Policy types for @turbot/aws-vpc-security
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-vpc-security
- AWS > VPC > Flow Log > Active
- AWS > VPC > Flow Log > Active > Age
- AWS > VPC > Flow Log > Active > Budget
- AWS > VPC > Flow Log > Active > Last Modified
- AWS > VPC > Flow Log > Approved
- AWS > VPC > Flow Log > Approved > Budget
- AWS > VPC > Flow Log > Approved > Custom
- AWS > VPC > Flow Log > Approved > Regions
- AWS > VPC > Flow Log > Approved > Usage
- AWS > VPC > Flow Log > CMDB
- AWS > VPC > Flow Log > Configured
- AWS > VPC > Flow Log > Configured > Claim Precedence
- AWS > VPC > Flow Log > Configured > Source
- AWS > VPC > Flow Log > Regions
- AWS > VPC > Flow Log > Tags
- AWS > VPC > Flow Log > Tags > Template
- AWS > VPC > Flow Log > Usage
- AWS > VPC > Flow Log > Usage > Limit
- AWS > VPC > Network ACL > Active
- AWS > VPC > Network ACL > Active > Age
- AWS > VPC > Network ACL > Active > Last Modified
- AWS > VPC > Network ACL > Approved
- AWS > VPC > Network ACL > Approved > Custom
- AWS > VPC > Network ACL > Approved > Regions
- AWS > VPC > Network ACL > Approved > Usage
- AWS > VPC > Network ACL > CMDB
- AWS > VPC > Network ACL > Configured
- AWS > VPC > Network ACL > Configured > Claim Precedence
- AWS > VPC > Network ACL > Configured > Source
- AWS > VPC > Network ACL > Regions
- AWS > VPC > Network ACL > Tags
- AWS > VPC > Network ACL > Tags > Template
- AWS > VPC > Network ACL > Usage
- AWS > VPC > Network ACL > Usage > Limit
- AWS > VPC > Security Group > Active
- AWS > VPC > Security Group > Active > Age
- AWS > VPC > Security Group > Active > Attached
- AWS > VPC > Security Group > Active > Last Modified
- AWS > VPC > Security Group > Approved
- AWS > VPC > Security Group > Approved > Custom
- AWS > VPC > Security Group > Approved > Regions
- AWS > VPC > Security Group > Approved > Usage
- AWS > VPC > Security Group > CMDB
- AWS > VPC > Security Group > Configured
- AWS > VPC > Security Group > Configured > Claim Precedence
- AWS > VPC > Security Group > Configured > Source
- AWS > VPC > Security Group > Egress Rules
- AWS > VPC > Security Group > Egress Rules > Approved
- AWS > VPC > Security Group > Egress Rules > Approved > CIDR Ranges
- AWS > VPC > Security Group > Egress Rules > Approved > Compiled Rules
- AWS > VPC > Security Group > Egress Rules > Approved > Maximum Port Range
- AWS > VPC > Security Group > Egress Rules > Approved > Minimum Bitmask
- AWS > VPC > Security Group > Egress Rules > Approved > Prohibited Ports
- AWS > VPC > Security Group > Egress Rules > Approved > Rules
- AWS > VPC > Security Group > Ingress Rules
- AWS > VPC > Security Group > Ingress Rules > Approved
- AWS > VPC > Security Group > Ingress Rules > Approved > CIDR Ranges
- AWS > VPC > Security Group > Ingress Rules > Approved > Compiled Rules
- AWS > VPC > Security Group > Ingress Rules > Approved > Maximum Port Range
- AWS > VPC > Security Group > Ingress Rules > Approved > Minimum Bitmask
- AWS > VPC > Security Group > Ingress Rules > Approved > Prohibited Ports
- AWS > VPC > Security Group > Ingress Rules > Approved > Rules
- AWS > VPC > Security Group > Regions
- AWS > VPC > Security Group > Tags
- AWS > VPC > Security Group > Tags > Template
- AWS > VPC > Security Group > Usage
- AWS > VPC > Security Group > Usage > Limit
- AWS > VPC > Security Group Rule > CMDB
- AWS > VPC > Security Group Rule > Configured
- AWS > VPC > Security Group Rule > Configured > Claim Precedence
- AWS > VPC > Security Group Rule > Configured > Source
- AWS > VPC > Security Group Rule > Tags
- AWS > VPC > Security Group Rule > Tags > Template
AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-vpc-security
The CloudWatch Events event pattern used by the AWS VPC Security module to specify
which events to forward to the Guardrails Event Handlers.
tmod:@turbot/aws-vpc-security#/policy/types/vpcSecurityCustomEventPatterns
{ "type": "array", "items": { "type": "object" }}
AWS > VPC > Flow Log > Active
Determine the action to take when an AWS VPC flow log is inactive, based on the AWS > VPC > Flow Log > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Flow Log > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > VPC > Flow Log > Active > Age
The age after which the AWS VPC flow log is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Flow Log > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > VPC > Flow Log > Active > Budget
The impact of the budget state on the active control. This policy allows you to force flow logs to inactive based on the current budget state, as reflected in AWS > Account > Budget > State.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Flow Log > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogActiveBudget
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > VPC > Flow Log > Active > Last Modified
The number of days since the AWS VPC flow log was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Flow Log > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > VPC > Flow Log > Approved
Determine the action to take when an AWS VPC flow log is not approved based on AWS > VPC > Flow Log > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > VPC > Flow Log > Approved > Budget
The policy allows you to set flow logs to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.
This policy will be evaluated by the Approved control. If an AWS VPC flow log is not matched by the approved list, it will be subject to the action specified in the AWS > VPC > Flow Log > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogApprovedBudget
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > VPC > Flow Log > Approved > Custom
Determine whether the AWS VPC flow log is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC flow log is not approved, it will be subject to the action specified in the AWS > VPC > Flow Log > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > VPC > Flow Log > Approved > Regions
A list of AWS regions in which AWS VPC flow logs are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC flow log is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Flow Log > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > VPC > Flow Log > Approved > Usage
Determine whether the AWS VPC flow log is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC flow log is not approved, it will be subject to the action specified in the AWS > VPC > Flow Log > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}
AWS > VPC > Flow Log > CMDB
Configure whether to record and synchronize details for the AWS VPC flow log into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Flow Log > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-security#/policy/types/flowLogCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > VPC > Flow Log > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > VPC > Flow Log > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > VPC > Flow Log > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > VPC > Flow Log > Regions
A list of AWS regions in which AWS VPC flow logs are supported for use.
Any flow logs in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > VPC > Flow Log > Tags
Determine the action to take when AWS VPC flow log tags are not updated based on the AWS > VPC > Flow Log > Tags > * policies.
The control ensures AWS VPC flow log tags include the tags defined in AWS > VPC > Flow Log > Tags > Template.
Tags not defined in Flow Log Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > VPC > Flow Log > Tags > Template
The template is used to generate the keys and values for the AWS VPC flow log.
Tags not defined in Flow Log Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > VPC > Flow Log > Usage
Configure the number of AWS VPC flow logs that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > VPC > Flow Log > Usage policy.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > VPC > Flow Log > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-security#/policy/types/flowLogUsageLimit
{ "type": "integer", "minimum": 0, "default": 2}
AWS > VPC > Network ACL > Active
Determine the action to take when an AWS VPC network acl is inactive, based on the AWS > VPC > Network ACL > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Network ACL > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > VPC > Network ACL > Active > Age
The age after which the AWS VPC network acl is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Network ACL > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > VPC > Network ACL > Active > Last Modified
The number of days since the AWS VPC network acl was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Network ACL > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > VPC > Network ACL > Approved
Determine the action to take when an AWS VPC network acl is not approved based on AWS > VPC > Network ACL > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > VPC > Network ACL > Approved > Custom
Determine whether the AWS VPC network acl is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC network acl is not approved, it will be subject to the action specified in the AWS > VPC > Network ACL > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
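The Approved > Custom schema above (identical for Flow Log and Network ACL) is easy to get subtly wrong by hand, so here is an added Python checker, not part of the module, that validates a policy value against the page's own constraints and collapses a valid value to a single result. The combination rule in effective_result (any Not approved wins, then Approved, else Skip) is this example's assumption, modelled on the Approved control's "unapproved for any reason" behaviour; the sample values are constructed.

```python
import re
from typing import Any, Dict, List, Union

# Constraints copied from the page's JSON schema for Approved > Custom:
# a bare result string, one object, or a list of objects; each object
# must carry "result" and may carry "title" (1-32 chars) and "message"
# (1-128 chars); any other key is rejected (additionalProperties: false).
RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")
ALLOWED_KEYS = {"title", "message", "result"}

CustomValue = Union[str, Dict[str, Any], List[Dict[str, Any]]]


def _check_object(obj: Any, where: str, errors: List[str]) -> None:
    """Validate one {title, message, result} object, appending problems to errors."""
    if not isinstance(obj, dict):
        errors.append(f"{where}: expected a YAML object, got {type(obj).__name__}")
        return
    unknown = sorted(set(obj) - ALLOWED_KEYS)
    if unknown:
        errors.append(f"{where}: unexpected key(s) {', '.join(unknown)}")
    if "result" not in obj:
        errors.append(f"{where}: missing required key 'result'")
    elif not (isinstance(obj["result"], str) and RESULT_RE.fullmatch(obj["result"])):
        errors.append(f"{where}: result must be Approved, Not approved or Skip")
    for key, pattern, limit in (("title", TITLE_RE, 32), ("message", MESSAGE_RE, 128)):
        if key in obj and not (isinstance(obj[key], str) and pattern.fullmatch(obj[key])):
            errors.append(f"{where}: {key} must be a string of 1-{limit} characters")


def validate_custom_policy(value: Any) -> List[str]:
    """Return a list of schema violations; an empty list means the value is valid."""
    errors: List[str] = []
    if isinstance(value, str):
        if not RESULT_RE.fullmatch(value):
            errors.append("string value must be exactly Approved, Not approved or Skip")
    elif isinstance(value, dict):
        _check_object(value, "object", errors)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            _check_object(item, f"item {i}", errors)
    else:
        errors.append("value must be a string, an object or a list of objects")
    return errors


def effective_result(value: CustomValue) -> str:
    """Collapse a valid value to one result string.

    Assumed combination rule (not stated on the page): any "Not approved"
    wins, then any "Approved", otherwise "Skip"; an empty list yields "Skip".
    """
    problems = validate_custom_policy(value)
    if problems:
        raise ValueError("invalid Approved > Custom value: " + "; ".join(problems))
    if isinstance(value, str):
        return value
    objects = [value] if isinstance(value, dict) else value
    results = {o["result"] for o in objects}
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"


if __name__ == "__main__":
    # Constructed sample: the parsed form of a two-object YAML policy value.
    sample = [
        {"title": "Log destination", "result": "Approved"},
        {"title": "Retention", "result": "Not approved", "message": "Retention below policy"},
    ]
    print(validate_custom_policy(sample))   # []
    print(effective_result(sample))         # Not approved
    print(validate_custom_policy({"result": "Maybe", "reason": "x"}))
```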
AWS > VPC > Network ACL > Approved > Regions
A list of AWS regions in which AWS VPC network acls are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC network acl is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Network ACL > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > VPC > Network ACL > Approved > Usage
Determine whether the AWS VPC network acl is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC network acl is not approved, it will be subject to the action specified in the AWS > VPC > Network ACL > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}
AWS > VPC > Network ACL > CMDB
Configure whether to record and synchronize details for the AWS VPC network acl into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Network ACL > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-security#/policy/types/networkAclCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > VPC > Network ACL > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > VPC > Network ACL > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > VPC > Network ACL > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > VPC > Network ACL > Regions
A list of AWS regions in which AWS VPC network acls are supported for use.
Any network acls in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > VPC > Network ACL > Tags
Determine the action to take when the tags of an AWS VPC network acl are not updated based on the AWS > VPC > Network ACL > Tags > * policies.
The control ensures AWS VPC network acl tags include the tags defined in AWS > VPC > Network ACL > Tags > Template.
Tags not defined in Network ACL Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > VPC > Network ACL > Tags > Template
The template is used to generate the keys and values for AWS VPC network acl tags.
Tags not defined in Network ACL Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > VPC > Network ACL > Usage
Configure the number of AWS network acls that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > VPC > Network ACL > Usage policy.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > VPC > Network ACL > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-security#/policy/types/networkAclUsageLimit
{ "type": "integer", "minimum": 0, "default": 1000}
AWS > VPC > Security Group > Active
Determine the action to take when an AWS VPC security group is not active, based on the AWS > VPC > Security Group > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Security Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > VPC > Security Group > Active > Age
The age after which the AWS VPC security group is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Security Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > VPC > Security Group > Active > Attached
Determine whether the Security Group is active, based on whether it is attached to any other resource types.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Security Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupActiveAttached
[ "Skip", "Active if attached", "Force active if attached", "Force inactive if unattached"]
{ "type": "string", "enum": [ "Skip", "Active if attached", "Force active if attached", "Force inactive if unattached" ], "example": [ "Skip" ], "default": "Skip"}
AWS > VPC > Security Group > Active > Last Modified
The number of days since the AWS VPC security group was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Security Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > VPC > Security Group > Approved
Determine the action to take when an AWS VPC security group is not approved based on AWS > VPC > Security Group > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > VPC > Security Group > Approved > Custom
Determine whether the AWS VPC security group is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC security group is not approved, it will be subject to the action specified in the AWS > VPC > Security Group > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > VPC > Security Group > Approved > Regions
A list of AWS regions in which AWS VPC security groups are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC security group is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Security Group > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > VPC > Security Group > Approved > Usage
Determine whether the AWS VPC security group is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC security group is not approved, it will be subject to the action specified in the AWS > VPC > Security Group > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}
AWS > VPC > Security Group > CMDB
Configure whether to record and synchronize details for the AWS VPC security group into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > VPC > Security Group > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > VPC > Security Group > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > VPC > Security Group > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > VPC > Security Group > Egress Rules
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRules
AWS > VPC > Security Group > Egress Rules > Approved
Configure Security Group Egress Rule checking. This policy defines whether to verify the security group egress rules are approved, as well as the subsequent action to take on unapproved items. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.
If set to Enforce: Delete unapproved, any unapproved rules will be revoked from the security group.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRulesApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved" ], "example": [ "Skip" ], "default": "Skip"}
AWS > VPC > Security Group > Egress Rules > Approved > CIDR Ranges
Custom Security Group egress rules may only be added within the specified
CIDR address ranges. Acceptable values are valid CIDR blocks. If this list
is empty, no CIDR address ranges are permitted.
Applies to non-Turbot managed Security Groups.
Examples:
- 10.0.0.0/8
- 172.16.0.0/12
- ::/0
- 2600:1f18:2368:f300::/56
- 2001:db8:1234:1a00:3304:8879:34cf:4071
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRulesApprovedCidrRanges
{ "type": "array", "items": { "anyOf": [ { "description": "An IPv4 CIDR block.", "type": "string", "pattern": "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/[0-9]{1,2}$", "tests": [ { "description": "all zero octects and prefix.", "input": "0.0.0.0/0" }, { "description": "invalid - missing first octect", "input": "0.0.0/0", "expected": false }, { "description": "invalid - missing prefix", "input": "0.0.0.0/", "expected": false }, { "description": "invalid - prefix too many digits", "input": "0.0.0.0/123", "expected": false }, { "description": "invalid - octect too many digits", "input": "1234.0.0.0/0", "expected": false } ], ".turbot": { "uri": "tmod:@turbot/aws#/definitions/cidrBlock", "modUri": "tmod:@turbot/aws" } }, { "type": "string", "pattern": "^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$", "tests": [ { "input": "::/0" }, { "input": "2600:1f18:2368:f300::/56" }, { "input": "2001:db8:1234:1a00:3304:8879:34cf:4071" }, { "description": "invalid - ipv4 provided", "input": "10.0.0.1/8", "expected": false } ], ".turbot": { "uri": "tmod:@turbot/aws#/definitions/ipv6CidrBlock", "modUri": "tmod:@turbot/aws" } } ] }, "default": [ "0.0.0.0/0", "::/0" ]}
AWS > VPC > Security Group > Egress Rules > Approved > Compiled Rules
A read-only Object Control List (OCL) with a list of compiled filter rules to approve or reject security group rules.
This policy is generated by Turbot.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRulesApprovedCompiledRules
{ "type": "string"}
AWS > VPC > Security Group > Egress Rules > Approved > Maximum Port Range
The maximum number of ports that may be opened by any single egress rule
in a security group.
Examples:
- 1 - Allow a single port only (e.g. 8080)
- 4 - Allow up to 4 ports (e.g. 8080-8083)
- -1 - Allow unlimited number of ports, including -1 for all.
Applies to non-Turbot managed Security Groups.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRulesApprovedMaximumPortRange
{ "type": "integer", "minimum": -1, "maximum": 65535, "default": -1}
AWS > VPC > Security Group > Egress Rules > Approved > Minimum Bitmask
Defines the smallest allowed bitmask (largest range of IP addresses) that can be granted access in any single custom security group egress rule.
Examples:
- IPv4
  - 32 - Restrict rules to a single IP address
  - 24 - Restrict rules to a /24 CIDR block
  - 0 - Unlimited size
- IPv6
  - 256 - Restrict rules to a single IP address
  - 32 - Restrict rules to a /32 CIDR block
Applies to non-Turbot managed Security Groups.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRulesApprovedMinimumBitmask
{ "type": "integer", "minimum": 0, "maximum": 256, "default": 0}
AWS > VPC > Security Group > Egress Rules > Approved > Prohibited Ports
A YAML list of ports that are prohibited and may not be used for egress
in custom security groups. For example, 21 might be prohibited to prevent
the use of FTP. This list is also applied to ICMP rules, so should be
checked against valid ICMP numbers.
Applies to non-Turbot managed Security Groups.
Examples:
- 21 # FTP
- 25 # SMTP
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRulesApprovedProhibitedPorts
{ "type": "array", "items": { "type": "integer" }, "default": []}
AWS > VPC > Security Group > Egress Rules > Approved > Rules
An Object Control List (OCL) with a list of filter rules to approve or reject security group rules.
Note that the Approved control does not operate directly from this policy, but from the Approved > Compiled Rules. The rules are processed in order, and any built-in Turbot rules will appear first in the list of compiled rules.
Examples:
# Allow HTTP and HTTPS rules for RFC1918 private space
APPROVE $.turbot.fromPort:=80 $.turbot.toPort:=80 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

# Allow all rules from security groups in this account
APPROVE $.UserIdGroupPairs.+.UserId:"969297701313"

# Reject any rule from 0.0.0.0/0
REJECT $.turbot.cidr:0.0.0.0/0
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRulesApprovedRules
{ "type": "string", "default": "# Approve unmatched rules\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
AWS > VPC > Security Group > Ingress Rules
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRules
AWS > VPC > Security Group > Ingress Rules > Approved
Configure Security Group Ingress Rule checking. This policy defines whether to verify the security group ingress rules are approved, as well as the subsequent action to take on unapproved items. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.
If set to Enforce: Delete unapproved, any unapproved rules will be revoked from the security group.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved" ], "example": [ "Skip" ], "default": "Skip"}
AWS > VPC > Security Group > Ingress Rules > Approved > CIDR Ranges
Custom Security Group ingress rules may only be added within the specified
CIDR address ranges. Acceptable values are valid CIDR blocks. If this list
is empty, no CIDR address ranges are permitted.
Applies to non-Turbot managed Security Groups.
Examples:
- 10.0.0.0/8
- 172.16.0.0/12
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedCidrRanges
{ "type": "array", "items": { "anyOf": [ { "description": "An IPv4 CIDR block.", "type": "string", "pattern": "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/[0-9]{1,2}$", "tests": [ { "description": "all zero octects and prefix.", "input": "0.0.0.0/0" }, { "description": "invalid - missing first octect", "input": "0.0.0/0", "expected": false }, { "description": "invalid - missing prefix", "input": "0.0.0.0/", "expected": false }, { "description": "invalid - prefix too many digits", "input": "0.0.0.0/123", "expected": false }, { "description": "invalid - octect too many digits", "input": "1234.0.0.0/0", "expected": false } ], ".turbot": { "uri": "tmod:@turbot/aws#/definitions/cidrBlock", "modUri": "tmod:@turbot/aws" } }, { "type": "string", "pattern": "^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$", "tests": [ { "input": "::/0" }, { "input": "2600:1f18:2368:f300::/56" }, { "input": "2001:db8:1234:1a00:3304:8879:34cf:4071" }, { "description": "invalid - ipv4 provided", "input": "10.0.0.1/8", "expected": false } ], ".turbot": { "uri": "tmod:@turbot/aws#/definitions/ipv6CidrBlock", "modUri": "tmod:@turbot/aws" } } ] }, "default": [ "0.0.0.0/0", "::/0" ]}
AWS > VPC > Security Group > Ingress Rules > Approved > Compiled Rules
A read-only Object Control List (OCL) with a list of compiled filter rules to approve or reject security group rules.
This policy is generated by Turbot.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedCompiledRules
{ "type": "string"}
AWS > VPC > Security Group > Ingress Rules > Approved > Maximum Port Range
The maximum number of ports that may be opened by any single ingress rule in a security group.
Examples:
1 - Allow a single port only (e.g. 8080)
4 - Allow up to 4 ports (e.g. 8080-8083)
-1 - Allow an unlimited number of ports, including rules that use -1 (all ports)
Applies to non-Turbot managed Security Groups.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedMaximumPortRange
{ "type": "integer", "minimum": -1, "maximum": 65535, "default": -1}
AWS > VPC > Security Group > Ingress Rules > Approved > Minimum Bitmask
Defines the smallest allowed bitmask (prefix length, i.e. the largest range of IP addresses) that can be granted access in any single custom security group ingress rule. A rule whose CIDR block has a shorter prefix than this value is not approved.
Examples:
- IPv4
- 32 - Restrict rules to a single IP address
- 24 - Restrict rules to a /24 CIDR block
- 0 - Unlimited size
- IPv6
- 128 - Restrict rules to a single IP address
- 32 - Restrict rules to a /32 CIDR block
Note that IPv6 prefix lengths run from /0 to /128, so although the schema accepts values up to 256, any value above 128 cannot be satisfied by an IPv6 rule.
Applies to non-Turbot managed Security Groups.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedMinimumBitmask
{ "type": "integer", "minimum": 0, "maximum": 256, "default": 0}
AWS > VPC > Security Group > Ingress Rules > Approved > Prohibited Ports
A YAML list of ports that are prohibited and may not be used for ingress in custom security groups. For example, 21 might be prohibited to prevent the use of FTP.
This list is also applied to ICMP rules, where the rule's port fields carry the ICMP type and code rather than a TCP/UDP port, so a prohibited port number also prohibits the ICMP type with that number. Check the list against valid ICMP type numbers before setting it.
Applies to non-Turbot managed Security Groups.
Examples:
- 21 # FTP
- 25 # SMTP
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedProhibitedPorts
{ "type": "array", "items": { "type": "integer" }, "default": []}
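The three numeric policies above (Maximum Port Range, Minimum Bitmask and Prohibited Ports) together describe a simple approval check over the ingress rules of a non-Turbot managed security group. The following is an added example of that check, written for this page and not Turbot's own implementation: it takes rules in the `IpPermissions` shape returned by the EC2 `DescribeSecurityGroups` API and reports which policy each rule violates. The function names, the decision to count an ICMP rule as a single "port" for the Maximum Port Range check, and the sample rules are all assumptions constructed for illustration.

```python
"""Check EC2 ingress rules against the Maximum Port Range, Minimum Bitmask and
Prohibited Ports policy values. Added example; not Turbot code."""
import ipaddress


def port_count(perm):
    """Number of ports a permission opens; None means every port.
    AWS expresses 'all' as IpProtocol "-1" or FromPort/ToPort of -1.
    Assumption: an ICMP rule with a specific type counts as one port."""
    proto = str(perm.get("IpProtocol"))
    fp, tp = perm.get("FromPort"), perm.get("ToPort")
    if proto == "-1" or fp is None or fp == -1:
        return None
    if proto in ("icmp", "icmpv6"):
        return 1
    if tp is None or tp == -1:
        return None
    return tp - fp + 1


def prohibited_hits(perm, prohibited_ports):
    """Prohibited numbers reachable through the permission.
    For ICMP, FromPort carries the ICMP type, so the list is compared against
    the type number, which is why the policy warns to check it against ICMP."""
    if not prohibited_ports:
        return []
    proto = str(perm.get("IpProtocol"))
    fp, tp = perm.get("FromPort"), perm.get("ToPort")
    if proto == "-1" or fp is None or fp == -1:
        return sorted(prohibited_ports)  # rule opens everything
    if proto in ("icmp", "icmpv6"):
        return [p for p in prohibited_ports if p == fp]
    return [p for p in prohibited_ports if fp <= p <= tp]


def cidr_violations(perm, min_bitmask):
    """CIDRs whose prefix is shorter (broader) than the minimum bitmask.
    0 disables the check; the single policy integer applies to both address
    families, and an IPv6 prefix can never exceed 128."""
    if min_bitmask <= 0:
        return []
    bad = []
    for key, field, maxlen in (("IpRanges", "CidrIp", 32),
                               ("Ipv6Ranges", "CidrIpv6", 128)):
        need = min(min_bitmask, maxlen)
        for r in perm.get(key, []):
            net = ipaddress.ip_network(r[field], strict=False)
            if net.prefixlen < need:
                bad.append(f"{r[field]} is broader than /{need}")
    return bad


def check_ingress(perm, max_port_range=-1, min_bitmask=0, prohibited_ports=()):
    """Violation messages for one IpPermissions entry; [] means approved."""
    v = []
    if max_port_range != -1:
        n = port_count(perm)
        if n is None or n > max_port_range:
            opened = "all" if n is None else n
            v.append(f"opens {opened} ports; maximum is {max_port_range}")
    for p in prohibited_hits(perm, prohibited_ports):
        v.append(f"prohibited port/ICMP type {p}")
    v.extend(cidr_violations(perm, min_bitmask))
    return v


# Constructed sample: three ingress rules in DescribeSecurityGroups shape.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}]},
]

# Constructed policy values: up to 4 ports, at least a /16, no FTP or SMTP.
POLICY = {"max_port_range": 4, "min_bitmask": 16, "prohibited_ports": (21, 25)}


def evaluate(rules=SAMPLE_RULES, **policy):
    """Map rule index to its violations; only offending rules appear."""
    merged = {**POLICY, **policy}
    return {i: v for i, perm in enumerate(rules)
            if (v := check_ingress(perm, **merged))}


if __name__ == "__main__":
    for i, v in evaluate().items():
        print(f"rule {i}: " + "; ".join(v))
```

With the sample values, rule 0 fails only on bitmask (a /8 is broader than /16), rule 1 fails on the prohibited port 21 and on 0.0.0.0/0, and the ICMP echo-request rule passes. Setting every policy back to its default (-1, 0 and an empty list) approves all three, matching the documented meaning of those defaults.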
AWS > VPC > Security Group > Ingress Rules > Approved > Rules
An Object Control List (OCL) with a list of filter rules to approve or reject security group rules.
Note that the Approved control does not operate directly from this policy, but from the Approved > Compiled Rules policy. The rules are processed in order, and any built-in Turbot rules will appear first in the list of compiled rules.
Examples:
# Allow HTTP and HTTPS rules for RFC1918 private space
APPROVE $.turbot.fromPort:=80 $.turbot.toPort:=80 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
# Allow all rules from security groups in this account
APPROVE $.UserIdGroupPairs.+.UserId:"969297701313"
# Reject any rule from 0.0.0.0/0
REJECT $.turbot.cidr:0.0.0.0/0
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedRules
{ "type": "string", "default": "# Approve unmatched rules\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
AWS > VPC > Security Group > Regions
A list of AWS regions in which AWS VPC security groups are supported for use.
Any security groups in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > VPC > Security Group > Tags
Determine the action to take when an AWS VPC security group's tags do not match the AWS > VPC > Security Group > Tags > * policies.
The control ensures AWS VPC security group tags include the tags defined in AWS > VPC > Security Group > Tags > Template.
Tags not defined in Security Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > VPC > Security Group > Tags > Template
The template is used to generate the tag keys and values for an AWS VPC security group.
Tags not defined in Security Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > VPC > Security Group > Usage
Configure the number of AWS security groups that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > VPC > Security Group > Usage policy.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > VPC > Security Group > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupUsageLimit
{ "type": "integer", "minimum": 0, "default": 2500}
AWS > VPC > Security Group Rule > CMDB
Configure whether to record and synchronize details for the AWS VPC security group rules into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupRuleCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > VPC > Security Group Rule > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupRuleConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > VPC > Security Group Rule > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupRuleConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > VPC > Security Group Rule > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupRuleConfiguredSource
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > VPC > Security Group Rule > Tags
Determine the action to take when an AWS VPC security group rule's tags do not match the AWS > VPC > Security Group Rule > Tags > * policies.
The control ensures AWS VPC security group rule tags include the tags defined in AWS > VPC > Security Group Rule > Tags > Template.
Tags not defined in Security Group Rule Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupRuleTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > VPC > Security Group Rule > Tags > Template
The template is used to generate the tag keys and values for an AWS VPC security group rule.
Tags not defined in Security Group Rule Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupRuleTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
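The Tags and Tags > Template policies for both security groups and security group rules describe the same reconciliation: keys in the template are set to the template value, a template value of undefined deletes the tag, and keys the template does not mention are left alone. The following is an added example of that reconciliation for this page, not Turbot's own control logic. It produces the parameters for the EC2 `CreateTags` and `DeleteTags` calls an "Enforce: Set tags" run would need, and a boolean a "Check: Tags are correct" run could report. `None` stands in for the YAML undefined value; the resource id, tag sets and function names are constructed for illustration.

```python
"""Reconcile a resource's tags against a tag template. Added example; not
Turbot code. A template value of None means 'delete this tag'."""


def plan_tag_changes(current, template):
    """Return (to_set, to_delete). Keys absent from the template are never
    touched; None in the template deletes the key if present; any other
    key is set only when the current value differs."""
    to_set, to_delete = {}, []
    for key, want in template.items():
        if want is None:
            if key in current:
                to_delete.append(key)
        elif current.get(key) != want:
            to_set[key] = want
    return to_set, sorted(to_delete)


def tags_are_correct(current, template):
    """What a 'Check: Tags are correct' evaluation would report."""
    to_set, to_delete = plan_tag_changes(current, template)
    return not to_set and not to_delete


def ec2_tag_requests(resource_id, current, template):
    """Translate the plan into (api_name, kwargs) pairs in the shape the EC2
    CreateTags / DeleteTags APIs accept; an empty list means nothing to do."""
    to_set, to_delete = plan_tag_changes(current, template)
    calls = []
    if to_set:
        calls.append(("create_tags", {
            "Resources": [resource_id],
            "Tags": [{"Key": k, "Value": v} for k, v in sorted(to_set.items())],
        }))
    if to_delete:
        calls.append(("delete_tags", {
            "Resources": [resource_id],
            "Tags": [{"Key": k} for k in to_delete],
        }))
    return calls


def apply_plan(current, template):
    """Simulate the result of enforcing the plan on the current tag set."""
    to_set, to_delete = plan_tag_changes(current, template)
    result = {k: v for k, v in current.items() if k not in to_delete}
    result.update(to_set)
    return result


# Constructed sample: a security group's current tags and a template that
# overrides Owner, adds Environment and removes Temp. Name and CostCenter are
# not in the template, so they must survive untouched.
CURRENT_TAGS = {"Name": "web-sg", "Owner": "alice", "Temp": "yes", "CostCenter": "1234"}
TEMPLATE = {"Owner": "platform-team", "Environment": "prod", "Temp": None}
SG_ID = "sg-0123456789abcdef0"  # constructed id

if __name__ == "__main__":
    for api, kwargs in ec2_tag_requests(SG_ID, CURRENT_TAGS, TEMPLATE):
        print(api, kwargs)
    print(apply_plan(CURRENT_TAGS, TEMPLATE))
```

Running the plan twice is a useful sanity check: after one enforcement pass the tags should be compliant and a second pass should produce no API calls, which is the idempotence a control like this relies on.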