Policy types for @turbot/aws
- AWS > Account > Approved Regions [Default]
- AWS > Account > Budget > Enabled
- AWS > Account > Budget > State
- AWS > Account > Budget > Target
- AWS > Account > CMDB
- AWS > Account > Partition
- AWS > Account > Regions
- AWS > Account > Stack
- AWS > Account > Stack > Secret Variables
- AWS > Account > Stack > Source
- AWS > Account > Stack > Terraform Version
- AWS > Account > Stack > Variables
- AWS > Account > Tags Template [Default]
- AWS > Account > Trusted Accounts [Default]
- AWS > Account > Trusted Identity Providers [Default]
- AWS > Account > Trusted Organizations [Default]
- AWS > Account > Trusted Services [Default]
- AWS > Account > Turbot IAM Access Key ID
- AWS > Account > Turbot IAM Credential Type
- AWS > Account > Turbot IAM Role
- AWS > Account > Turbot IAM Role > Assume Role Timeout
- AWS > Account > Turbot IAM Role > External ID
- AWS > Account > Turbot IAM Role > External ID > Protection
- AWS > Account > Turbot IAM Secret Access Key
- AWS > Region > Discovery
- AWS > Region > Discovery > Connection Region
- AWS > Region > Logging Bucket [Default]
- AWS > Region > Stack
- AWS > Region > Stack > Secret Variables
- AWS > Region > Stack > Source
- AWS > Region > Stack > Terraform Version
- AWS > Region > Stack > Variables
- AWS > Turbot
- AWS > Turbot > Audit Trail
- AWS > Turbot > Audit Trail > CloudTrail
- AWS > Turbot > Audit Trail > CloudTrail > Trail
- AWS > Turbot > Audit Trail > CloudTrail > Trail > CloudWatch Role
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Enabled
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Encryption Key
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Event Selectors
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Global Region
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Include Global Service Events
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Log File Validation
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Name
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Name Prefix
- AWS > Turbot > Audit Trail > CloudTrail > Trail > S3 Bucket
- AWS > Turbot > Audit Trail > CloudTrail > Trail > S3 Key Prefix
- AWS > Turbot > Audit Trail > CloudTrail > Trail > SNS Topic
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Tags
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Type
- AWS > Turbot > Audit Trail > Source
- AWS > Turbot > Audit Trail > Terraform Version
- AWS > Turbot > Event Handlers
- AWS > Turbot > Event Handlers > Events
- AWS > Turbot > Event Handlers > Events > Rules
- AWS > Turbot > Event Handlers > Events > Rules > Account Filter
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > Billing Console
- AWS > Turbot > Event Handlers > Events > Rules > Event Sources
- AWS > Turbot > Event Handlers > Events > Rules > Name Prefix
- AWS > Turbot > Event Handlers > Events > Rules > Tags
- AWS > Turbot > Event Handlers > SNS
- AWS > Turbot > Event Handlers > SNS > Topic
- AWS > Turbot > Event Handlers > SNS > Topic > Customer Managed Key
- AWS > Turbot > Event Handlers > SNS > Topic > Name Prefix
- AWS > Turbot > Event Handlers > SNS > Topic > Tags
- AWS > Turbot > Event Handlers > Source
- AWS > Turbot > Event Handlers > Terraform Version
- AWS > Turbot > Event Handlers [Global]
- AWS > Turbot > Event Handlers [Global] > Events
- AWS > Turbot > Event Handlers [Global] > Events > Rules
- AWS > Turbot > Event Handlers [Global] > Events > Rules > Name Prefix
- AWS > Turbot > Event Handlers [Global] > Events > Rules > Tags
- AWS > Turbot > Event Handlers [Global] > Events > Target
- AWS > Turbot > Event Handlers [Global] > Events > Target > IAM Role ARN
- AWS > Turbot > Event Handlers [Global] > Primary Region
- AWS > Turbot > Event Handlers [Global] > SNS
- AWS > Turbot > Event Handlers [Global] > SNS > Topic
- AWS > Turbot > Event Handlers [Global] > SNS > Topic > Customer Managed Key
- AWS > Turbot > Event Handlers [Global] > SNS > Topic > Name Prefix
- AWS > Turbot > Event Handlers [Global] > SNS > Topic > Tags
- AWS > Turbot > Event Handlers [Global] > Source
- AWS > Turbot > Event Handlers [Global] > Terraform Version
- AWS > Turbot > Event Poller
- AWS > Turbot > Event Poller > Excluded Events
- AWS > Turbot > Event Poller > Interval
- AWS > Turbot > Event Poller > Window
- AWS > Turbot > Logging
- AWS > Turbot > Logging > Bucket
- AWS > Turbot > Logging > Bucket > Access Logging
- AWS > Turbot > Logging > Bucket > Access Logging > Bucket
- AWS > Turbot > Logging > Bucket > Access Logging > Bucket > Key Prefix
- AWS > Turbot > Logging > Bucket > Default Encryption
- AWS > Turbot > Logging > Bucket > Encryption in Transit
- AWS > Turbot > Logging > Bucket > Name
- AWS > Turbot > Logging > Bucket > Name > Prefix
- AWS > Turbot > Logging > Bucket > Regions
- AWS > Turbot > Logging > Bucket > Source
- AWS > Turbot > Logging > Bucket > Tags
- AWS > Turbot > Logging > Bucket > Versioning
- AWS > Turbot > Logging > Terraform Version
- AWS > Turbot > Service Roles
- AWS > Turbot > Service Roles > Configuration Recording
- AWS > Turbot > Service Roles > Configuration Recording > Name
- AWS > Turbot > Service Roles > Default EC2 Instance
- AWS > Turbot > Service Roles > Default EC2 Instance > Name
- AWS > Turbot > Service Roles > Default EC2 Instance > SSM Permissions
- AWS > Turbot > Service Roles > Event Handlers [Global]
- AWS > Turbot > Service Roles > Event Handlers [Global] > Name
- AWS > Turbot > Service Roles > Flow Logging
- AWS > Turbot > Service Roles > Flow Logging > Name
- AWS > Turbot > Service Roles > Name Path
- AWS > Turbot > Service Roles > Name Prefix
- AWS > Turbot > Service Roles > SSM Notifications
- AWS > Turbot > Service Roles > SSM Notifications > Name
- AWS > Turbot > Service Roles > Source
- AWS > Turbot > Service Roles > Terraform Version
AWS > Account > Approved Regions [Default]
A list of AWS regions in which resources are approved for use.
The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.
This policy is the default value for all AWS services' Approved Regions
policies.
This policy is also used as the default value for AWS > Turbot > Logging > Bucket > Regions,
which determines in which regions to create Guardrails S3 logging buckets.
tmod:@turbot/aws#/policy/types/approvedRegionsDefault
"{\n regions: policyValue(uri:\"tmod:@turbot/aws#/policy/types/regionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > Account > Budget > Enabled
Determine whether budget reporting is enabled for the AWS Account.
If enabled, the Budget control will gather cost data
from the cloud provider, and will alarm if the
Budget > State reaches the configured threshold.
tmod:@turbot/aws#/policy/types/accountBudgetEnabled
[ "Skip", "Check: Budget > State is On Target or below"]
{ "type": "string", "enum": [ "Skip", "Check: Budget > State is On Target or below" ], "example": [ "Skip" ], "default": "Skip"}
AWS > Account > Budget > State
The current state of the budget, based on the Current Spend,
Forecast Spend, and Thresholds.
Note: The default (calculated) value is usually appropriate; however,
you can override the Guardrails behavior by setting this policy (either
via calculated policy or immediate value). DON'T CHANGE THIS UNLESS
YOU KNOW WHAT YOU'RE DOING!
tmod:@turbot/aws#/policy/types/accountBudgetState
[ "{\n item: account {\n turbot {\n id\n }\n }\n}\n", "{\n target: policy(uri: \"#/policy/types/accountBudgetLimit\")\n budgetEnabled: policy(uri: \"#/policy/types/accountBudgetEnabled\")\n budgetData: resources(filter: \"resourceTypeId:'tmod:@turbot/aws#/resource/types/budget' resourceId:{{ $.item.turbot.id }}\") {\n items{\n currentMonthActualSpend: get(path:\"currentMonthActualSpend\")\n currentMonthForecastSpend: get(path:\"currentMonthForecastSpend\")\n lastUpdatedTime: get(path:\"lastUpdatedTime\")\n metadata\n }\n }\n}\n"]
"'{%- if $.budgetEnabled == "Skip" -%}\n Unknown\n {%- elif $.budgetData.items[0].metadata.budgetUpdatedSince >= 23 or $.budgetData.items[0].currentMonthForecastSpend === "" or $.budgetData.items[0].currentMonthActualSpend === "" or $.target === -1 -%}\n Unknown\n {%- elif $.budgetData.items[0].currentMonthForecastSpend >= 5 * $.target or $.budgetData.items[0].currentMonthActualSpend >= 3 * $.target -%}\n Shutdown\n {%- elif $.budgetData.items[0].currentMonthForecastSpend >= 3 * $.target or $.budgetData.items[0].currentMonthActualSpend >= 2 * $.target -%}\n Critical\n {%- elif $.budgetData.items[0].currentMonthForecastSpend >= 1.25 * $.target or $.budgetData.items[0].currentMonthActualSpend > 1 * $.target -%}\n Over\n {%- elif $.budgetData.items[0].currentMonthForecastSpend >= 0.5 * $.target -%}\n On target\n {%- elif $.budgetData.items[0].currentMonthForecastSpend >= 0.1 * $.target -%}\n Under\n {%- else -%}\n Unused\n {%- endif -%}'\n"
{ "type": "string", "enum": [ "Unknown", "Unused", "Under", "On target", "Over", "Critical", "Shutdown" ]}
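The calculated-policy template above is hard to read on one line. The following is an added example, not Guardrails code: it writes the same Budget > State decision out in Python, using the thresholds and field names from the template. The sample spend figures are constructed, and it additionally treats a missing budget record as Unknown (the template would fail on a missing items[0]).

```python
"""Budget > State thresholds from the calculated policy, as plain Python (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class BudgetData:
    """Mirror of the budget resource fields read by the template.

    The template compares the spend fields against "" when no figure has been
    recorded yet; None plays that role here. budget_updated_since is the
    metadata.budgetUpdatedSince value, in whatever unit the template uses.
    """
    current_month_actual_spend: Optional[float]
    current_month_forecast_spend: Optional[float]
    budget_updated_since: int


def budget_state(budget_enabled: str, target: float, data: Optional[BudgetData]) -> str:
    """Return one of the Budget > State enum values.

    budget_enabled is the Budget > Enabled policy value ("Skip" or the Check option),
    target is the Budget > Target policy value (-1 means not configured).
    """
    if budget_enabled == "Skip":
        return "Unknown"
    # Stale or incomplete data, or no target set: the state cannot be judged.
    if (
        data is None                      # no budget record at all (added handling)
        or data.budget_updated_since >= 23
        or data.current_month_forecast_spend is None
        or data.current_month_actual_spend is None
        or target == -1
    ):
        return "Unknown"
    forecast = data.current_month_forecast_spend
    actual = data.current_month_actual_spend
    # Thresholds are checked from most to least severe, as in the template.
    if forecast >= 5 * target or actual >= 3 * target:
        return "Shutdown"
    if forecast >= 3 * target or actual >= 2 * target:
        return "Critical"
    if forecast >= 1.25 * target or actual > target:   # note: actual is a strict comparison
        return "Over"
    if forecast >= 0.5 * target:
        return "On target"
    if forecast >= 0.1 * target:
        return "Under"
    return "Unused"


if __name__ == "__main__":
    # Constructed sample: a 1000 USD target with a forecast sitting just over it.
    sample = BudgetData(current_month_actual_spend=700.0,
                        current_month_forecast_spend=1300.0,
                        budget_updated_since=2)
    print(budget_state("Check: Budget > State is On Target or below", 1000.0, sample))
```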
AWS > Account > Budget > Target
The budget target for this AWS Account, in US Dollars. The Budget > State is calculated
by comparing this target to the Current Spend and Forecast Spend.
Note: You must change this value from the default in order to enforce budget actions.
tmod:@turbot/aws#/policy/types/accountBudgetLimit
{ "type": "number", "default": -1}
AWS > Account > CMDB
Configure whether to record and synchronize details for the AWS account into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws#/policy/types/accountCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > Account > Partition
The AWS partition for this account. By default, Guardrails will determine the
partition by parsing the AWS > Account > Guardrails IAM Role, though you can
override this behavior if required.
For standard AWS regions, the partition is aws. For resources in the AWS GovCloud
(US-West) region, the partition is aws-us-gov.
Note: The default (calculated) value is usually appropriate; however,
you can override the Guardrails behavior by setting this policy (either
via calculated policy or immediate value). DON'T CHANGE THIS UNLESS
YOU KNOW WHAT YOU'RE DOING!
tmod:@turbot/aws#/policy/types/partition
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n iamRole: policy(uri:\"#/policy/types/turbotIamRole\" resourceId:\"{{ $.account.turbot.id }}\")\n}\n"]
"{% if $.iamRole %}{{ $.iamRole.split(':')[1] }}{% else %}{% endif %}"
AWS > Account > Regions
A list of AWS regions in which resources are recorded.
The expected format is an array of region names.
This policy is the default value for all AWS services' Regions
policies.
tmod:@turbot/aws#/policy/types/regionsDefault
{ "type": "array", "default": [ "ap-northeast-1", "ap-northeast-2", "ap-northeast-3", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2", "us-gov-east-1", "us-gov-west-1", "cn-north-1", "cn-northwest-1" ], "items": { "type": "string", "pattern": "^[a-z0-9-]+$" }}
AWS > Account > Stack
Configure a custom stack on AWS, per the custom Stack > Source.
A Guardrails Stack
is a set of resources configured by Guardrails, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured
control.
tmod:@turbot/aws#/policy/types/accountStack
[ "Skip", "Check: Configured", "Enforce: Configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Enforce: Configured" ], "default": "Skip"}
AWS > Account > Stack > Secret Variables
Terraform secret variables in Terraform HCL that will be used as
inputs to the stack as a .tfvars file.
A Guardrails Stack
is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured
control.
tmod:@turbot/aws#/policy/types/accountStackSecretVariables
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Account > Stack > Source
The Terraform HCL source used to configure this stack.
A Guardrails Stack
is a set of resources configured by Guardrails, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured
control.
tmod:@turbot/aws#/policy/types/accountStackSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Account > Stack > Terraform Version
The Version of Terraform to use for this stack.
Specify an npm-style semver string to
determine which version of the Terraform container
Guardrails will use to run this stack.
A Guardrails Stack
is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured
control.
tmod:@turbot/aws#/policy/types/accountStackTerraformVersion
"{\n terraformVersion: policy(uri:\"tmod:@turbot/turbot#/policy/types/stackTerraformVersion\")\n}\n"
"{% if $.terraformVersion %}"{{$.terraformVersion}}"{% else %}""{% endif %}"
{ "type": "string"}
AWS > Account > Stack > Variables
Terraform variables in Terraform HCL that will be used as
inputs to the stack as a .tfvars file.
A Guardrails Stack
is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured
control.
tmod:@turbot/aws#/policy/types/accountStackVariables
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Account > Tags Template [Default]
A template used to generate the keys and values for AWS
resources. By default, all AWS service Tags Template [Default]
policies will use this value.
tmod:@turbot/aws#/policy/types/defaultTagsTemplate
"{\n defaultTags: resource {\n tags(resolution: RECOMMENDED)\n }\n}\n"
"{%- if $.defaultTags.tags | length == 0 %} [] {%- elif $.defaultTags.tags != undefined %}{{ $.defaultTags.tags | dump | safe }}{% endif %}"
AWS > Account > Trusted Accounts [Default]
A list of AWS Account IDs that users may share resources with.
The expected format is an array of account IDs.
This policy is the default value for all AWS services' Trusted Accounts
policies.
example:
- "013122550996"
- "560741234067"
tmod:@turbot/aws#/policy/types/trustedAccounts
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "(?:^[0-9]{12}$|^\\*$)" }}
AWS > Account > Trusted Identity Providers [Default]
A list of AWS federation principals that users may share resources with.
The expected format is an array of identity providers.
This policy is the default value for all AWS services' Trusted Identity Providers
policies.
example:
- www.google.com
- www.facebook.com
tmod:@turbot/aws#/policy/types/trustedIdentityProviders
{ "type": "array", "default": [ "*" ], "items": { "type": "string" }}
AWS > Account > Trusted Organizations [Default]
A list of AWS Organization IDs that users may share resources with.
The expected format is an array of organization IDs.
This policy is the default value for all AWS services' Trusted Organizations
policies.
example:
- "o-333333333"
- "o-c3a5y4wd52"
tmod:@turbot/aws#/policy/types/trustedOrganizations
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "(?:^o-[a-z0-9]{10,32}$|^\\*$)" }}
AWS > Account > Trusted Services [Default]
A list of AWS service principals that users may share resources with.
The expected format is an array of services.
This policy is the default value for all AWS services' Trusted Services
policies.
example:
- sns.amazonaws.com
- ec2.amazonaws.com
tmod:@turbot/aws#/policy/types/trustedServices
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "(?:^\\S*\\.amazonaws\\.com$|^\\*$)" }}
AWS > Account > Turbot IAM Access Key ID
IAM access key ID used by Guardrails for access to the AWS account.
tmod:@turbot/aws#/policy/types/turbotIamAccessKeyId
{ "type": "string", "pattern": "^A[KS]IA[A-Z0-9]{16}$"}
AWS > Account > Turbot IAM Credential Type
IAM credential type that Guardrails will use for access to the AWS account. Guardrails recommends setting this policy value to 'Role'.
tmod:@turbot/aws#/policy/types/turbotIamCredentialType
[ "Role", "Access key pair"]
{ "type": "string", "enum": [ "Role", "Access key pair" ], "default": "Role"}
AWS > Account > Turbot IAM Role
IAM Role used by Guardrails for access to the AWS account.
tmod:@turbot/aws#/policy/types/turbotIamRole
{ "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:iam::[0-9]{12}:role(/[A-Za-z0-9.,+@=_-]+)*/[A-Za-z0-9+=,.@_-]{1,64}$"}
AWS > Account > Turbot IAM Role > Assume Role Timeout
The timeout in minutes used when Guardrails assumes IAM roles in AWS accounts
for background tasks.
tmod:@turbot/aws#/policy/types/turbotIamRoleAssumeRoleTimeout
{ "type": "integer", "minimum": 15, "maximum": 60, "default": 60}
AWS > Account > Turbot IAM Role > External ID
External ID for secure access to the Guardrails IAM Role.
tmod:@turbot/aws#/policy/types/turbotIamRoleExternalId
{ "type": "string", "minLength": 1}
AWS > Account > Turbot IAM Role > External ID > Protection
When generating credentials for the AWS account, check if the role's external ID is in the protected format, e.g., turbot:123456789012345:foo, and if it is, check if the Guardrails resource ID is for the workspace's Guardrails resource. If the Guardrails resource ID does not match, credentials will not be generated.
If set to Protected, the external ID must be in the protected format for credentials to be generated.
tmod:@turbot/aws#/policy/types/turbotIamRoleExternalIdProtection
[ "Open", "Protected"]
{ "type": "string", "enum": [ "Open", "Protected" ], "default": "Open"}
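The decision described above, written out as an added example rather than Guardrails' own code. It models the protected format turbot:<resource ID>:<suffix> from the description; the assumption that the resource ID is numeric and the suffix is free text, the workspace resource ID and the sample external IDs are all constructed here.

```python
"""External ID > Protection check, modelled from the policy description (added example)."""
import re
from typing import Optional

# Protected format as shown on the page: "turbot:123456789012345:foo".
# Assumption: the embedded Guardrails resource ID is all digits and the suffix is any non-empty text.
PROTECTED_RE = re.compile(r"^turbot:(?P<resource_id>[0-9]+):(?P<suffix>.+)$")

VALID_SETTINGS = ("Open", "Protected")


def embedded_resource_id(external_id: str) -> Optional[str]:
    """Return the Guardrails resource ID carried in a protected-format external ID, else None."""
    match = PROTECTED_RE.match(external_id)
    return match.group("resource_id") if match else None


def credentials_allowed(external_id: str, workspace_resource_id: str, protection: str) -> bool:
    """Decide whether credentials may be generated for a role carrying this external ID.

    protection is the AWS > Account > Turbot IAM Role > External ID > Protection value.
      Open:      any external ID is accepted, unless it is in protected format and names
                 a different workspace's resource ID (then it is refused).
      Protected: the external ID must be in protected format AND name this workspace.
    """
    if protection not in VALID_SETTINGS:
        raise ValueError(f"unknown protection setting: {protection!r}")

    resource_id = embedded_resource_id(external_id)
    if resource_id is None:
        # Not in protected format: acceptable only while the policy is Open.
        return protection == "Open"
    # Protected format: refuse when the ID belongs to another workspace, in either mode.
    return resource_id == workspace_resource_id


if __name__ == "__main__":
    workspace = "123456789012345"  # constructed workspace resource ID
    for ext_id, mode in [
        ("turbot:123456789012345:foo", "Protected"),   # protected, matches -> allowed
        ("turbot:999999999999999:foo", "Open"),        # protected, other workspace -> refused
        ("legacy-shared-secret", "Open"),              # plain ID, Open -> allowed
        ("legacy-shared-secret", "Protected"),         # plain ID, Protected -> refused
    ]:
        print(f"{mode:9} {ext_id:32} -> {credentials_allowed(ext_id, workspace, mode)}")
```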
AWS > Account > Turbot IAM Secret Access Key
IAM secret access key used by Guardrails for access to the AWS account.
tmod:@turbot/aws#/policy/types/turbotIamSecretAccessKey
{ "type": "string", "pattern": "^[A-z0-9/+=]{40}$"}
AWS > Region > Discovery
AWS > Region > Discovery > Connection Region
Configure the connection region used to discover regions in an AWS > Account.
tmod:@turbot/aws#/policy/types/connectionRegion
"{\n partition: policy(uri:\"tmod:@turbot/aws#/policy/types/partition\")\n}\n"
"{% if $.partition === "aws-cn" %}"cn-north-1"{% elif $.partition === "aws-us-gov" %}"us-gov-west-1"{% else %}"us-east-1"{% endif %}"
{ "type": "string", "pattern": "^[a-z0-9-]+$"}
AWS > Region > Logging Bucket [Default]
Specifies an S3 bucket to be used as the default logging
destination in this region.
This policy is referenced by other policies to provide a single
configurable logging destination across services.
tmod:@turbot/aws#/policy/types/loggingBucketDefault
[ "{\n region {\n turbot {\n id\n }\n }\n}\n", "{\n bucketName: policy(uri:\"#/policy/types/loggingBucketName\", resourceId: \"{{ $.region.turbot.id }}\")\n}\n"]
"{{ $.bucketName }}"
{ "type": "string"}
AWS > Region > Stack
Configure a custom stack on AWS, per the custom Stack > Source.
A Guardrails Stack
is a set of resources configured by Guardrails, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured
control.
tmod:@turbot/aws#/policy/types/regionStack
[ "Skip", "Check: Configured", "Enforce: Configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Enforce: Configured" ], "default": "Skip"}
AWS > Region > Stack > Secret Variables
Terraform secret variables in Terraform HCL that will be used as
inputs to the stack as a .tfvars file.
A Guardrails Stack
is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured
control.
tmod:@turbot/aws#/policy/types/regionStackSecretVariables
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Region > Stack > Source
The Terraform HCL source used to configure this stack.
A Guardrails Stack
is a set of resources configured by Guardrails, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured
control.
tmod:@turbot/aws#/policy/types/regionStackSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Region > Stack > Terraform Version
The Version of Terraform to use for this stack.
Specify an npm-style semver string to
determine which version of the Terraform container
Guardrails will use to run this stack.
A Guardrails Stack
is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured
control.
tmod:@turbot/aws#/policy/types/regionStackTerraformVersion
"{\n terraformVersion: policy(uri:\"tmod:@turbot/turbot#/policy/types/stackTerraformVersion\")\n}\n"
"{% if $.terraformVersion %}"{{$.terraformVersion}}"{% else %}""{% endif %}"
{ "type": "string"}
AWS > Region > Stack > Variables
Terraform variables in Terraform HCL that will be used as
inputs to the stack as a .tfvars file.
A Guardrails Stack
is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured
control.
tmod:@turbot/aws#/policy/types/regionStackVariables
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Turbot
AWS > Turbot > Audit Trail
Configure the Turbot CloudTrail stack.
The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to
record an audit trail of API calls to your AWS accounts.
tmod:@turbot/aws#/policy/types/auditTrail
[ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured" ], "default": "Skip"}
AWS > Turbot > Audit Trail > CloudTrail
Placeholder
tmod:@turbot/aws#/policy/types/auditTrailCloudTrail
AWS > Turbot > Audit Trail > CloudTrail > Trail
Placeholder
tmod:@turbot/aws#/policy/types/auditTrailTrail
AWS > Turbot > Audit Trail > CloudTrail > Trail > CloudWatch Role
The name of an IAM role that CloudTrail will assume to write logs to CloudWatch Logs.
If CloudWatch Log forwarding is enabled, you must also specify a role that CloudTrail
can assume to write the logs. This role must have logs:CreateLogStream and logs:PutLogEvents
for the CloudWatch Log Group, and must allow the CloudTrail service (cloudtrail.amazonaws.com)
to assume the role.
The role must already exist - the stack won't create it.
tmod:@turbot/aws#/policy/types/trailCloudWatchRole
{ "type": "string", "default": ""}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Enabled
The desired state of the CloudTrail. When disabled, a CloudTrail does not log
any events.
The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to
record an audit trail of API calls to your AWS accounts.
tmod:@turbot/aws#/policy/types/trailEnabled
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Encryption Key
The KMS key ID that encrypts the logs delivered by CloudTrail. The value is a
fully specified ARN to a KMS key in the format:
arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012
If a key is specified in this policy, SSE-KMS encryption will be enabled with this key. If the Encryption Key
policy is blank, the default (SSE-S3) encryption will be used.
The key will not be created in this stack - it must already exist and CloudTrail
must have the correct permissions to use the key. Guardrails will not modify the key policy.
tmod:@turbot/aws#/policy/types/trailEncryptionKey
{ "type": "string", "default": ""}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Event Selectors
An event selector that specifies which events to log in the Guardrails Trail. If
no event selector is specified, the trail will log all read and write
management events, and no data events.
The Event Selectors policy allows you to specify up to 5 CloudTrail event selectors
to further specify the management and S3 and/or Lambda data event settings for the trail.
By default, trails created without specific event selectors will be configured to log
all read and write management events, and no data events.
The format of this policy is the native Terraform HCL for event selectors.
tmod:@turbot/aws#/policy/types/trailEventSelectors
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }, "default": ""}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Global Region
The region that will host the Guardrails Trail when configured to use a
multi-region trail.
The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to
record an audit trail of API calls to your AWS accounts.
tmod:@turbot/aws#/policy/types/trailGlobalRegion
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n partitionPolicy: policy(uri:\"#/policy/types/partition\" resourceId: \"{{ $.account.turbot.id }}\")\n}\n"]
"{% if $.partitionPolicy == 'aws' %}us-east-1{% else %}us-gov-west-1{% endif %}"
AWS > Turbot > Audit Trail > CloudTrail > Trail > Include Global Service Events
Determine whether or not events from global services (such as IAM, STS, CloudFront, and Route 53) are logged to the Guardrails trail.
If you have multiple single region trails, consider configuring your trails so that global service events are delivered in only one of the trails.
tmod:@turbot/aws#/policy/types/trailIncludeGlobalServiceEvents
[ "Enabled: Include Global Service Events", "Disabled: Do not include Global Service Events"]
{ "type": "string", "enum": [ "Enabled: Include Global Service Events", "Disabled: Do not include Global Service Events" ], "default": "Enabled: Include Global Service Events"}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Log File Validation
Determine whether or not log file integrity validation is enabled for
the Guardrails trail.
Enable CloudTrail log file integrity validation to determine whether a log file was
modified, deleted, or unchanged after CloudTrail delivered it.
tmod:@turbot/aws#/policy/types/trailLogFileValidation
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Name
A policy that displays the calculated Guardrails CloudTrail name for
this region.
This stack configures a CloudTrail for auditing API calls.
tmod:@turbot/aws#/policy/types/trailName
{ "type": "string"}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Name Prefix
A string to be used as a prefix to the Guardrails generated name for the Guardrails
managed CloudTrail. The name will be prepended with this value.
The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to
record an audit trail of API calls to your AWS accounts.
Note that this policy is ignored if the AWS > Turbot > Audit Trail > CloudTrail > Trail > Name
policy has a policy setting defined explicitly.
tmod:@turbot/aws#/policy/types/auditTrailTrailNamePrefix
{ "type": "string", "default": "turbot-", "example": "turbot-"}
AWS > Turbot > Audit Trail > CloudTrail > Trail > S3 Bucket
The name of an S3 bucket to which the Guardrails Trail will be delivered.
CloudTrail must write to S3, thus this policy is required. The S3 bucket
must already exist (the stack will not create it) and the CloudTrail
service must be allowed write access. The bucket can reside in any
region of any account.
tmod:@turbot/aws#/policy/types/trailBucket
[ "{\n region {\n turbot {\n id\n }\n }\n}\n", "{\n bucketName: policy(uri:\"#/policy/types/loggingBucketDefault\", resourceId: \"{{ $.region.turbot.id }}\")\n}\n"]
"{{ $.bucketName }}"
{ "type": "string"}
AWS > Turbot > Audit Trail > CloudTrail > Trail > S3 Key Prefix
An S3 key prefix to which the Guardrails Trail will be written.
tmod:@turbot/aws#/policy/types/trailKeyPrefix
{ "type": "string", "default": ""}
AWS > Turbot > Audit Trail > CloudTrail > Trail > SNS Topic
An SNS Topic ARN to which to send notifications when CloudTrail publishes logs. If no topic is specified (the SNS Topic
policy is blank), then SNS forwarding will be disabled for the Guardrails Trail.
Note that the SNS topic will not be created in this stack - it must already exist.
The SNS topic policy must allow CloudTrail to publish to the topic - the stack will
not update the policy.
tmod:@turbot/aws#/policy/types/trailSnsTopic
{ "type": "string", "default": "", "example": "arn:aws:sns:us-east-2:123456789012:MyTopic"}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Tags
A list of key:value pairs to add as AWS tags onto the Guardrails managed
CloudTrail resource.
The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to
record an audit trail of API calls to your AWS accounts.
tmod:@turbot/aws#/policy/types/trailTags
AWS > Turbot > Audit Trail > CloudTrail > Trail > Type
The type of CloudTrail deployment to use with Guardrails Audit Trail.
CloudTrail has options for multi-region or single region trails, as well as a new option for
Organization trails (for customers that leverage AWS Organizations). This provides
flexibility in implementation (as well as backwards compatibility - neither multi-region nor
organization trails were options when the service launched).
Note that Guardrails must manage your Organization Master account in order to use an Organization
trail - this can only be configured from the Organization master account.
tmod:@turbot/aws#/policy/types/trailType
[ "A trail in each region of each account", "A multi-region trail in the `Trail > Global Region` in each account"]
{ "type": "string", "enum": [ "A trail in each region of each account", "A multi-region trail in the `Trail > Global Region` in each account" ], "default": "A multi-region trail in the `Trail > Global Region` in each account"}
AWS > Turbot > Audit Trail > Source
The Terraform source used to configure the Guardrails Audit Trail stack.
The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to
record an audit trail of API calls to your AWS accounts.
This policy is read-only, as the Audit Trail source is generated by Guardrails.
tmod:@turbot/aws#/policy/types/auditTrailSource
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Turbot > Audit Trail > Terraform Version
The version of Terraform to use for this stack. Specify an npm-style semver string to determine which version of the Terraform container Guardrails will use to run this stack.
A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
tmod:@turbot/aws#/policy/types/auditTrailTerraformVersion
{ "type": "string"}
AWS > Turbot > Event Handlers
Configure the Guardrails AWS Event Handlers stack. This stack configures the EventBridge and SNS resources required for Guardrails real-time event routing. For more information, refer to the AWS Event Handler documentation.
Notes:
- The AWS Event Handler control ignores the Turbot > Change Window policy.
- For proper management of AWS Event Handlers, the aws, aws-iam, aws-kms, aws-events and aws-sns mods must be installed. Additional information can be found in the required mods section of the AWS Event Handler docs.
tmod:@turbot/aws#/policy/types/eventHandlers
[ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured" ], "default": "Skip"}
AWS > Turbot > Event Handlers > Events
tmod:@turbot/aws#/policy/types/eventHandlersEvents
AWS > Turbot > Event Handlers > Events > Rules
tmod:@turbot/aws#/policy/types/eventHandlersEventsRules
AWS > Turbot > Event Handlers > Events > Rules > Account Filter
Configure whether to add the account filter to the EventBridge Rules created via the AWS > Turbot > Event Handlers stack. If Enabled, the EventBridge rules will raise events only for the account where the Event Handlers are deployed.
tmod:@turbot/aws#/policy/types/eventHandlersEventsRulesAccountFilter
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Disabled"}
AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns
The CloudWatch Events event pattern used by the AWS S3 module to specify which events to forward to the Guardrails Event Handlers.
This is a read-only policy used internally by Guardrails.
tmod:@turbot/aws#/policy/types/eventHandlersEventsRulesCustomEventPatterns
AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > Billing Console
The CloudWatch Events event pattern used by the AWS module to specify
which events to forward to the Guardrails Event Handlers.
tmod:@turbot/aws#/policy/types/billingconsoleCustomEventPatterns
{ "type": "array", "items": { "type": "object", "properties": { "type": { "type": "object", "properties": { "title": { "type": "string" } } }, "value": { "type": "object", "properties": { "source": { "type": "array", "items": { "type": "string" } }, "detail-type": { "type": "array", "items": { "type": "string" } }, "detail": { "type": "object", "properties": { "eventName": { "type": "array" } }, "required": [ "eventName" ] } }, "required": [ "source" ] } }, "required": [ "type" ] }, "default": [ { "type": { "title": "Billing Console", "name": "billingconsole" }, "value": { "source": [ "aws.billingconsole" ], "detail-type": [ "AWS Console Action via CloudTrail" ], "detail": { "eventName": [ "DisableRegion", "EnableRegion", "SetAdditionalContacts" ] } } } ]}
AWS > Turbot > Event Handlers > Events > Rules > Event Sources
The Terraform source used to configure the Guardrails Event Handlers stack. This stack configures AWS CloudWatch Events rules and targets, and SNS topics and subscriptions, to enable real-time event handling in an AWS region.
This policy is read-only, as the source is generated by Guardrails.
tmod:@turbot/aws#/policy/types/eventHandlersEventsRulesEventSources
{ "type": "array", "items": { "type": "string" }}
AWS > Turbot > Event Handlers > Events > Rules > Name Prefix
A string to be used as a prefix to the Guardrails-generated name of the Guardrails Event Handlers CloudWatch Events rules. The names will be prepended with this value.
tmod:@turbot/aws#/policy/types/eventHandlersEventsRulesNamePrefix
{ "type": "string", "default": "turbot_", "example": "turbot_"}
AWS > Turbot > Event Handlers > Events > Rules > Tags
A list of key:value pairs to add as AWS tags on the Guardrails Event Handlers Events rules.
tmod:@turbot/aws#/policy/types/eventHandlersEventsRulesTags
AWS > Turbot > Event Handlers > SNS
tmod:@turbot/aws#/policy/types/eventHandlersSns
AWS > Turbot > Event Handlers > SNS > Topic
tmod:@turbot/aws#/policy/types/eventHandlersSnsTopic
AWS > Turbot > Event Handlers > SNS > Topic > Customer Managed Key
A Customer Managed KMS key used for server-side encryption of the SNS topic created for the AWS Event Handlers. If no key is specified, server-side encryption will not be enabled.
If the specified key does not exist in AWS or is improperly specified in the policy, the SNS topic will silently stop working and halt event handling for the region. Resolve by picking an existing key or removing this policy.
Note that the key will not be created in this stack; it must already exist. The key policy must grant the kms:GenerateDataKey* and kms:Decrypt permissions to Amazon CloudWatch Events (events.amazonaws.com). The Guardrails user must also have permissions to decrypt messages with this CMK.
See https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
tmod:@turbot/aws#/policy/types/eventHandlersSnsTopicCustomerManagedKey
{ "type": "string", "default": ""}
AWS > Turbot > Event Handlers > SNS > Topic > Name Prefix
A string to be used as a prefix to the Guardrails-generated name of the Guardrails Event Handlers SNS topic. The name will be prepended with this value.
tmod:@turbot/aws#/policy/types/eventHandlersSnsTopicNamePrefix
{ "type": "string", "default": "turbot_", "example": "turbot_"}
AWS > Turbot > Event Handlers > SNS > Topic > Tags
A list of key:value pairs to add as AWS tags on the Guardrails Event Handlers SNS topic.
tmod:@turbot/aws#/policy/types/eventHandlersSnsTopicTags
AWS > Turbot > Event Handlers > Source
The Terraform source used to configure the Event Handlers stack.
This policy is read-only, as the Event Handlers source is generated by Guardrails.
tmod:@turbot/aws#/policy/types/eventHandlersSource
{ "type": "string", "x-schema-form": { "type": "code", "language": "json" }}
AWS > Turbot > Event Handlers > Terraform Version
The version of Terraform to use for this stack. Specify an npm-style semver string to determine which version of the Terraform container Guardrails will use to run this stack.
A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
tmod:@turbot/aws#/policy/types/eventHandlersTerraformVersion
{ "type": "string"}
AWS > Turbot > Event Handlers [Global]
Configure the Guardrails AWS Event Handlers [Global] stack. This stack configures the EventBridge and SNS resources required for Guardrails real-time event routing.
Notes:
- The AWS Event Handler control ignores the Turbot > Change Window policy.
- For proper management of AWS Event Handlers [Global], the aws, aws-iam, aws-kms, aws-events and aws-sns mods must be installed. Additional information can be found in the required mods section of the AWS Event Handler docs.
tmod:@turbot/aws#/policy/types/eventHandlersGlobal
[ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured" ], "default": "Skip"}
AWS > Turbot > Event Handlers [Global] > Events
tmod:@turbot/aws#/policy/types/eventHandlersGlobalEvents
AWS > Turbot > Event Handlers [Global] > Events > Rules
tmod:@turbot/aws#/policy/types/eventHandlersGlobalEventsRules
AWS > Turbot > Event Handlers [Global] > Events > Rules > Name Prefix
A string to be used as a prefix to the Guardrails-generated name of the Guardrails Event Handlers [Global] CloudWatch Events rules. The names will be prepended with this value.
tmod:@turbot/aws#/policy/types/eventHandlersGlobalEventsRulesNamePrefix
{ "type": "string", "default": "turbot_", "example": "turbot_"}
AWS > Turbot > Event Handlers [Global] > Events > Rules > Tags
A list of key:value pairs to add as AWS tags on the Guardrails Event Handlers [Global] Events rules.
tmod:@turbot/aws#/policy/types/eventHandlersGlobalEventsRulesTags
AWS > Turbot > Event Handlers [Global] > Events > Target
tmod:@turbot/aws#/policy/types/eventHandlersGlobalEventsTarget
AWS > Turbot > Event Handlers [Global] > Events > Target > IAM Role ARN
The IAM Role used to forward events from the non-primary regions to the AWS > Turbot > Event Handlers [Global] > Primary Region. By default, this policy is set via the AWS > Turbot > Service Roles > Event Handlers [Global] policy, but can be overwritten if needed.
The below permissions are needed at minimum to allow the Role to forward events to the Primary Region correctly.
{
  "Statement": [
    {
      "Action": [
        "events:PutEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:<partition>:events:<region>:<accountId>:event-bus/default"
    }
  ],
  "Version": "2012-10-17"
}
tmod:@turbot/aws#/policy/types/eventHandlersGlobalEventsTargetIamRoleArn
{ "type": "string"}
AWS > Turbot > Event Handlers [Global] > Primary Region
The primary region for the AWS > Turbot > Event Handlers [Global] stack. All EventBridge and SNS resources required for real-time event routing will be deployed in this region.
tmod:@turbot/aws#/policy/types/eventHandlersGlobalPrimaryRegion
"{\n partition: policy(uri:\"tmod:@turbot/aws#/policy/types/partition\")\n}\n"
"{% if $.partition === "aws-cn" %}"cn-north-1"{% elif $.partition === "aws-us-gov" %}"us-gov-west-1"{% else %}"us-east-1"{% endif %}"
{ "type": "string"}
AWS > Turbot > Event Handlers [Global] > SNS
tmod:@turbot/aws#/policy/types/eventHandlersGlobalSns
AWS > Turbot > Event Handlers [Global] > SNS > Topic
tmod:@turbot/aws#/policy/types/eventHandlersGlobalSnsTopic
AWS > Turbot > Event Handlers [Global] > SNS > Topic > Customer Managed Key
A Customer Managed KMS key used for server-side encryption of the SNS topic created for the AWS Event Handlers [Global]. If no key is specified, server-side encryption will not be enabled.
If the specified key does not exist in AWS or is improperly specified in the policy, the SNS topic will silently stop working and halt event handling for the region. Resolve by picking an existing key or removing this policy.
Note that the key will not be created in this stack; it must already exist. The key policy must grant the kms:GenerateDataKey* and kms:Decrypt permissions to Amazon CloudWatch Events (events.amazonaws.com). The Guardrails user must also have permissions to decrypt messages with this CMK.
See https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
tmod:@turbot/aws#/policy/types/eventHandlersGlobalSnsTopicCustomerManagedKey
{ "type": "string", "default": ""}
AWS > Turbot > Event Handlers [Global] > SNS > Topic > Name Prefix
A string to be used as a prefix to the Guardrails-generated name of the Guardrails Event Handlers [Global] SNS topic. The name will be prepended with this value.
tmod:@turbot/aws#/policy/types/eventHandlersGlobalSnsTopicNamePrefix
{ "type": "string", "default": "turbot_", "example": "turbot_"}
AWS > Turbot > Event Handlers [Global] > SNS > Topic > Tags
A list of key:value pairs to add as AWS tags on the Guardrails Event Handlers [Global] SNS topic.
tmod:@turbot/aws#/policy/types/eventHandlersGlobalSnsTopicTags
AWS > Turbot > Event Handlers [Global] > Source
The Terraform source used to configure the Event Handlers [Global] stack.
This policy is read-only, as the Event Handlers [Global] source is generated by Guardrails.
tmod:@turbot/aws#/policy/types/eventHandlersGlobalSource
{ "type": "string", "x-schema-form": { "type": "code", "language": "json" }}
AWS > Turbot > Event Handlers [Global] > Terraform Version
The version of Terraform to use for this stack. Specify an npm-style semver string to determine which version of the Terraform container Guardrails will use to run this stack.
A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
tmod:@turbot/aws#/policy/types/eventHandlersGlobalTerraformVersion
{ "type": "string"}
AWS > Turbot > Event Poller
Configure the AWS Event Poller. When set to Enabled, the poller will run at the interval specified to retrieve the latest events and forward them to the Guardrails Router.
Note: The Event Poller and Guardrails Event Handler are different mechanisms for sending information to Guardrails. You should enable one or the other, but not both.
tmod:@turbot/aws#/policy/types/eventPoller
"{\n eventHandlersValue: policy(uri: \"tmod:@turbot/aws#/policy/types/eventHandlers\")\n globalEventHandlersValue: policy(uri: \"tmod:@turbot/aws#/policy/types/eventHandlersGlobal\")\n}\n"
"{% if $.eventHandlersValue == 'Enforce: Configured' or $.globalEventHandlersValue == 'Enforce: Configured' %}Disabled{% else %}Enabled{% endif %}\n"
{ "type": "string", "enum": [ "Enabled", "Disabled" ]}
AWS > Turbot > Event Poller > Excluded Events
A list of events that will be filtered out while processing events that are captured via AWS > Turbot > Event Poller.
Example:
  - support:RefreshTrustedAdvisorCheck
  - ssm:UpdateInstanceInformation
  - ssm:Update*
tmod:@turbot/aws#/policy/types/eventPollerExcludedEvents
{ "type": "array", "items": { "type": "string", "pattern": "^[a-zA-Z0-9]+[:][a-zA-Z0-9*?]+$" }, "default": [ "support:RefreshTrustedAdvisorCheck" ]}
AWS > Turbot > Event Poller > Interval
The polling interval. This policy determines how often
the event poller will run.
tmod:@turbot/aws#/policy/types/eventPollerInterval
[ "Every 1 minute", "Every 2 minutes", "Every 3 minutes", "Every 4 minutes", "Every 5 minutes", "Every 6 minutes", "Every 7 minutes", "Every 8 minutes", "Every 9 minutes", "Every 10 minutes"]
{ "type": "string", "enum": [ "Every 1 minute", "Every 2 minutes", "Every 3 minutes", "Every 4 minutes", "Every 5 minutes", "Every 6 minutes", "Every 7 minutes", "Every 8 minutes", "Every 9 minutes", "Every 10 minutes" ], "default": "Every 2 minutes"}
AWS > Turbot > Event Poller > Window
The polling window, in minutes. This policy determines the oldest events the event poller will retrieve. For example, setting the window to '15 minutes' will cause the poller to retrieve all events from the previous 15 minutes every time it runs.
The Window must be greater than the Interval, and it is recommended to be at least twice the Interval. For example, if the Interval is 'Every 5 Minutes', the Window should be at least '10 Minutes'.
tmod:@turbot/aws#/policy/types/eventPollerWindow
[ "15 minutes", "16 minutes", "17 minutes", "18 minutes", "19 minutes", "20 minutes", "21 minutes", "22 minutes", "23 minutes", "24 minutes", "25 minutes", "26 minutes", "27 minutes", "28 minutes", "29 minutes", "30 minutes"]
{ "type": "string", "enum": [ "15 minutes", "16 minutes", "17 minutes", "18 minutes", "19 minutes", "20 minutes", "21 minutes", "22 minutes", "23 minutes", "24 minutes", "25 minutes", "26 minutes", "27 minutes", "28 minutes", "29 minutes", "30 minutes" ], "default": "15 minutes"}
AWS > Turbot > Logging
AWS > Turbot > Logging > Bucket
Configure the Guardrails Logging Bucket stack.
This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.
tmod:@turbot/aws#/policy/types/loggingBucket
[ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured" ], "default": "Skip"}
AWS > Turbot > Logging > Bucket > Access Logging
Configure server access logging on the AWS S3 Bucket.
This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.
tmod:@turbot/aws#/policy/types/loggingBucketAccessLogging
[ "Disabled", "Enabled"]
{ "type": "string", "enum": [ "Disabled", "Enabled" ], "example": [ "Disabled" ], "default": "Disabled"}
AWS > Turbot > Logging > Bucket > Access Logging > Bucket
Configure server access logging on the AWS S3 Bucket.
This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.
tmod:@turbot/aws#/policy/types/loggingBucketAccessLoggingBucket
{ "type": "string", "pattern": "^[a-zA-Z0-9._-]{1,255}$", "default": ""}
AWS > Turbot > Logging > Bucket > Access Logging > Bucket > Key Prefix
Configure server access logging on the AWS S3 Bucket.
This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.
tmod:@turbot/aws#/policy/types/loggingBucketAccessLoggingBucketKeyPrefix
{ "type": "string", "pattern": "^.{1,200}$", "default": ""}
AWS > Turbot > Logging > Bucket > Default Encryption
Configure default encryption on the AWS S3 Bucket.
This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.
tmod:@turbot/aws#/policy/types/loggingBucketDefaultEncryption
[ "None", "AWS SSE"]
{ "type": "string", "enum": [ "None", "AWS SSE" ], "example": [ "AWS SSE" ], "default": "AWS SSE"}
AWS > Turbot > Logging > Bucket > Encryption in Transit
Configure Encryption in Transit on the AWS S3 Bucket.
This stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services.
If Encryption in Transit is set to Enabled, the below statement will be applied to the S3 Bucket.
{
  Sid: "MustBeEncryptedInTransit",
  Effect: "Deny",
  Principal: "*",
  Action: "s3:*",
  Resource: ['arn:${partition}:s3:::${bucketName}', 'arn:${partition}:s3:::${bucketName}/*'],
  Condition: {
    Bool: {
      "aws:SecureTransport": "false"
    }
  }
}
tmod:@turbot/aws#/policy/types/loggingBucketEncryptionInTransit
[ "Disabled", "Enabled"]
{ "type": "string", "enum": [ "Disabled", "Enabled" ], "example": [ "Disabled" ], "default": "Disabled"}
AWS > Turbot > Logging > Bucket > Name
A read-only policy that displays the calculated Guardrails logging bucket name
for this region.
This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.
tmod:@turbot/aws#/policy/types/loggingBucketName
{ "type": "string"}
AWS > Turbot > Logging > Bucket > Name > Prefix
A string to be used as a prefix to the Guardrails-generated name of the Guardrails logging bucket. The name will be prepended with this value.
This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.
tmod:@turbot/aws#/policy/types/loggingBucketNamePrefix
{ "type": "string", "default": "turbot-", "example": "turbot-"}
AWS > Turbot > Logging > Bucket > Regions
A list of regions in which to create Guardrails logging buckets.
This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.
tmod:@turbot/aws#/policy/types/loggingBucketRegions
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n approvedRegionsPolicy: policy(uri: \"#/policy/types/approvedRegionsDefault\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"]
"{% for item in $.approvedRegionsPolicy %}- '{{ item }}'\n{% endfor %}"
AWS > Turbot > Logging > Bucket > Source
The Terraform source used to configure the Guardrails Logging Bucket stack.
This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.
This policy is read-only, as source is generated by Guardrails.
tmod:@turbot/aws#/policy/types/loggingBucketSource
{ "type": "string", "x-schema-form": { "type": "code", "language": "json" }}
AWS > Turbot > Logging > Bucket > Tags
A list of key:value pairs to add as AWS tags on the Guardrails
logging bucket.
This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.
tmod:@turbot/aws#/policy/types/loggingBucketTags
AWS > Turbot > Logging > Bucket > Versioning
Configure versioning on the AWS S3 Bucket.
This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.
tmod:@turbot/aws#/policy/types/loggingBucketVersioning
[ "Disabled", "Enabled"]
{ "type": "string", "enum": [ "Disabled", "Enabled" ], "example": [ "Enabled" ], "default": "Enabled"}
AWS > Turbot > Logging > Terraform Version
The version of Terraform to use for this stack. Specify an npm-style semver string to determine which version of the Terraform container Guardrails will use to run this stack.
A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
tmod:@turbot/aws#/policy/types/loggingBucketTerraformVersion
{ "type": "string"}
AWS > Turbot > Service Roles
Configure standard Guardrails Service Roles for services such as AWS Config, VPC Flow Logs, etc.
tmod:@turbot/aws#/policy/types/serviceRoles
[ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured" ], "default": "Skip"}
AWS > Turbot > Service Roles > Configuration Recording
Configure the standard Guardrails Service Role for the AWS Config service.
tmod:@turbot/aws#/policy/types/serviceRolesConfigurationRecording
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
AWS > Turbot > Service Roles > Configuration Recording > Name
The resource name for the standard Guardrails IAM Config Service Role.
This policy is read-only, and generated by Guardrails based on the Service Roles > Name Prefix policy.
tmod:@turbot/aws#/policy/types/serviceRolesConfigurationRecordingName
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n roleNamePrefix: policy(uri:\"aws#/policy/types/serviceRolesNamePrefix\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"]
"{{ $.roleNamePrefix }}config"
{ "type": "string"}
AWS > Turbot > Service Roles > Default EC2 Instance
Configure the standard Guardrails Service Role for use with AWS EC2 instances.
tmod:@turbot/aws#/policy/types/serviceRolesDefaultEc2Instance
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
AWS > Turbot > Service Roles > Default EC2 Instance > Name
The resource name for the standard Guardrails IAM default EC2 instance Service Role.
tmod:@turbot/aws#/policy/types/serviceRolesDefaultEc2InstanceName
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n roleNamePrefix: policy(uri:\"aws#/policy/types/serviceRolesNamePrefix\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"]
"{{ $.roleNamePrefix }}default_ec2_instance_role"
{ "type": "string"}
AWS > Turbot > Service Roles > Default EC2 Instance > SSM Permissions
Configure the standard Guardrails Service Role for the AWS default EC2 instance service with SSM Permissions.
tmod:@turbot/aws#/policy/types/serviceRolesDefaultEc2InstanceSsmPermissions
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
AWS > Turbot > Service Roles > Event Handlers [Global]
Configure the standard Guardrails Service Role for the AWS > Turbot > Event Handlers [Global] stack.
tmod:@turbot/aws#/policy/types/serviceRolesEventHandlersGlobal
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Disabled"}
AWS > Turbot > Service Roles > Event Handlers [Global] > Name
The resource name for the standard Guardrails AWS > Turbot > Service Roles > Event Handlers [Global] role.
This policy is read-only, and generated by Guardrails based on the Service Roles > Name Prefix policy.
tmod:@turbot/aws#/policy/types/serviceRolesEventHandlersGlobalName
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n roleNamePrefix: policy(uri:\"aws#/policy/types/serviceRolesNamePrefix\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"]
"{{ $.roleNamePrefix }}aws_api_events_global"
{ "type": "string"}
AWS > Turbot > Service Roles > Flow Logging
Configure the standard Guardrails Service Role for the AWS VPC Flow Logging service.
tmod:@turbot/aws#/policy/types/serviceRolesFlowLogging
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
AWS > Turbot > Service Roles > Flow Logging > Name
The resource name for the standard Guardrails IAM VPC Flow Logging Service Role.
tmod:@turbot/aws#/policy/types/serviceRolesFlowLoggingName
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n roleNamePrefix: policy(uri:\"aws#/policy/types/serviceRolesNamePrefix\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"]
"{{ $.roleNamePrefix }}vpc_flow_logging"
{ "type": "string"}
AWS > Turbot > Service Roles > Name Path
The value to be used in resource path names for standard Guardrails Service Roles. The path should start and end with a slash (/).
tmod:@turbot/aws#/policy/types/serviceRolesNamePath
{ "type": "string", "default": "/turbot/"}
AWS > Turbot > Service Roles > Name Prefix
A prefix to be used in resource names for standard Guardrails IAM Service Roles.
tmod:@turbot/aws#/policy/types/serviceRolesNamePrefix
{ "type": "string", "default": "turbot_"}
AWS > Turbot > Service Roles > SSM Notifications
Configure the standard Guardrails Service Role for the AWS SSM Notifications.
tmod:@turbot/aws#/policy/types/serviceRolesSsmNotifications
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
AWS > Turbot > Service Roles > SSM Notifications > Name
The resource name for the standard Guardrails SSM Notifications Service Role.
tmod:@turbot/aws#/policy/types/serviceRolesSsmNotificationsName
"{\n item: account {\n turbot{\n id\n }\n }\n roleNamePrefix: policy(uri: \"#/policy/types/serviceRolesNamePrefix\")\n}\n"
"'{{ $.roleNamePrefix }}ssm_notifications_role'"
{ "type": "string"}
AWS > Turbot > Service Roles > Source
The Terraform source used to configure the standard Guardrails Service Roles.
This policy is read-only, as the stack source is generated by Guardrails.
tmod:@turbot/aws#/policy/types/serviceRolesSource
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Turbot > Service Roles > Terraform Version
The version of Terraform to use for this stack. Specify an npm-style semver string to determine which version of the Terraform container Guardrails will use to run this stack.
A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
tmod:@turbot/aws#/policy/types/serviceRolesTerraformVersion
{ "type": "string"}