Policy types for @turbot/aws-vpc-security

AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-vpc-security

The CloudWatch Events event pattern used by the AWS VPC Security module to specify
which events to forward to the Guardrails Event Handlers.

URI
tmod:@turbot/aws-vpc-security#/policy/types/vpcSecurityCustomEventPatterns
Schema
{
"type": "array",
"items": {
"type": "object"
}
}

AWS > VPC > Flow Log > Active

Determine the action to take for an AWS VPC flow log, based on the AWS > VPC > Flow Log > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Flow Log > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > VPC > Flow Log > Active > Age

The age after which the AWS VPC flow log
is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Flow Log > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > VPC > Flow Log > Active > Budget

The impact of the budget state on the Active control. This policy allows you to force
flow logs to inactive based on the current budget state, as reflected in
AWS > Account > Budget > State.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Flow Log > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogActiveBudget
Valid Value
[
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > VPC > Flow Log > Active > Last Modified

The number of days since the AWS VPC flow log
was last modified before it is considered inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Flow Log > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > VPC > Flow Log > Approved

Determine the action to take when an AWS VPC flow log is not approved based on AWS > VPC > Flow Log > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > VPC > Flow Log > Approved > Budget

This policy allows you to set flow logs to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State.

This policy will be evaluated by the Approved control. If an AWS VPC flow log is not matched by the approved list, it will be subject to the action specified in the AWS > VPC > Flow Log > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogApprovedBudget
Valid Value
[
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
],
"example": [
"Unapproved if Budget > State is Shutdown"
],
"default": "Skip"
}

AWS > VPC > Flow Log > Approved > Custom

Determine whether the AWS VPC flow log is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC flow log is not approved, it will be subject to the action specified in the AWS > VPC > Flow Log > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > VPC > Flow Log > Approved > Regions

A list of AWS regions in which AWS VPC flow logs are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC flow log is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Flow Log > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"

AWS > VPC > Flow Log > Approved > Usage

Determine whether the AWS VPC flow log is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC flow log is not approved, it will be subject to the action specified in the AWS > VPC > Flow Log > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > VPC > Enabled"
}
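The Approved policies above (Usage, Regions, Budget, Custom and the enforcement rule for "if new") combine in a way the text only describes in prose. The following is an added example, not Turbot's code, that evaluates them for one flow log: it validates a Custom value against the schema shown above, matches the region list with the '*' and '?' wildcards, ranks budget states by the "or higher" wording, and applies the 60-minute rule. The Network ACL Approved policies later on this page follow the same rules. Assumptions, also marked in comments: budget states other than Over, Critical and Shutdown rank below Over; a Budget policy whose condition does not fire stays neutral; the Custom value has already been parsed from YAML; the sample policies and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Patterns copied from the Flow Log > Approved > Custom schema on this page.
RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")

# "Over or higher", "Critical or higher" and "Shutdown" imply this ordering.
# Assumption: any other budget state ranks below "Over".
BUDGET_RANK = {"Over": 1, "Critical": 2, "Shutdown": 3}


def validate_custom(value):
    """Check an Approved > Custom value (parsed YAML) against the page's schema; return its result values."""
    if isinstance(value, str):
        if not RESULT_RE.match(value):
            raise ValueError(f"invalid result string: {value!r}")
        return [value]
    items = value if isinstance(value, list) else [value]
    results = []
    for item in items:
        if not isinstance(item, dict):
            raise ValueError("custom policy items must be objects")
        unknown = set(item) - {"title", "message", "result"}
        if unknown:  # additionalProperties: false
            raise ValueError(f"unexpected keys: {sorted(unknown)}")
        if not RESULT_RE.match(str(item.get("result", ""))):
            raise ValueError("result must be Approved, Not approved or Skip")
        if "title" in item and not TITLE_RE.match(str(item["title"])):
            raise ValueError("title must be 1 to 32 characters")
        if "message" in item and not MESSAGE_RE.match(str(item["message"])):
            raise ValueError("message must be 1 to 128 characters")
        results.append(item["result"])
    return results


def combine(verdicts):
    """Approved-style aggregation: unapproved for any reason means unapproved."""
    verdicts = list(verdicts)
    if "Not approved" in verdicts:
        return "Not approved"
    if "Approved" in verdicts:
        return "Approved"
    return "Skip"


def evaluate_approved(region, policies, vpc_enabled, budget_state):
    """Evaluate the Usage, Regions, Budget and Custom sub-policies for one flow log."""
    verdicts = {}
    usage = policies["usage"]
    if usage == "Approved if AWS > VPC > Enabled":
        verdicts["Usage"] = "Approved" if vpc_enabled else "Not approved"
    else:
        verdicts["Usage"] = usage  # "Approved" or "Not approved"
    # Regions: a list of names that may use the '*' and '?' wildcards.
    listed = any(fnmatchcase(region, pat) for pat in policies["regions"])
    verdicts["Regions"] = "Approved" if listed else "Not approved"
    # Budget: "Unapproved if Budget > State is <X> or higher" / "is Shutdown".
    budget = policies["budget"]
    if budget == "Skip":
        verdicts["Budget"] = "Skip"
    else:
        threshold = budget.split(" is ")[1].replace(" or higher", "")
        fired = BUDGET_RANK.get(budget_state, 0) >= BUDGET_RANK[threshold]
        # Assumption: a budget policy that does not fire stays neutral (Skip).
        verdicts["Budget"] = "Not approved" if fired else "Skip"
    verdicts["Custom"] = combine(validate_custom(policies["custom"]))
    return combine(verdicts.values()), verdicts


def enforcement(status, approved_policy, created_at, now):
    """Map the Approved setting to an action: "Delete unapproved if new" deletes only
    resources created within the last 60 minutes; other unapproved ones raise an alarm."""
    if approved_policy == "Skip" or status != "Not approved":
        return "none"
    if approved_policy == "Enforce: Delete unapproved if new":
        if now - created_at <= timedelta(minutes=60):
            return "delete"
    return "alarm"


# Constructed sample inputs, not real account data.
SAMPLE_POLICIES = {
    "usage": "Approved if AWS > VPC > Enabled",
    "regions": ["us-east-*", "eu-west-1"],
    "budget": "Unapproved if Budget > State is Critical or higher",
    "custom": [{"title": "Owner tag present", "result": "Approved"}],
}


def demo():
    """Constructed scenario: unlisted region, flow log created 30 minutes ago."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    status, verdicts = evaluate_approved("ap-south-1", SAMPLE_POLICIES, True, "Over")
    action = enforcement(status, "Enforce: Delete unapproved if new",
                         now - timedelta(minutes=30), now)
    return status, verdicts, action
```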

AWS > VPC > Flow Log > CMDB

Configure whether to record and synchronize details for the AWS VPC flow log into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Flow Log > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > Flow Log > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Flow Log > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > Flow Log > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Flow Log > Regions

A list of AWS regions in which AWS VPC flow logs are supported for use.

Any flow logs in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

AWS > VPC > Flow Log > Tags

Determine the action to take when the AWS VPC flow log tags are not updated based on the AWS > VPC > Flow Log > Tags > * policies.

The control ensures AWS VPC flow log tags include the tags defined in AWS > VPC > Flow Log > Tags > Template.

Tags not defined in Flow Log Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > VPC > Flow Log > Tags > Template

The template is used to generate the tag keys and values for the AWS VPC flow log.

Tags not defined in Flow Log Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
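The Tags and Tags > Template sections above state three rules: tags not in the template are left alone, a template value of undefined deletes the tag, and everything else is set. This added example (not Turbot's code) computes that plan for one flow log and applies the Skip / Check / Enforce setting. Assumptions, marked in comments: the template has already been rendered to a mapping, the literal string "undefined" is the deletion marker, and the sample tags are constructed.

```python
DELETE = "undefined"  # assumption: the rendered template value that marks a tag for deletion


def plan_tag_changes(current_tags, template_tags):
    """Return (tags to set, tags to delete) for a flow log.
    Keys missing from the template are left untouched; a template value of
    "undefined" deletes the tag; any other value is set when it differs."""
    to_set = {}
    to_delete = []
    for key, value in template_tags.items():
        if value == DELETE:
            if key in current_tags:
                to_delete.append(key)
        elif current_tags.get(key) != value:
            to_set[key] = value
    return to_set, sorted(to_delete)


def tags_control(current_tags, template_tags, policy):
    """Apply the Flow Log > Tags setting; return (outcome, resulting tag set)."""
    to_set, to_delete = plan_tag_changes(current_tags, template_tags)
    compliant = not to_set and not to_delete
    if policy == "Skip":
        return "skipped", dict(current_tags)
    if compliant:
        return "ok", dict(current_tags)
    if policy == "Check: Tags are correct":
        return "alarm", dict(current_tags)
    # "Enforce: Set tags": apply the planned changes, leaving other tags alone.
    updated = {k: v for k, v in current_tags.items() if k not in to_delete}
    updated.update(to_set)
    return "enforced", updated


# Constructed sample: two tags governed by the template, two that are not.
CURRENT_TAGS = {"Name": "prod-flow-log", "Owner": "", "Temp": "x", "CostCenter": "1234"}
TEMPLATE_TAGS = {"Owner": "network-team", "Temp": "undefined", "Environment": "prod"}
```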

AWS > VPC > Flow Log > Usage

Configure the number of AWS VPC flow logs that can be used in this region and check the current consumption against the limit.

You can configure the behavior of the control with this AWS > VPC > Flow Log > Usage policy.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > VPC > Flow Log > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-security#/policy/types/flowLogUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 2
}

AWS > VPC > Network ACL > Active

Determine the action to take for an AWS VPC network acl, based on the AWS > VPC > Network ACL > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Network ACL > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > VPC > Network ACL > Active > Age

The age after which the AWS VPC network acl
is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Network ACL > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > VPC > Network ACL > Active > Last Modified

The number of days since the AWS VPC network acl
was last modified before it is considered inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Network ACL > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > VPC > Network ACL > Approved

Determine the action to take when an AWS VPC network acl is not approved based on AWS > VPC > Network ACL > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > VPC > Network ACL > Approved > Custom

Determine whether the AWS VPC network acl is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC network acl is not approved, it will be subject to the action specified in the AWS > VPC > Network ACL > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > VPC > Network ACL > Approved > Regions

A list of AWS regions in which AWS VPC network acls are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC network acl is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Network ACL > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"

AWS > VPC > Network ACL > Approved > Usage

Determine whether the AWS VPC network acl is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC network acl is not approved, it will be subject to the action specified in the AWS > VPC > Network ACL > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > Network ACL > CMDB

Configure whether to record and synchronize details for the AWS VPC network acl into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Network ACL > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > Network ACL > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Network ACL > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > Network ACL > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Network ACL > Regions

A list of AWS regions in which AWS VPC network acls are supported for use.

Any network acls in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

AWS > VPC > Network ACL > Tags

Determine the action to take when AWS VPC network acl tags are not updated based on the AWS > VPC > Network ACL > Tags > * policies.

The control ensures AWS VPC network acl tags include the tags defined in AWS > VPC > Network ACL > Tags > Template.

Tags not defined in Network ACL Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > VPC > Network ACL > Tags > Template

The template is used to generate the keys and values for AWS VPC network acl.

Tags not defined in Network ACL Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > VPC > Network ACL > Usage

Configure the number of AWS network acls that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > VPC > Network ACL > Usage policy.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > VPC > Network ACL > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-security#/policy/types/networkAclUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 1000
}

AWS > VPC > Security Group > Active

Determine the action to take when an AWS VPC security group is inactive, based on the AWS > VPC > Security Group > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Security Group > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > VPC > Security Group > Active > Age

The age after which the AWS VPC security group is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Security Group > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > VPC > Security Group > Active > Attached

Determine whether the Security Group is active, based on whether it is attached to any other resource types.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Security Group > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupActiveAttached
Valid Value
[
"Skip",
"Active if attached",
"Force active if attached",
"Force inactive if unattached"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if attached",
"Force active if attached",
"Force inactive if unattached"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > VPC > Security Group > Active > Last Modified

The number of days since the AWS VPC security group was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Security Group > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > VPC > Security Group > Approved

Determine the action to take when an AWS VPC security group is not approved based on AWS > VPC > Security Group > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > VPC > Security Group > Approved > Custom

Determine whether the AWS VPC security group is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC security group is not approved, it will be subject to the action specified in the AWS > VPC > Security Group > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > VPC > Security Group > Approved > Regions

A list of AWS regions in which AWS VPC security groups are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC security group is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Security Group > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"

AWS > VPC > Security Group > Approved > Usage

Determine whether the AWS VPC security group is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC security group is not approved, it will be subject to the action specified in the AWS > VPC > Security Group > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > Security Group > CMDB

Configure whether to record and synchronize details for the AWS VPC security group into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If a resource's region is not in the AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > Security Group > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Security Group > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > Security Group > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Security Group > Egress Rules

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRules

AWS > VPC > Security Group > Egress Rules > Approved

Configure Security Group Egress Rule checking. This policy defines whether
to verify the security group egress rules are approved, as well as the
subsequent action to take on unapproved items. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then
evaluated.

If set to Enforce: Delete unapproved, any unapproved rules will be
revoked from the security group.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRulesApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > VPC > Security Group > Egress Rules > Approved > CIDR Ranges

Custom Security Group egress rules may only be added within the specified
CIDR address ranges. Acceptable values are valid CIDR blocks. If this list
is empty, no CIDR address ranges are permitted.

Applies to non-Turbot managed Security Groups.

Examples:
- 10.0.0.0/8
- 172.16.0.0/12
- ::/0
- 2600:1f18:2368:f300::/56
- 2001:db8:1234:1a00:3304:8879:34cf:4071

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRulesApprovedCidrRanges
Schema
{
"type": "array",
"items": {
"anyOf": [
{
"description": "An IPv4 CIDR block.",
"type": "string",
"pattern": "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/[0-9]{1,2}$",
"tests": [
{
"description": "all zero octets and prefix.",
"input": "0.0.0.0/0"
},
{
"description": "invalid - missing first octet",
"input": "0.0.0/0",
"expected": false
},
{
"description": "invalid - missing prefix",
"input": "0.0.0.0/",
"expected": false
},
{
"description": "invalid - prefix too many digits",
"input": "0.0.0.0/123",
"expected": false
},
{
"description": "invalid - octet too many digits",
"input": "1234.0.0.0/0",
"expected": false
}
],
".turbot": {
"uri": "tmod:@turbot/aws#/definitions/cidrBlock",
"modUri": "tmod:@turbot/aws"
}
},
{
"type": "string",
"pattern": "^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$",
"tests": [
{
"input": "::/0"
},
{
"input": "2600:1f18:2368:f300::/56"
},
{
"input": "2001:db8:1234:1a00:3304:8879:34cf:4071"
},
{
"description": "invalid - ipv4 provided",
"input": "10.0.0.1/8",
"expected": false
}
],
".turbot": {
"uri": "tmod:@turbot/aws#/definitions/ipv6CidrBlock",
"modUri": "tmod:@turbot/aws"
}
}
]
},
"default": [
"0.0.0.0/0",
"::/0"
]
}

AWS > VPC > Security Group > Egress Rules > Approved > Compiled Rules

A read-only Object Control List (OCL) with a list of compiled filter rules to approve or reject security group rules.

This policy is generated by Turbot.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRulesApprovedCompiledRules
Schema
{
"type": "string"
}

AWS > VPC > Security Group > Egress Rules > Approved > Maximum Port Range

The maximum number of ports that may be opened by any single egress rule
in a security group.

Examples:
- 1 - Allow a single port only (e.g. 8080)
- 4 - Allow up to 4 ports (e.g. 8080-8083)
- -1 - Allow unlimited number of ports, including -1 for all.

Applies to non-Turbot managed Security Groups.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRulesApprovedMaximumPortRange
Schema
{
"type": "integer",
"minimum": -1,
"maximum": 65535,
"default": -1
}

AWS > VPC > Security Group > Egress Rules > Approved > Minimum Bitmask

Defines the smallest allowed bitmask (largest range of IP addresses) that
can be granted access in any single custom security group egress rule.

Examples:
- IPv4
  - 32 - Restrict rules to a single IP address
  - 24 - Restrict rules to a /24 CIDR block
  - 0 - Unlimited size
- IPv6
  - 256 - Restrict rules to a single IP address
  - 32 - Restrict rules to a /32 CIDR block

Applies to non-Turbot managed Security Groups.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRulesApprovedMinimumBitmask
Schema
{
"type": "integer",
"minimum": 0,
"maximum": 256,
"default": 0
}

AWS > VPC > Security Group > Egress Rules > Approved > Prohibited Ports

A YAML list of ports that are prohibited and may not be used for egress
in custom security groups. For example, 21 might be prohibited to prevent
the use of FTP. This list is also applied to ICMP rules, so should be
checked against valid ICMP numbers.

Applies to non-Turbot managed Security Groups.

Examples:
- 21 # FTP
- 25 # SMTP

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRulesApprovedProhibitedPorts
Schema
{
"type": "array",
"items": {
"type": "integer"
},
"default": []
}

AWS > VPC > Security Group > Egress Rules > Approved > Rules

An Object Control List (OCL)
with a list of filter rules to approve or reject security group rules.

Note that the Approved control does not operate directly from this policy,
but from the Approved > Compiled Rules. The rules are processed in order,
and any built-in Turbot rules will appear first in the list of compiled
rules.

Examples:

Allow HTTP and HTTPS rules for RFC1918 private space
APPROVE $.turbot.fromPort:=80 $.turbot.toPort:=80 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Allow all rules from security groups in this account
APPROVE $.UserIdGroupPairs.+.UserId:"969297701313"

Reject any rule from 0.0.0.0/0
REJECT $.turbot.cidr:0.0.0.0/0

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupEgressRulesApprovedRules
Schema
{
"type": "string",
"default": "# Approve unmatched rules\nAPPROVE *",
"x-schema-form": {
"type": "textarea"
}
}

AWS > VPC > Security Group > Ingress Rules

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRules

AWS > VPC > Security Group > Ingress Rules > Approved

Configure Security Group Ingress Rule checking. This policy defines whether
to verify the security group ingress rules are approved, as well as the
subsequent action to take on unapproved items. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then
evaluated.

If set to Enforce: Delete unapproved, any unapproved rules will be
revoked from the security group.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > VPC > Security Group > Ingress Rules > Approved > CIDR Ranges

Custom Security Group ingress rules may only be added within the specified
CIDR address ranges. Acceptable values are valid CIDR blocks. If this list
is empty, no CIDR address ranges are permitted.

Applies to non-Turbot managed Security Groups.

Examples:
- 10.0.0.0/8
- 172.16.0.0/12

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedCidrRanges
Schema
{
"type": "array",
"items": {
"anyOf": [
{
"description": "An IPv4 CIDR block.",
"type": "string",
"pattern": "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/[0-9]{1,2}$",
"tests": [
{
"description": "all zero octets and prefix.",
"input": "0.0.0.0/0"
},
{
"description": "invalid - missing first octet",
"input": "0.0.0/0",
"expected": false
},
{
"description": "invalid - missing prefix",
"input": "0.0.0.0/",
"expected": false
},
{
"description": "invalid - prefix too many digits",
"input": "0.0.0.0/123",
"expected": false
},
{
"description": "invalid - octet too many digits",
"input": "1234.0.0.0/0",
"expected": false
}
],
".turbot": {
"uri": "tmod:@turbot/aws#/definitions/cidrBlock",
"modUri": "tmod:@turbot/aws"
}
},
{
"type": "string",
"pattern": "^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$",
"tests": [
{
"input": "::/0"
},
{
"input": "2600:1f18:2368:f300::/56"
},
{
"input": "2001:db8:1234:1a00:3304:8879:34cf:4071"
},
{
"description": "invalid - ipv4 provided",
"input": "10.0.0.1/8",
"expected": false
}
],
".turbot": {
"uri": "tmod:@turbot/aws#/definitions/ipv6CidrBlock",
"modUri": "tmod:@turbot/aws"
}
}
]
},
"default": [
"0.0.0.0/0",
"::/0"
]
}

AWS > VPC > Security Group > Ingress Rules > Approved > Compiled Rules

A read-only Object Control List (OCL) with a list of compiled filter rules to approve or reject security group rules.

This policy is generated by Turbot.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedCompiledRules
Schema
{
"type": "string"
}

AWS > VPC > Security Group > Ingress Rules > Approved > Maximum Port Range

The maximum number of ports that may be opened by any single ingress rule
in a security group.

Examples:
- 1 - Allow a single port only (e.g. 8080)
- 4 - Allow up to 4 ports (e.g. 8080-8083)
- -1 - Allow unlimited number of ports, including -1 for all.

Applies to non-Turbot managed Security Groups.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedMaximumPortRange
Schema
{
"type": "integer",
"minimum": -1,
"maximum": 65535,
"default": -1
}

AWS > VPC > Security Group > Ingress Rules > Approved > Minimum Bitmask

Defines the smallest allowed bitmask (largest range of IP addresses) that
can be granted access in any single custom security group ingress rule.

Examples:
- IPv4
  - 32 - Restrict rules to a single IP address
  - 24 - Restrict rules to a /24 CIDR block
  - 0 - Unlimited size
- IPv6
  - 256 - Restrict rules to a single IP address
  - 32 - Restrict rules to a /32 CIDR block

Applies to non-Turbot managed Security Groups.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedMinimumBitmask
Schema
{
"type": "integer",
"minimum": 0,
"maximum": 256,
"default": 0
}

AWS > VPC > Security Group > Ingress Rules > Approved > Prohibited Ports

A YAML list of ports that are prohibited and may not be used for ingress
in custom security groups. For example, 21 might be prohibited to prevent
the use of FTP. This list is also applied to ICMP rules, so should be
checked against valid ICMP numbers.

Applies to non-Turbot managed Security Groups.

Examples:
- 21 # FTP
- 25 # SMTP

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedProhibitedPorts
Schema
{
"type": "array",
"items": {
"type": "integer"
},
"default": []
}
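The three policies above (Maximum Port Range, Minimum Bitmask and Prohibited Ports) are easiest to understand as checks run over a single ingress rule. The following is an added example, not Guardrails' own implementation: it models a rule with the AWS API field names and returns the findings a compliance check would raise. The ICMP handling and the treatment of the bitmask value as a prefix length capped at the address family maximum (so 256 means a single /128 IPv6 address) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

@dataclass
class IngressRule:
    """One security group ingress rule (field names mirror the AWS API)."""
    ip_protocol: str   # "tcp", "udp", "icmp" or "-1" for all traffic
    from_port: int     # -1 = all ports; for icmp this is the ICMP type
    to_port: int       # -1 = all ports; for icmp this is the ICMP code
    cidr: str = ""     # IPv4/IPv6 CIDR source; empty for security-group sources

def port_count(rule: IngressRule) -> int:
    """Ports opened by a rule; -1 on either side is the whole 0-65535 range."""
    if rule.from_port == -1 or rule.to_port == -1:
        return 65536
    return rule.to_port - rule.from_port + 1

def check_rule(rule: IngressRule, max_port_range: int = -1, min_bitmask: int = 0,
               prohibited_ports: Iterable[int] = ()) -> List[str]:
    """Evaluate a rule against the three policies; an empty list means approved."""
    findings = []
    prohibited = set(prohibited_ports)
    if rule.ip_protocol == "icmp":
        # Assumption: for ICMP the policy compares the ICMP type (from_port)
        # against the list, and the port-range limit does not apply.
        if rule.from_port in prohibited:
            findings.append(f"ICMP type {rule.from_port} is prohibited")
    else:
        # Maximum Port Range: -1 means unlimited, otherwise count the span.
        n = port_count(rule)
        if max_port_range != -1 and n > max_port_range:
            findings.append(f"opens {n} ports, limit is {max_port_range}")
        # Prohibited Ports: any listed port inside the span rejects the rule.
        if n == 65536:
            hit = sorted(prohibited)
        else:
            hit = sorted(p for p in prohibited if rule.from_port <= p <= rule.to_port)
        if hit:
            findings.append(f"prohibited ports in range: {hit}")
    # Minimum Bitmask: the prefix must be at least this long. Assumption: the
    # value is compared to the prefix length directly and capped at the
    # family maximum, so 256 means a single IPv6 address (/128).
    if rule.cidr:
        net = ipaddress.ip_network(rule.cidr, strict=False)
        required = min(min_bitmask, net.max_prefixlen)
        if net.prefixlen < required:
            findings.append(f"{rule.cidr} is wider than the /{required} minimum")
    return findings
```

A rule opening 20-25 from 0.0.0.0/0 under a policy of 4 ports, /24 minimum and prohibited ports 21 and 25 produces one finding per policy.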

AWS > VPC > Security Group > Ingress Rules > Approved > Rules

An Object Control List (OCL) with a list of filter rules to approve or reject security group rules.

Note that the Approved control does not operate directly from this policy,
but from the Approved > Compiled Rules. The rules are processed in order,
and any built-in Turbot rules will appear first in the list of compiled
rules.

Examples:
# Allow HTTP and HTTPS rules for RFC1918 private space
APPROVE $.turbot.fromPort:=80 $.turbot.toPort:=80 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

# Allow all rules from security groups in this account
APPROVE $.UserIdGroupPairs.+.UserId:"969297701313"

# Reject any rule from 0.0.0.0/0
REJECT $.turbot.cidr:0.0.0.0/0

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedRules
Schema
{
"type": "string",
"default": "# Approve unmatched rules\nAPPROVE *",
"x-schema-form": {
"type": "textarea"
}
}

AWS > VPC > Security Group > Regions

A list of AWS regions in which AWS VPC security groups are supported for use.

Any security groups in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

AWS > VPC > Security Group > Tags

Determine the action to take when an AWS VPC security group's tags are not updated, based on the AWS > VPC > Security Group > Tags > * policies.

The control ensures AWS VPC security group tags include the tags defined in AWS > VPC > Security Group > Tags > Template.

Tags not defined in Security Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > VPC > Security Group > Tags > Template

The template is used to generate the tag keys and values for an AWS VPC security group.

Tags not defined in Security Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > VPC > Security Group > Usage

Configure the number of AWS security groups that can be used in this region and check the current consumption against that limit.

You can configure the behavior of the control with this AWS > VPC > Security Group > Usage policy.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > VPC > Security Group > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 2500
}

AWS > VPC > Security Group Rule > CMDB

Configure whether to record and synchronize details for the AWS VPC security group rules into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Security Group > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupRuleCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > Security Group Rule > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and the setting is inherited from the stack that owns it.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupRuleConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Security Group Rule > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupRuleConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > Security Group Rule > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupRuleConfiguredSource
Schema
{
"type": "string",
"default": "{\"resource\": {}}\n",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Security Group Rule > Tags

Determine the action to take when an AWS VPC security group rule's tags are not updated, based on the AWS > VPC > Security Group Rule > Tags > * policies.

The control ensures AWS VPC security group rule tags include the tags defined in AWS > VPC > Security Group Rule > Tags > Template.

Tags not defined in Security Group Rule Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupRuleTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > VPC > Security Group Rule > Tags > Template

The template is used to generate the tag keys and values for an AWS VPC security group rule.

Tags not defined in Security Group Rule Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-security#/policy/types/securityGroupRuleTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"