security group\nis no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > VPC > Security Group > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > VPC > Security Group > Active > Attached
Determine whether the Security Group is active, based on whether it is attached to any other resource types.\n\nThe Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the resource (AWS > VPC > Security Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.\n
[ "Skip", "Active if attached", "Force active if attached", "Force inactive if unattached"]
{ "type": "string", "enum": [ "Skip", "Active if attached", "Force active if attached", "Force inactive if unattached" ], "example": [ "Skip" ], "default": "Skip"}
AWS > VPC > Security Group > Active > Last Modified
The number of days since the AWS VPC security group\nwas last modified before it is considered inactive.\n\nThe Active\ncontrol determines whether the resource is in active use, and if not, has\nthe ability to delete / cleanup the resource. When running an automated\ncompliance environment, it's common to end up with a wide range of alarms\nthat are difficult and time consuming to clear. The Active control brings\nautomated, well-defined control to this process.\n\nThe Active control checks the status of all defined Active policies for the\nresource (AWS > VPC > Security Group > Active > *),\nraises an alarm, and takes the defined enforcement action. Each Active\nsub-policy can calculate a status of active, inactive or skipped. Generally,\nif the resource appears to be Active for any reason it will be considered Active.\nNote the contrast with Approved, where if the resource appears to be Unapproved\nfor any reason it will be considered Unapproved.\n\nSee Active for more information.\n
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > VPC > Security Group > Approved
Determine the action to take when an AWS VPC security group is not approved based on the AWS > VPC > Security Group > Approved > * policies.\n\nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.\n\nFor any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement action for resources created within the last 60 minutes.\n\nSee Approved for more information.\n
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > VPC > Security Group > Approved > Custom
Determine whether the AWS VPC security group is allowed to exist.\nThis policy will be evaluated by the Approved control. If an AWS VPC security group is not approved, it will be subject to the action specified in the AWS > VPC > Security Group > Approved policy.\nSee Approved for more information.\n\nNote: The policy value must be a string with a value of Approved, Not approved or Skip, or one or more YAML objects. Each object must contain the key result with a value of Approved, Not approved or Skip. A custom title and message can also be added using the keys title and message respectively.\n
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > VPC > Security Group > Approved > Regions
A list of AWS regions in which AWS VPC security groups are approved for use.\n\nThe expected format is an array of region names. You may use the '*' and '?' wildcard characters.\n\nThis policy will be evaluated by the Approved control. If an AWS VPC security group is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Security Group > Approved policy.\n\nSee Approved for more information.\n
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > VPC > Security Group > Approved > Usage
Determine whether the AWS VPC security group is allowed to exist.\n\nThis policy will be evaluated by the Approved control. If an AWS VPC security group is not approved, it will be subject to the action specified in the AWS > VPC > Security Group > Approved policy.\n\nSee Approved for more information.\n
[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}
AWS > VPC > Security Group > CMDB
Configure whether to record and synchronize details for the AWS VPC security group into the CMDB.\n\nThe CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.\nAll policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".\n\nIf set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.\n\nTo clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".\n\nCMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB.\n\n(Note: Setting CMDB to "Skip" will also pause these changes.)\n
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > VPC > Security Group > Configured
Determine how to configure this resource.\n\nNote: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored\nand inherit from the stack that owns it\n
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > VPC > Security Group > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.\nA stack cannot claim a resource if it is already claimed by another\nstack at a higher level of precedence.\n
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > VPC > Security Group > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > VPC > Security Group > Egress Rules
AWS > VPC > Security Group > Egress Rules > Approved
Configure Security Group Egress Rule checking. This policy defines whether\nto verify the security group egress rules are approved, as well as the\nsubsequent action to take on unapproved items. Rules for all Approved\npolicies will be compiled in Approved > Compiled Rules and then\nevaluated.\n\nIf set to Enforce: Delete unapproved, any unapproved rules will be\nrevoked from the security group.\n
[ "Skip", "Check: Approved", "Enforce: Delete unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved" ], "example": [ "Skip" ], "default": "Skip"}
AWS > VPC > Security Group > Egress Rules > Approved > CIDR Ranges
Custom Security Group egress rules may only be added within the specified\nCIDR address ranges. Acceptable values are valid CIDR blocks. If this list\nis empty, no CIDR address ranges are permitted.\n\nApplies to non-Turbot managed Security Groups.\n\nExamples:\n - 10.0.0.0/8\n - 172.16.0.0/12\n - ::/0\n - 2600:1f18:2368:f300::/56\n - 2001:db8:1234:1a00:3304:8879:34cf:4071\n
{ "type": "array", "items": { "anyOf": [ { "description": "An IPv4 CIDR block.", "type": "string", "pattern": "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/[0-9]{1,2}$", "tests": [ { "description": "all zero octects and prefix.", "input": "0.0.0.0/0" }, { "description": "invalid - missing first octect", "input": "0.0.0/0", "expected": false }, { "description": "invalid - missing prefix", "input": "0.0.0.0/", "expected": false }, { "description": "invalid - prefix too many digits", "input": "0.0.0.0/123", "expected": false }, { "description": "invalid - octect too many digits", "input": "1234.0.0.0/0", "expected": false } ], ".turbot": { "uri": "tmod:@turbot/aws#/definitions/cidrBlock", "modUri": "tmod:@turbot/aws" } }, { "type": "string", "pattern": "^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$", "tests": [ { "input": "::/0" }, { "input": "2600:1f18:2368:f300::/56" }, { "input": "2001:db8:1234:1a00:3304:8879:34cf:4071" }, { "description": "invalid - ipv4 provided", 
"input": "10.0.0.1/8", "expected": false } ], ".turbot": { "uri": "tmod:@turbot/aws#/definitions/ipv6CidrBlock", "modUri": "tmod:@turbot/aws" } } ] }, "default": [ "0.0.0.0/0", "::/0" ]}
AWS > VPC > Security Group > Egress Rules > Approved > Compiled Rules
A read-only Object Control List\n(OCL) with a list of compiled\nfilter rules to approve or reject security group rules.\n\nThis policy is generated by Turbot.\n
{ "type": "string"}
AWS > VPC > Security Group > Egress Rules > Approved > Maximum Port Range
The maximum number of ports that may be opened by any single egress rule\nin a security group.\n\nExamples:\n - 1 - Allow a single port only (e.g. 8080)\n - 4 - Allow up to 4 ports (e.g. 8080-8083)\n - -1 - Allow unlimited number of ports, including -1 for all.\n\nApplies to non-Turbot managed Security Groups.\n
{ "type": "integer", "minimum": -1, "maximum": 65535, "default": -1}
AWS > VPC > Security Group > Egress Rules > Approved > Minimum Bitmask
Defines the smallest allowed bitmask (largest range of IP addresses) that\ncan be granted access in any single custom security group egress rule.\n\nExamples:\n - IPv4\n - 32 - Restrict rules to a single IP address\n - 24 - Restrict rules to a /24 CIDR block\n - 0 - Unlimited size\n - IPv6\n - 256 - Restrict rules to a single IP address\n - 32 - Restrict rules to a /32 CIDR block\n\nApplies to non-Turbot managed Security Groups.\n
{ "type": "integer", "minimum": 0, "maximum": 256, "default": 0}
AWS > VPC > Security Group > Egress Rules > Approved > Prohibited Ports
A YAML list of ports that are prohibited and may not be used for egress\nin custom security groups. For example, 21 might be prohibited to prevent\nthe use of FTP. This list is also applied to ICMP rules, so should be\nchecked against valid ICMP numbers.\n\nApplies to non-Turbot managed Security Groups.\n\nExamples:\n - 21 # FTP\n - 25 # SMTP\n
{ "type": "array", "items": { "type": "integer" }, "default": []}
AWS > VPC > Security Group > Egress Rules > Approved > Rules
An Object Control List (OCL)\nwith a list of filter rules to approve or reject security group rules.\n\nNote that the Approved control does not operate directly from this policy,\nbut from the Approved > Compiled Rules. The rules are processed in order,\nand any built-in Turbot rules will appear first in the list of compiled\nrules.\n\nExamples:\n\n # Allow HTTP and HTTPS rules for RFC1918 private space\n APPROVE $.turbot.fromPort:=80 $.turbot.toPort:=80 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n\n # Allow all rules from security groups in this account\n APPROVE $.UserIdGroupPairs.+.UserId:"969297701313"\n\n # Reject any rule from 0.0.0.0/0\n REJECT $.turbot.cidr:0.0.0.0/0\n
{ "type": "string", "default": "# Approve unmatched rules\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
AWS > VPC > Security Group > Ingress Rules
AWS > VPC > Security Group > Ingress Rules > Approved
Configure Security Group Ingress Rule checking. This policy defines whether\nto verify the security group ingress rules are approved, as well as the\nsubsequent action to take on unapproved items. Rules for all Approved\npolicies will be compiled in Approved > Compiled Rules and then\nevaluated.\n\nIf set to Enforce: Delete unapproved, any unapproved rules will be\nrevoked from the security group.\n
[ "Skip", "Check: Approved", "Enforce: Delete unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved" ], "example": [ "Skip" ], "default": "Skip"}
AWS > VPC > Security Group > Ingress Rules > Approved > CIDR Ranges
Custom Security Group ingress rules may only be added within the specified\nCIDR address ranges. Acceptable values are valid CIDR blocks. If this list\nis empty, no CIDR address ranges are permitted.\n\nApplies to non-Turbot managed Security Groups.\n\nExamples:\n - 10.0.0.0/8\n - 172.16.0.0/12\n
{ "type": "array", "items": { "anyOf": [ { "description": "An IPv4 CIDR block.", "type": "string", "pattern": "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/[0-9]{1,2}$", "tests": [ { "description": "all zero octects and prefix.", "input": "0.0.0.0/0" }, { "description": "invalid - missing first octect", "input": "0.0.0/0", "expected": false }, { "description": "invalid - missing prefix", "input": "0.0.0.0/", "expected": false }, { "description": "invalid - prefix too many digits", "input": "0.0.0.0/123", "expected": false }, { "description": "invalid - octect too many digits", "input": "1234.0.0.0/0", "expected": false } ], ".turbot": { "uri": "tmod:@turbot/aws#/definitions/cidrBlock", "modUri": "tmod:@turbot/aws" } }, { "type": "string", "pattern": "^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$", "tests": [ { "input": "::/0" }, { "input": "2600:1f18:2368:f300::/56" }, { "input": "2001:db8:1234:1a00:3304:8879:34cf:4071" }, { "description": "invalid - ipv4 provided", 
"input": "10.0.0.1/8", "expected": false } ], ".turbot": { "uri": "tmod:@turbot/aws#/definitions/ipv6CidrBlock", "modUri": "tmod:@turbot/aws" } } ] }, "default": [ "0.0.0.0/0", "::/0" ]}
AWS > VPC > Security Group > Ingress Rules > Approved > Compiled Rules
A read-only Object Control List\n(OCL) with a list of compiled\nfilter rules to approve or reject security group rules.\n\nThis policy is generated by Turbot.\n
{ "type": "string"}
AWS > VPC > Security Group > Ingress Rules > Approved > Maximum Port Range
The maximum number of ports that may be opened by any single ingress rule\nin a security group.\n\nExamples:\n - 1 - Allow a single port only (e.g. 8080)\n - 4 - Allow up to 4 ports (e.g. 8080-8083)\n - -1 - Allow unlimited number of ports, including -1 for all.\n\nApplies to non-Turbot managed Security Groups.\n
{ "type": "integer", "minimum": -1, "maximum": 65535, "default": -1}
AWS > VPC > Security Group > Ingress Rules > Approved > Minimum Bitmask
Defines the smallest allowed bitmask (largest range of IP addresses) that\ncan be granted access in any single custom security group ingress rule.\n\nExamples:\n - IPv4\n - 32 - Restrict rules to a single IP address\n - 24 - Restrict rules to a /24 CIDR block\n - 0 - Unlimited size\n - IPv6\n - 256 - Restrict rules to a single IP address\n - 32 - Restrict rules to a /32 CIDR block\n\nApplies to non-Turbot managed Security Groups.\n
{ "type": "integer", "minimum": 0, "maximum": 256, "default": 0}
AWS > VPC > Security Group > Ingress Rules > Approved > Prohibited Ports
A YAML list of ports that are prohibited and may not be used for ingress\nin custom security groups. For example, 21 might be prohibited to prevent\nthe use of FTP. This list is also applied to ICMP rules, so should be\nchecked against valid ICMP numbers.\n\nApplies to non-Turbot managed Security Groups.\n\nExamples:\n - 21 # FTP\n - 25 # SMTP\n
{ "type": "array", "items": { "type": "integer" }, "default": []}
AWS > VPC > Security Group > Ingress Rules > Approved > Rules
An Object Control List (OCL)\nwith a list of filter rules to approve or reject security group rules.\n\nNote that the Approved control does not operate directly from this policy,\nbut from the Approved > Compiled Rules. The rules are processed in order,\nand any built-in Turbot rules will appear first in the list of compiled\nrules.\n\nExamples:\n\n # Allow HTTP and HTTPS rules for RFC1918 private space\n APPROVE $.turbot.fromPort:=80 $.turbot.toPort:=80 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n\n # Allow all rules from security groups in this account\n APPROVE $.UserIdGroupPairs.+.UserId:"969297701313"\n\n # Reject any rule from 0.0.0.0/0\n REJECT $.turbot.cidr:0.0.0.0/0\n
{ "type": "string", "default": "# Approve unmatched rules\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
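The four guardrail sub-policies documented identically for Egress Rules > Approved and Ingress Rules > Approved (CIDR Ranges, Minimum Bitmask, Maximum Port Range, Prohibited Ports) can be dry-run locally before switching a security group from Skip to Check or Enforce. The Python below is an added example, not Turbot's code and not its OCL compiler: it applies those four documented checks to constructed rule objects shaped like EC2 IpPermissions entries and returns an Approved / Not approved verdict per rule. The Guardrails class, the check_permission and evaluate functions and the sample rules are assumptions of this example; it reads the bitmask as the CIDR's actual prefix length (/32 is a single IPv4 address, /128 a single IPv6 address) and counts one ICMP type as a single port.

```python
"""Dry-run of the Security Group Ingress/Egress Rules > Approved guardrails.

Added example, not Turbot's own implementation. It reproduces only the four
documented sub-policies over IpPermissions-shaped rules; the real control
evaluates the compiled OCL rules as well.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Guardrails:
    """The four sub-policies, initialised to the page's documented defaults."""
    cidr_ranges: list = field(default_factory=lambda: ["0.0.0.0/0", "::/0"])  # empty => no CIDR permitted
    minimum_bitmask: int = 0          # 0 = unlimited; 24 = /24 or more specific
    maximum_port_range: int = -1      # -1 = unlimited
    prohibited_ports: list = field(default_factory=list)


def port_count(perm):
    """Ports opened by one rule; -1 means unlimited (all ports or all protocols)."""
    proto = str(perm.get("IpProtocol", "-1"))
    f, t = perm.get("FromPort", -1), perm.get("ToPort", -1)
    if proto in ("icmp", "icmpv6"):          # assumption: one ICMP type counts as one port
        return -1 if f == -1 else 1
    if proto == "-1" or f == -1 or t == -1:
        return -1
    return t - f + 1


def hits_prohibited(perm, prohibited):
    """Prohibited ports apply to tcp/udp ranges and, as the page notes, to ICMP numbers."""
    proto = str(perm.get("IpProtocol", "-1"))
    f, t = perm.get("FromPort", -1), perm.get("ToPort", -1)
    if proto == "-1":                        # every port is open, so every prohibited port is hit
        return sorted(prohibited)
    if proto in ("icmp", "icmpv6"):
        return [p for p in prohibited if f == -1 or f == p]
    return [p for p in prohibited if f <= p <= t]


def cidr_findings(cidr, g):
    """Minimum Bitmask and CIDR Ranges checks for one IPv4 or IPv6 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    out = []
    if g.minimum_bitmask and net.prefixlen < g.minimum_bitmask:
        out.append(f"{cidr}: /{net.prefixlen} is wider than minimum bitmask /{g.minimum_bitmask}")
    allowed = [ipaddress.ip_network(r) for r in g.cidr_ranges]
    if not any(net.version == r.version and net.subnet_of(r) for r in allowed):
        out.append(f"{cidr}: not within approved CIDR ranges")
    return out


def check_permission(perm, g):
    """Return the list of guardrail violations for one rule (empty list = approved)."""
    findings = []
    n = port_count(perm)
    if g.maximum_port_range != -1 and (n == -1 or n > g.maximum_port_range):
        findings.append(f"opens {'all' if n == -1 else n} ports, maximum is {g.maximum_port_range}")
    for p in hits_prohibited(perm, g.prohibited_ports):
        findings.append(f"port {p} is prohibited")
    for r in perm.get("IpRanges", []):
        findings += cidr_findings(r["CidrIp"], g)
    for r in perm.get("Ipv6Ranges", []):
        findings += cidr_findings(r["CidrIpv6"], g)
    # UserIdGroupPairs (security-group references) carry no CIDR, so only the port checks apply
    return findings


def evaluate(perms, g):
    """Verdict per rule in the vocabulary of the Approved control."""
    return [("Approved" if not (f := check_permission(p, g)) else "Not approved", f) for p in perms]


# Constructed sample rules shaped like EC2 DescribeSecurityGroups IpPermissions entries
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.1.2.3/32"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8083, "IpRanges": [{"CidrIp": "172.16.5.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 21, "IpRanges": [{"CidrIp": "10.0.0.0/24"}]},
    {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "UserIdGroupPairs": [{"UserId": "111122223333", "GroupId": "sg-0123456789abcdef0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

# Hypothetical strict settings: RFC1918 only, nothing wider than /16, at most 4 ports, no FTP/SMTP
STRICT = Guardrails(
    cidr_ranges=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    minimum_bitmask=16,
    maximum_port_range=4,
    prohibited_ports=[21, 25],
)

if __name__ == "__main__":
    for rule, (verdict, findings) in zip(SAMPLE_RULES, evaluate(SAMPLE_RULES, STRICT)):
        print(verdict, rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort"), findings)
```

Under STRICT the SSH-from-anywhere, all-traffic, FTP and IPv6-from-anywhere rules come back Not approved with the specific guardrail named, while the RFC1918 HTTPS rule and the security-group reference pass. With the page's defaults (Guardrails() as declared above) every sample rule is approved, which is the point to keep in mind: the default CIDR Ranges, Minimum Bitmask, Maximum Port Range and Prohibited Ports values constrain nothing, and the default Rules value of APPROVE * approves whatever is left, so Check: Approved only starts flagging rules once at least one of these sub-policies is tightened.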
AWS > VPC > Security Group > Regions
A list of AWS regions in which AWS VPC security groups are supported for use.\n\nAny security groups in a region not listed here will not be recorded in the CMDB.\n\nThe expected format is an array of region names. You may use the '*' and\n'?' wildcard characters.\n
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > VPC > Security Group > Tags
Determine the action to take when the tags of an AWS VPC security group do not match the AWS > VPC > Security Group > Tags > * policies.\n\nThe control ensures AWS VPC security group tags include the tags defined in AWS > VPC > Security Group > Tags > Template.\n\nTags not defined in Security Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.\n\nSee Tags for more information.\n
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > VPC > Security Group > Tags > Template
The template is used to generate the keys and values for the AWS VPC security group.\n\nTags not defined in Security Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.\n\nSee Tags for more information.\n
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > VPC > Security Group > Usage
Configure the number of AWS security groups that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > VPC > Security Group > Usage policy.
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > VPC > Security Group > Usage > Limit
Maximum number of items that can be created for this region.
{ "type": "integer", "minimum": 0, "default": 2500}
AWS > VPC > Security Group Rule > CMDB
Configure whether to record and synchronize details for the AWS VPC security group rules into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > VPC > Security Group Rule > Configured
Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > VPC > Security Group Rule > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > VPC > Security Group Rule > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > VPC > Security Group Rule > Tags
Determine the action to take when AWS VPC security group rule tags are not updated based on the AWS > VPC > Security Group Rule > Tags > * policies.

The control ensures AWS VPC security group rule tags include tags defined in AWS > VPC > Security Group Rule > Tags > Template.

Tags not defined in Security Group Rule Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > VPC > Security Group Rule > Tags > Template
The template is used to generate the keys and values for AWS VPC security group rule.

Tags not defined in Security Group Rule Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"