Policy types for @turbot/aws
- AWS > Account > Approved Regions [Default]
- AWS > Account > Budget > Enabled
- AWS > Account > Budget > State
- AWS > Account > Budget > Target
- AWS > Account > CMDB
- AWS > Account > Partition
- AWS > Account > Regions
- AWS > Account > Stack
- AWS > Account > Stack > Secret Variables
- AWS > Account > Stack > Source
- AWS > Account > Stack > Terraform Version
- AWS > Account > Stack > Variables
- AWS > Account > Tags Template [Default]
- AWS > Account > Trusted Accounts [Default]
- AWS > Account > Trusted Identity Providers [Default]
- AWS > Account > Trusted Organizations [Default]
- AWS > Account > Trusted Services [Default]
- AWS > Account > Turbot IAM Access Key ID
- AWS > Account > Turbot IAM Credential Type
- AWS > Account > Turbot IAM Role
- AWS > Account > Turbot IAM Role > Assume Role Timeout
- AWS > Account > Turbot IAM Role > External ID
- AWS > Account > Turbot IAM Role > External ID > Protection
- AWS > Account > Turbot IAM Secret Access Key
- AWS > Region > Discovery
- AWS > Region > Discovery > Connection Region
- AWS > Region > Logging Bucket [Default]
- AWS > Region > Stack
- AWS > Region > Stack > Secret Variables
- AWS > Region > Stack > Source
- AWS > Region > Stack > Terraform Version
- AWS > Region > Stack > Variables
- AWS > Turbot
- AWS > Turbot > Audit Trail
- AWS > Turbot > Audit Trail > CloudTrail
- AWS > Turbot > Audit Trail > CloudTrail > Trail
- AWS > Turbot > Audit Trail > CloudTrail > Trail > CloudWatch Role
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Enabled
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Encryption Key
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Event Selectors
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Global Region
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Include Global Service Events
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Log File Validation
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Name
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Name Prefix
- AWS > Turbot > Audit Trail > CloudTrail > Trail > S3 Bucket
- AWS > Turbot > Audit Trail > CloudTrail > Trail > S3 Key Prefix
- AWS > Turbot > Audit Trail > CloudTrail > Trail > SNS Topic
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Tags
- AWS > Turbot > Audit Trail > CloudTrail > Trail > Type
- AWS > Turbot > Audit Trail > Source
- AWS > Turbot > Audit Trail > Terraform Version
- AWS > Turbot > Event Handlers
- AWS > Turbot > Event Handlers > Events
- AWS > Turbot > Event Handlers > Events > Rules
- AWS > Turbot > Event Handlers > Events > Rules > Account Filter
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > Billing Console
- AWS > Turbot > Event Handlers > Events > Rules > Event Sources
- AWS > Turbot > Event Handlers > Events > Rules > Name Prefix
- AWS > Turbot > Event Handlers > Events > Rules > Tags
- AWS > Turbot > Event Handlers > SNS
- AWS > Turbot > Event Handlers > SNS > Topic
- AWS > Turbot > Event Handlers > SNS > Topic > Customer Managed Key
- AWS > Turbot > Event Handlers > SNS > Topic > Name Prefix
- AWS > Turbot > Event Handlers > SNS > Topic > Tags
- AWS > Turbot > Event Handlers > Source
- AWS > Turbot > Event Handlers > Terraform Version
- AWS > Turbot > Event Handlers [Global]
- AWS > Turbot > Event Handlers [Global] > Events
- AWS > Turbot > Event Handlers [Global] > Events > Rules
- AWS > Turbot > Event Handlers [Global] > Events > Rules > Name Prefix
- AWS > Turbot > Event Handlers [Global] > Events > Rules > Tags
- AWS > Turbot > Event Handlers [Global] > Events > Target
- AWS > Turbot > Event Handlers [Global] > Events > Target > IAM Role ARN
- AWS > Turbot > Event Handlers [Global] > Primary Region
- AWS > Turbot > Event Handlers [Global] > SNS
- AWS > Turbot > Event Handlers [Global] > SNS > Topic
- AWS > Turbot > Event Handlers [Global] > SNS > Topic > Customer Managed Key
- AWS > Turbot > Event Handlers [Global] > SNS > Topic > Name Prefix
- AWS > Turbot > Event Handlers [Global] > SNS > Topic > Tags
- AWS > Turbot > Event Handlers [Global] > Source
- AWS > Turbot > Event Handlers [Global] > Terraform Version
- AWS > Turbot > Event Poller
- AWS > Turbot > Event Poller > Excluded Events
- AWS > Turbot > Event Poller > Interval
- AWS > Turbot > Event Poller > Window
- AWS > Turbot > Logging
- AWS > Turbot > Logging > Bucket
- AWS > Turbot > Logging > Bucket > Access Logging
- AWS > Turbot > Logging > Bucket > Access Logging > Bucket
- AWS > Turbot > Logging > Bucket > Access Logging > Bucket > Key Prefix
- AWS > Turbot > Logging > Bucket > Default Encryption
- AWS > Turbot > Logging > Bucket > Encryption in Transit
- AWS > Turbot > Logging > Bucket > Name
- AWS > Turbot > Logging > Bucket > Name > Prefix
- AWS > Turbot > Logging > Bucket > Regions
- AWS > Turbot > Logging > Bucket > Source
- AWS > Turbot > Logging > Bucket > Tags
- AWS > Turbot > Logging > Bucket > Versioning
- AWS > Turbot > Logging > Terraform Version
- AWS > Turbot > Service Roles
- AWS > Turbot > Service Roles > Configuration Recording
- AWS > Turbot > Service Roles > Configuration Recording > Name
- AWS > Turbot > Service Roles > Default EC2 Instance
- AWS > Turbot > Service Roles > Default EC2 Instance > Name
- AWS > Turbot > Service Roles > Default EC2 Instance > SSM Permissions
- AWS > Turbot > Service Roles > Event Handlers [Global]
- AWS > Turbot > Service Roles > Event Handlers [Global] > Name
- AWS > Turbot > Service Roles > Flow Logging
- AWS > Turbot > Service Roles > Flow Logging > Name
- AWS > Turbot > Service Roles > Name Path
- AWS > Turbot > Service Roles > Name Prefix
- AWS > Turbot > Service Roles > SSM Notifications
- AWS > Turbot > Service Roles > SSM Notifications > Name
- AWS > Turbot > Service Roles > Source
- AWS > Turbot > Service Roles > Terraform Version
AWS > Account > Approved Regions [Default]
A list of AWS regions in which resources are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy is the default value for all AWS services' Approved Regions policies.

This policy is also used as the default value for AWS > Turbot > Logging > Bucket > Regions, which determines in which regions to create Guardrails S3 logging buckets.

{
  regions: policyValue(uri:"tmod:@turbot/aws#/policy/types/regionsDefault") {
    value
  }
}
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > Account > Budget > Enabled
Determine whether budget reporting is enabled for the AWS Account.

If enabled, the Budget control will gather cost data from the cloud provider, and will alarm if the Budget > State reaches the configured threshold.
[ "Skip", "Check: Budget > State is On Target or below"]
{ "type": "string", "enum": [ "Skip", "Check: Budget > State is On Target or below" ], "example": [ "Skip" ], "default": "Skip"}
AWS > Account > Budget > State
The current state of the budget, based on the Current Spend, Forecast Spend, and Thresholds.

Note: The default (calculated) value is usually appropriate, however you can override the Guardrails behavior by setting this policy (either via calculated policy or immediate value). DON'T CHANGE THIS UNLESS YOU KNOW WHAT YOU'RE DOING!

{
  item: account {
    turbot {
      id
    }
  }
}

{
  target: policy(uri: "#/policy/types/accountBudgetLimit")
  budgetEnabled: policy(uri: "#/policy/types/accountBudgetEnabled")
  budgetData: resources(filter: "resourceTypeId:'tmod:@turbot/aws#/resource/types/budget' resourceId:{{ $.item.turbot.id }}") {
    items {
      currentMonthActualSpend: get(path:"currentMonthActualSpend")
      currentMonthForecastSpend: get(path:"currentMonthForecastSpend")
      lastUpdatedTime: get(path:"lastUpdatedTime")
      metadata
    }
  }
}

'{%- if $.budgetEnabled == "Skip" -%}
  Unknown
{%- elif $.budgetData.items[0].metadata.budgetUpdatedSince >= 23 or $.budgetData.items[0].currentMonthForecastSpend === "" or $.budgetData.items[0].currentMonthActualSpend === "" or $.target === -1 -%}
  Unknown
{%- elif $.budgetData.items[0].currentMonthForecastSpend >= 5 * $.target or $.budgetData.items[0].currentMonthActualSpend >= 3 * $.target -%}
  Shutdown
{%- elif $.budgetData.items[0].currentMonthForecastSpend >= 3 * $.target or $.budgetData.items[0].currentMonthActualSpend >= 2 * $.target -%}
  Critical
{%- elif $.budgetData.items[0].currentMonthForecastSpend >= 1.25 * $.target or $.budgetData.items[0].currentMonthActualSpend > 1 * $.target -%}
  Over
{%- elif $.budgetData.items[0].currentMonthForecastSpend >= 0.5 * $.target -%}
  On target
{%- elif $.budgetData.items[0].currentMonthForecastSpend >= 0.1 * $.target -%}
  Under
{%- else -%}
  Unused
{%- endif -%}'
{ "type": "string", "enum": [ "Unknown", "Unused", "Under", "On target", "Over", "Critical", "Shutdown" ]}
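The calculated policy above is the whole budget state machine: a "Skip" or stale/incomplete input yields Unknown, and the remaining branches are ordered from most to least severe so that the first matching multiple of the target wins. The following Python is an added example that reproduces that decision logic outside Guardrails (it is not Turbot's code); the multipliers and guard conditions come from the template on the page, while the BudgetData field names, the budget_state function and the sample inputs are constructed here for illustration. It is useful for unit-testing threshold choices before changing the Budget > Target, and it shows the boundary case where spend lands exactly on the target.

```python
"""Budget > State decision logic, reproduced from the calculated policy.

Added example, not Guardrails' own code. Thresholds and the Unknown guards
come from the Nunjucks template; names and sample values are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Union

Number = Union[int, float]


@dataclass
class BudgetData:
    """Fields the template reads from the budget resource (constructed names)."""
    current_month_actual_spend: Optional[Number]    # None stands for "" in the template
    current_month_forecast_spend: Optional[Number]
    budget_updated_since_hours: Number              # metadata.budgetUpdatedSince


def budget_state(budget_enabled: str, target: Number, data: BudgetData) -> str:
    """Return one of the enum values from the Budget > State schema.

    Order matters: the template tests the most severe state first, so a
    forecast of 5x target is reported as Shutdown, not Critical or Over.
    """
    if budget_enabled == "Skip":
        return "Unknown"

    actual = data.current_month_actual_spend
    forecast = data.current_month_forecast_spend

    # Stale data (>= 23 hours old), missing figures, or the unchanged
    # default target of -1 all mean the state cannot be computed.
    if (data.budget_updated_since_hours >= 23
            or forecast is None or actual is None
            or target == -1):
        return "Unknown"

    if forecast >= 5 * target or actual >= 3 * target:
        return "Shutdown"
    if forecast >= 3 * target or actual >= 2 * target:
        return "Critical"
    if forecast >= 1.25 * target or actual > 1 * target:
        return "Over"
    if forecast >= 0.5 * target:
        return "On target"
    if forecast >= 0.1 * target:
        return "Under"
    return "Unused"


if __name__ == "__main__":
    # Constructed sample: a 1000 USD target with several spend scenarios.
    enabled = "Check: Budget > State is On Target or below"
    for actual, forecast in [(100, 5000), (100, 3000), (1001, 100), (1000, 1000), (0, 100), (0, 50)]:
        data = BudgetData(actual, forecast, 1)
        print(actual, forecast, "->", budget_state(enabled, 1000, data))
```

Note that the actual-spend test for "Over" is strict (`>`), while every forecast test is `>=`: an account that has spent exactly its target with a flat forecast is still reported as On target.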
AWS > Account > Budget > Target
The budget target for this AWS Account, in US Dollars. The Budget > State is calculated by comparing this target to the Current Spend and Forecast Spend.

Note: You must change this value from the default in order to enforce budget actions.
{ "type": "number", "default": -1}
AWS > Account > CMDB
Configure whether to record and synchronize details for the AWS account into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > Account > Partition
The AWS partition for this account. By default, Guardrails will determine the partition by parsing the AWS > Account > Guardrails IAM Role, though you can override this behavior if required.

For standard AWS regions, the partition is aws. For resources in the AWS GovCloud (US-West) region, the partition is aws-us-gov.

Note: The default (calculated) value is usually appropriate, however you can override the Guardrails behavior by setting this policy (either via calculated policy or immediate value). DON'T CHANGE THIS UNLESS YOU KNOW WHAT YOU'RE DOING!

{
  account {
    turbot {
      id
    }
  }
}

{
  iamRole: policy(uri:"#/policy/types/turbotIamRole" resourceId:"{{ $.account.turbot.id }}")
}
"{% if $.iamRole %}{{ $.iamRole.split(':')[1] }}{% else %}{% endif %}"
AWS > Account > Regions
A list of AWS regions in which resources are recorded.

The expected format is an array of region names.

This policy is the default value for all AWS services' Regions policies.
{ "type": "array", "default": [ "ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2", "us-gov-east-1", "us-gov-west-1", "cn-north-1", "cn-northwest-1" ], "items": { "type": "string", "pattern": "^[a-z0-9-]+$" }}
AWS > Account > Stack
Configure a custom stack on AWS, per the custom Stack > Source.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
[ "Skip", "Check: Configured", "Enforce: Configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Enforce: Configured" ], "default": "Skip"}
AWS > Account > Stack > Secret Variables
Terraform secret variables in Terraform HCL that will be used as inputs to the stack as a .tfvars file.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Account > Stack > Source
The Terraform HCL source used to configure this stack.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Account > Stack > Terraform Version
The Version of Terraform to use for this stack. Specify an npm-style semver string to determine which version of the Terraform container Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.

{
  terraformVersion: policy(uri:"tmod:@turbot/turbot#/policy/types/stackTerraformVersion")
}
"{% if $.terraformVersion %}"{{$.terraformVersion}}"{% else %}""{% endif %}"
{ "type": "string"}
AWS > Account > Stack > Variables
Terraform variables in Terraform HCL that will be used as inputs to the stack as a .tfvars file.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Account > Tags Template [Default]
A template used to generate the keys and values for AWS resources. By default, all AWS service Tags Template [Default] policies will use this value.

{
  defaultTags: resource {
    tags(resolution: RECOMMENDED)
  }
}
"{%- if $.defaultTags.tags | length == 0 %} [] {%- elif $.defaultTags.tags != undefined %}{{ $.defaultTags.tags | dump | safe }}{% endif %}"
AWS > Account > Trusted Accounts [Default]
A list of AWS Account IDs that users may share resources with.

The expected format is an array of account IDs.

This policy is the default value for all AWS services' Trusted Accounts policies.

example:
  - "013122550996"
  - "560741234067"
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "(?:^[0-9]{12}$|^\\*$)" }}
AWS > Account > Trusted Identity Providers [Default]
A list of AWS federation principals that users may share resources with.

The expected format is an array of identity providers.

This policy is the default value for all AWS services' Trusted Identity Providers policies.

example:
  - www.google.com
  - www.facebook.com
{ "type": "array", "default": [ "*" ], "items": { "type": "string" }}
AWS > Account > Trusted Organizations [Default]
A list of AWS Organization IDs that users may share resources with.

The expected format is an array of organization IDs.

This policy is the default value for all AWS services' Trusted Organizations policies.

example:
  - "o-333333333"
  - "o-c3a5y4wd52"
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "(?:^o-[a-z0-9]{10,32}$|^\\*$)" }}
AWS > Account > Trusted Services [Default]
A list of AWS service principals that users may share resources with.

The expected format is an array of services.

This policy is the default value for all AWS services' Trusted Services policies.

example:
  - sns.amazonaws.com
  - ec2.amazonaws.com
{ "type": "array", "default": [ "*" ], "items": { "type": "string", "pattern": "(?:^\\S*\\.amazonaws\\.com$|^\\*$)" }}
AWS > Account > Turbot IAM Access Key ID
IAM access key ID used by Guardrails for access to the AWS account.
{ "type": "string", "pattern": "^A[KS]IA[A-Z0-9]{16}$"}
AWS > Account > Turbot IAM Credential Type
IAM credential type that Guardrails will use for access to the AWS account. Guardrails recommends setting this policy value to 'Role'.
[ "Role", "Access key pair"]
{ "type": "string", "enum": [ "Role", "Access key pair" ], "default": "Role"}
AWS > Account > Turbot IAM Role
IAM Role used by Guardrails for access to the AWS account.
{ "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:iam::[0-9]{12}:role(/[A-Za-z0-9.,+@=_-]+)*/[A-Za-z0-9+=,.@_-]{1,64}$"}
AWS > Account > Turbot IAM Role > Assume Role Timeout
The timeout in minutes used when Guardrails assumes IAM roles in AWS accounts for background tasks.
{ "type": "integer", "minimum": 15, "maximum": 60, "default": 60}
AWS > Account > Turbot IAM Role > External ID
External ID for secure access to the Turbot IAM Role
{ "type": "string", "minLength": 1}
AWS > Account > Turbot IAM Role > External ID > Protection
When generating credentials for the AWS account, check if the role's external ID is in the protected format, e.g., turbot:123456789012345:foo, and if it is, check if the turbot resource ID is for the workspace's turbot resource. If the turbot resource ID does not match, credentials will not be generated.

If set to Protected, the external ID must be in the protected format for credentials to be generated.
[ "Open", "Protected"]
{ "type": "string", "enum": [ "Open", "Protected" ], "default": "Open"}
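The two modes above combine into a small decision: a protected-format external ID is always bound to the workspace's turbot resource ID, and Protected mode additionally refuses any external ID that is not in that format. The following Python is an added example (not Turbot's code) that makes the decision explicit so it can be reviewed and tested; the page shows only the shape of the protected format (turbot:123456789012345:foo), so the parser assumes `turbot:<numeric resource id>:<label>`, and the function names, the workspace ID and the sample external IDs are constructed here.

```python
"""External ID protection check for the Turbot IAM Role.

Added example, not Guardrails' own code. Assumes the protected format is
'turbot:<numeric resource id>:<label>', generalising the single example on
the page; names and sample values are constructed.
"""
import re
from typing import NamedTuple, Optional

# Assumed grammar of the protected format (only the page's example is known).
PROTECTED_FORMAT = re.compile(r"^turbot:(?P<resource_id>[0-9]+):(?P<label>.+)$")


class ParsedExternalId(NamedTuple):
    resource_id: str
    label: str


def parse_protected_external_id(external_id: str) -> Optional[ParsedExternalId]:
    """Return the parts of a protected-format external ID, or None when the
    value is not in the protected format (an 'open' external ID)."""
    m = PROTECTED_FORMAT.match(external_id)
    if not m:
        return None
    return ParsedExternalId(m.group("resource_id"), m.group("label"))


def may_generate_credentials(protection: str, external_id: str,
                             workspace_turbot_id: str) -> bool:
    """Decide whether credentials may be generated for the account.

    Open      : any external ID is accepted, unless it is in the protected
                format and names a different workspace's turbot resource.
    Protected : the external ID must be in the protected format and must
                name this workspace's turbot resource.
    """
    if protection not in ("Open", "Protected"):
        raise ValueError(f"unknown protection mode: {protection!r}")
    parsed = parse_protected_external_id(external_id)
    if parsed is None:
        # Not in the protected format: acceptable only while the policy is Open.
        return protection == "Open"
    # Protected format: the embedded resource ID must belong to this workspace.
    return parsed.resource_id == workspace_turbot_id


if __name__ == "__main__":
    # Constructed sample workspace ID and external IDs.
    ws = "123456789012345"
    for mode in ("Open", "Protected"):
        for ext in ("shared-secret", f"turbot:{ws}:foo", "turbot:999999999999999:foo"):
            print(mode, ext, "->", may_generate_credentials(mode, ext, ws))
```

The asymmetry is the point: even in Open mode, a protected-format external ID that names another workspace is refused, so a role whose external ID was minted for one workspace cannot be picked up by a different one; Protected mode simply closes the remaining gap for external IDs with no workspace binding at all.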
AWS > Account > Turbot IAM Secret Access Key
IAM secret access key used by Guardrails for access to the AWS account.
{ "type": "string", "pattern": "^[A-z0-9/+=]{40}$"}
AWS > Region > Discovery
AWS > Region > Discovery > Connection Region
Configure the connection region used to discover regions in an AWS > Account.

{
  partition: policy(uri:"tmod:@turbot/aws#/policy/types/partition")
}
"{% if $.partition === "aws-cn" %}"cn-north-1"{% elif $.partition === "aws-us-gov" %}"us-gov-west-1"{% else %}"us-east-1"{% endif %}"
{ "type": "string", "pattern": "^[a-z0-9-]+$"}
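The Partition policy (AWS > Account > Partition) derives the partition from the second colon-separated field of the Turbot IAM Role ARN, and the Connection Region policy above maps that partition to the region Guardrails connects to first. The following Python is an added example (not Turbot's code) that carries both calculations through together, so the effect of a role ARN on discovery can be checked before onboarding an account; the split rule, the partition-to-region mapping and the ARN regex are taken from this page, while the function names and sample ARNs are constructed. It goes slightly beyond the template by validating the ARN against the Turbot IAM Role schema pattern instead of blindly splitting it.

```python
"""Partition and discovery connection region from the Turbot IAM Role ARN.

Added example, not Guardrails' own code. ROLE_ARN_PATTERN is the schema
pattern for AWS > Account > Turbot IAM Role; the region table mirrors the
Connection Region template. Sample ARNs are constructed.
"""
import re

ROLE_ARN_PATTERN = re.compile(
    r"^arn:aws(-us-gov|-cn)?:iam::[0-9]{12}:role(/[A-Za-z0-9.,+@=_-]+)*/[A-Za-z0-9+=,.@_-]{1,64}$"
)

# From the Connection Region template; anything else falls back to us-east-1.
CONNECTION_REGION_BY_PARTITION = {
    "aws-cn": "cn-north-1",
    "aws-us-gov": "us-gov-west-1",
}


def is_valid_role_arn(role_arn: str) -> bool:
    """True when the ARN satisfies the Turbot IAM Role schema pattern."""
    return ROLE_ARN_PATTERN.match(role_arn) is not None


def partition_from_role_arn(role_arn: str) -> str:
    """Mirror AWS > Account > Partition: '' when no role is set, otherwise the
    second ':'-separated field of the ARN.

    Unlike the template, a non-empty value that fails the schema pattern is
    rejected rather than split, so a malformed ARN cannot yield a bogus partition.
    """
    if not role_arn:
        return ""
    if not is_valid_role_arn(role_arn):
        raise ValueError(f"not a valid Turbot IAM Role ARN: {role_arn!r}")
    return role_arn.split(":")[1]


def connection_region(partition: str) -> str:
    """Mirror AWS > Region > Discovery > Connection Region."""
    return CONNECTION_REGION_BY_PARTITION.get(partition, "us-east-1")


def discovery_region_for_role(role_arn: str) -> str:
    """End-to-end: role ARN -> partition -> region used for region discovery."""
    return connection_region(partition_from_role_arn(role_arn))


if __name__ == "__main__":
    # Constructed sample ARNs for the three partitions.
    for arn in ("arn:aws:iam::123456789012:role/turbot",
                "arn:aws-us-gov:iam::123456789012:role/turbot/guardrails",
                "arn:aws-cn:iam::123456789012:role/turbot"):
        print(arn, "->", partition_from_role_arn(arn), discovery_region_for_role(arn))
```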
AWS > Region > Logging Bucket [Default]
Specifies an S3 bucket to be used as the default logging destination in this region.

This policy is referenced by other policies to provide a single configurable logging destination across services.

{
  region {
    turbot {
      id
    }
  }
}

{
  bucketName: policy(uri:"#/policy/types/loggingBucketName", resourceId: "{{ $.region.turbot.id }}")
}
"{{ $.bucketName }}"
{ "type": "string"}
AWS > Region > Stack
Configure a custom stack on AWS, per the custom Stack > Source.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
[ "Skip", "Check: Configured", "Enforce: Configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Enforce: Configured" ], "default": "Skip"}
AWS > Region > Stack > Secret Variables
Terraform secret variables in Terraform HCL that will be used as inputs to the stack as a .tfvars file.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Region > Stack > Source
The Terraform HCL source used to configure this stack.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Region > Stack > Terraform Version
The Version of Terraform to use for this stack. Specify an npm-style semver string to determine which version of the Terraform container Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.

{
  terraformVersion: policy(uri:"tmod:@turbot/turbot#/policy/types/stackTerraformVersion")
}
"{% if $.terraformVersion %}"{{$.terraformVersion}}"{% else %}""{% endif %}"
{ "type": "string"}
AWS > Region > Stack > Variables
Terraform variables in Terraform HCL that will be used as inputs to the stack as a .tfvars file.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Turbot
AWS > Turbot > Audit Trail
Configure the Turbot CloudTrail stack.

The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to record an audit trail of API calls to your AWS accounts.
[ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured" ], "default": "Skip"}
AWS > Turbot > Audit Trail > CloudTrail
Placeholder
AWS > Turbot > Audit Trail > CloudTrail > Trail
Placeholder
AWS > Turbot > Audit Trail > CloudTrail > Trail > CloudWatch Role
The name of an IAM role that CloudTrail will assume to write logs to CloudWatch Logs.

If CloudWatch Log forwarding is enabled, you must also specify a role that CloudTrail can assume to write the logs. This role must have logs:CreateLogStream and logs:PutLogEvents for the CloudWatch Log Group, and must allow the CloudTrail service (cloudtrail.amazonaws.com) to assume the role.

The role must already exist - the stack won't create it.
{ "type": "string", "default": ""}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Enabled
The desired state of the CloudTrail. When disabled, a CloudTrail does not log any events.

The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to record an audit trail of API calls to your AWS accounts.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Encryption Key
The KMS key ID that encrypts the logs delivered by CloudTrail. The value is a fully specified ARN to a KMS key in the format:
  arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012

If a key is specified in this policy, SSE-KMS encryption will be enabled with this key. If the Encryption Key policy is blank, the default (SSE-S3) encryption will be used.

The key will not be created in this stack - it must already exist and CloudTrail must have the correct permissions to use the key. Guardrails will not modify the key policy.
{ "type": "string", "default": ""}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Event Selectors
An event selector that specifies which events to log in the Guardrails Trail. If no event selector is specified, the trail will log all read and write management events, and no data events.

The Event Selectors policy allows you to specify up to 5 CloudTrail event selectors to further specify the management and S3 and/or Lambda data event settings for the trail.

By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events.

The format of this policy is the native Terraform HCL for event selectors.
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }, "default": ""}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Global Region
The region that will host the Guardrails Trail when configured to use a multi-region trail.

The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to record an audit trail of API calls to your AWS accounts.

{
  account {
    turbot {
      id
    }
  }
}

{
  partitionPolicy: policy(uri:"#/policy/types/partition" resourceId: "{{ $.account.turbot.id }}")
}
"{% if $.partitionPolicy == 'aws' %}us-east-1{% else %}us-gov-west-1{% endif %}"
AWS > Turbot > Audit Trail > CloudTrail > Trail > Include Global Service Events
Determine whether or not events from global services (such as IAM, STS, CloudFront, and Route 53) are logged to the Guardrails trail.

If you have multiple single region trails, consider configuring your trails so that global service events are delivered in only one of the trails.
[ "Enabled: Include Global Service Events", "Disabled: Do not include Global Service Events"]
{ "type": "string", "enum": [ "Enabled: Include Global Service Events", "Disabled: Do not include Global Service Events" ], "default": "Enabled: Include Global Service Events"}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Log File Validation
Determine whether or not log file integrity validation is enabled for the Guardrails trail.

Enable CloudTrail log file integrity validation to determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Name
A policy that displays the calculated Guardrails CloudTrail name for this region.

This stack configures a CloudTrail for auditing API calls.
{ "type": "string"}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Name Prefix
A string to be used as a prefix to the Guardrails generated name for the Guardrails managed CloudTrail. The name will be prepended with this value.

The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to record an audit trail of API calls to your AWS accounts.

Note that this policy is ignored if the AWS > Turbot > Audit Trail > CloudTrail > Trail > Name policy has a policy setting defined explicitly.
{ "type": "string", "default": "turbot-", "example": "turbot-"}
AWS > Turbot > Audit Trail > CloudTrail > Trail > S3 Bucket
The name of an S3 bucket to which the Guardrails Trail will be delivered.

CloudTrail must write to S3, thus this policy is required. The S3 bucket must already exist (the stack will not create it) and the CloudTrail service must be allowed write access. The bucket can reside in any region of any account.

{
  region {
    turbot {
      id
    }
  }
}

{
  bucketName: policy(uri:"#/policy/types/loggingBucketDefault", resourceId: "{{ $.region.turbot.id }}")
}
"{{ $.bucketName }}"
{ "type": "string"}
AWS > Turbot > Audit Trail > CloudTrail > Trail > S3 Key Prefix
An S3 key prefix to which the Guardrails Trail will be written.
{ "type": "string", "default": ""}
AWS > Turbot > Audit Trail > CloudTrail > Trail > SNS Topic
An SNS Topic ARN to which to send notifications when CloudTrail publishes logs. If no topic is specified (the SNS Topic policy is blank), then SNS forwarding will be disabled for the Guardrails Trail.

Note that the SNS topic will not be created in this stack - it must already exist. The SNS topic policy must allow CloudTrail to publish to the topic - the stack will not update the policy.
{ "type": "string", "default": "", "example": "arn:aws:sns:us-east-2:123456789012:MyTopic"}
AWS > Turbot > Audit Trail > CloudTrail > Trail > Tags
A list of key:value pairs to add as AWS tags onto the Guardrails managed CloudTrail resource.

The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to record an audit trail of API calls to your AWS accounts.
AWS > Turbot > Audit Trail > CloudTrail > Trail > Type
The type of CloudTrail deployment to use with Guardrails Audit Trail.

CloudTrail has options for multi-region or single region trails, as well as a new option for Organization trails (for customers that leverage AWS Organizations). This provides flexibility in implementation (as well as backwards compatibility - neither multi-region nor organization trails were options when the service launched).

Note that Guardrails must manage your Organization Master account in order to use an Organization trail - this can only be configured from the Organization master account.
[ "A trail in each region of each account", "A multi-region trail in the `Trail > Global Region` in each account"]
{ "type": "string", "enum": [ "A trail in each region of each account", "A multi-region trail in the `Trail > Global Region` in each account" ], "default": "A multi-region trail in the `Trail > Global Region` in each account"}
AWS > Turbot > Audit Trail > Source
The Terraform source used to configure the Guardrails Audit Trail stack.

The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to record an audit trail of API calls to your AWS accounts.

This policy is read-only, as the Audit Trail source is generated by Guardrails.
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Turbot > Audit Trail > Terraform Version
The Version of Terraform to use for this stack. Specify an npm-style semver string to determine which version of the Terraform container Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
{ "type": "string"}
AWS > Turbot > Event Handlers
Configure the Guardrails AWS Event Handlers stack. This stack configures the EventBridge and SNS resources required for Guardrails real-time event routing. For more information refer to the AWS Event Handler documentation.

Notes:
- The AWS Event Handler control ignores the Turbot > Change Window policy.
- For proper management of AWS Event Handlers, the aws, aws-iam, aws-kms, aws-events and aws-sns mods must be installed. Additional information can be found in the required mods section of the AWS Event Handler docs.
[ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured" ], "default": "Skip"}
AWS > Turbot > Event Handlers > Events
AWS > Turbot > Event Handlers > Events > Rules
AWS > Turbot > Event Handlers > Events > Rules > Account Filter
Configure whether to add the account filter to the EventBridge Rules created via the AWS > Turbot > Event Handlers stack. If Enabled, the EventBridge rules will raise events only for the account where the Event Handlers are deployed.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Disabled"}
AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns
The CloudWatch Events event pattern used by the AWS S3 module to specify which events to forward to the Guardrails Event Handlers.

This is a read-only policy used internally by Guardrails.
AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > Billing Console
The CloudWatch Events event pattern used by the AWS module to specify which events to forward to the Guardrails Event Handlers.
{ "type": "array", "items": { "type": "object", "properties": { "type": { "type": "object", "properties": { "title": { "type": "string" } } }, "value": { "type": "object", "properties": { "source": { "type": "array", "items": { "type": "string" } }, "detail-type": { "type": "array", "items": { "type": "string" } }, "detail": { "type": "object", "properties": { "eventName": { "type": "array" } }, "required": [ "eventName" ] } }, "required": [ "source" ] } }, "required": [ "type" ] }, "default": [ { "type": { "title": "Billing Console", "name": "billingconsole" }, "value": { "source": [ "aws.billingconsole" ], "detail-type": [ "AWS Console Action via CloudTrail" ], "detail": { "eventName": [ "DisableRegion", "EnableRegion" ] } } } ]}
AWS > Turbot > Event Handlers > Events > Rules > Event Sources
The Terraform source used to configure the Guardrails Event Handlers stack.

This stack configures AWS CloudWatch Events rules and targets, and SNS topics and subscriptions to enable real-time event handling in an AWS region.

This policy is read-only, as source is generated by Guardrails.
{ "type": "array", "items": { "type": "string" }}
AWS > Turbot > Event Handlers > Events > Rules > Name Prefix
A string to be used as a prefix to the Guardrails generated name on the Guardrails Event Handlers CloudWatch Events rules. The names will be pre-pended with this value.
{ "type": "string", "default": "turbot_", "example": "turbot_"}
AWS > Turbot > Event Handlers > Events > Rules > Tags
A list of key:value pairs to add as AWS tags on the Guardrails Event Handlers Events rules.
AWS > Turbot > Event Handlers > SNS
AWS > Turbot > Event Handlers > SNS > Topic
AWS > Turbot > Event Handlers > SNS > Topic > Customer Managed Key
A Customer Managed KMS key used for server side encryption of the SNS topic created for the AWS Event Handlers.

If no key is specified, server side encryption will not be enabled.

If the specified key does not exist in AWS or is improperly specified in the policy, the SNS topic will silently stop working and halt event handling for the region. Resolve by picking an existing key or removing this policy.

Note that the key will not be created in this stack - it must already exist. The key policy must grant the kms:GenerateDataKey* and kms:Decrypt permissions to Amazon CloudWatch Events (events.amazonaws.com). The Guardrails user must also have permissions to decrypt messages with this CMK.

See https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
{ "type": "string", "default": ""}
AWS > Turbot > Event Handlers > SNS > Topic > Name Prefix
A string to be used as a prefix to the Guardrails generated name on the Guardrails Event Handlers SNS topic. The name will be pre-pended with this value.
{ "type": "string", "default": "turbot_", "example": "turbot_"}
AWS > Turbot > Event Handlers > SNS > Topic > Tags
A list of key:value pairs to add as AWS tags on the Guardrails Event Handlers SNS topic.
AWS > Turbot > Event Handlers > Source
The Terraform source used to configure the Event Handlers stack.
This policy is read-only, as the Event Handlers source is generated by Guardrails.
{ "type": "string", "x-schema-form": { "type": "code", "language": "json" }}
AWS > Turbot > Event Handlers > Terraform Version
The version of Terraform to use for this stack. Specify an npm-style semver string to determine which version of the Terraform container Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
{ "type": "string"}
AWS > Turbot > Event Handlers [Global]
Configure the Guardrails AWS Event Handlers [Global] stack. This stack configures the EventBridge and SNS resources required for Guardrails real-time event routing.

Notes:
- The AWS Event Handler control ignores the Turbot > Change Window policy.
- For proper management of AWS Event Handlers [Global], the aws, aws-iam, aws-kms, aws-events and aws-sns mods must be installed. Additional information can be found in the required mods section of the AWS Event Handler docs.
[ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured" ], "default": "Skip"}
AWS > Turbot > Event Handlers [Global] > Events
AWS > Turbot > Event Handlers [Global] > Events > Rules
AWS > Turbot > Event Handlers [Global] > Events > Rules > Name Prefix
A string to be used as a prefix to the Guardrails generated name on the Guardrails Event Handlers [Global] CloudWatch Events rules. The names will be pre-pended with this value.
{ "type": "string", "default": "turbot_", "example": "turbot_"}
AWS > Turbot > Event Handlers [Global] > Events > Rules > Tags
A list of key:value pairs to add as AWS tags on the Guardrails Event Handlers [Global] Events rules.
AWS > Turbot > Event Handlers [Global] > Events > Target
AWS > Turbot > Event Handlers [Global] > Events > Target > IAM Role ARN
The IAM Role used to forward events from the non-primary regions to the AWS > Turbot > Event Handlers [Global] > Primary Region. By default, this policy is set via the AWS > Turbot > Service Roles > Event Handlers [Global] policy, but can be overwritten if needed.

The below permissions are needed at minimum to allow the Role to forward events to the Primary Region correctly.

{
  "Statement": [
    {
      "Action": [
        "events:PutEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:<partition>:events:<region>:<accountId>:event-bus/default"
    }
  ],
  "Version": "2012-10-17"
}
{ "type": "string"}
AWS > Turbot > Event Handlers [Global] > Primary Region
The primary region for the AWS > Turbot > Event Handlers [Global] stack. All EventBridge and SNS resources required for real-time event routing will be deployed in this region.
"{\n partition: policy(uri:\"tmod:@turbot/aws#/policy/types/partition\")\n}\n"
"{% if $.partition === "aws-cn" %}"cn-north-1"{% elif $.partition === "aws-us-gov" %}"us-gov-west-1"{% else %}"us-east-1"{% endif %}"
{ "type": "string"}
AWS > Turbot > Event Handlers [Global] > SNS
AWS > Turbot > Event Handlers [Global] > SNS > Topic
AWS > Turbot > Event Handlers [Global] > SNS > Topic > Customer Managed Key
A Customer Managed KMS key used for server side encryption of the SNS topic created for the AWS Event Handlers [Global].

If no key is specified, server side encryption will not be enabled.

If the specified key does not exist in AWS or is improperly specified in the policy, the SNS topic will silently stop working and halt event handling for the region. Resolve by picking an existing key or removing this policy.

Note that the key will not be created in this stack - it must already exist. The key policy must grant the kms:GenerateDataKey* and kms:Decrypt permissions to Amazon CloudWatch Events (events.amazonaws.com). The Guardrails user must also have permissions to decrypt messages with this CMK.

See https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
{ "type": "string", "default": ""}
AWS > Turbot > Event Handlers [Global] > SNS > Topic > Name Prefix
A string to be used as a prefix to the Guardrails generated name on the Guardrails Event Handlers [Global] SNS topic. The name will be pre-pended with this value.
{ "type": "string", "default": "turbot_", "example": "turbot_"}
AWS > Turbot > Event Handlers [Global] > SNS > Topic > Tags
A list of key:value pairs to add as AWS tags on the Guardrails Event Handlers [Global] SNS topic.
AWS > Turbot > Event Handlers [Global] > Source
The Terraform source used to configure the Event Handlers [Global] stack.
This policy is read-only, as the Event Handlers [Global] source is generated by Guardrails.
{ "type": "string", "x-schema-form": { "type": "code", "language": "json" }}
AWS > Turbot > Event Handlers [Global] > Terraform Version
The version of Terraform to use for this stack. Specify an npm-style semver string to determine which version of the Terraform container Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
{ "type": "string"}
AWS > Turbot > Event Poller
Configure the AWS Event Poller. When set to Enabled, the poller will run at the interval specified to retrieve the latest events and forward them to the Guardrails Router.

Note: The Event Poller and Guardrails Event Handler are different mechanisms for sending information to Guardrails. You should enable one or the other, but not both.
"{\n value: policy(uri: \"tmod:@turbot/aws#/policy/types/eventHandlers\")\n}\n"
"{% if $.value == 'Enforce: Configured' %}Disabled{% else %}Enabled{% endif%}\n"
{ "type": "string", "enum": [ "Enabled", "Disabled" ]}
AWS > Turbot > Event Poller > Excluded Events
A list of events that will be filtered out while processing events that are captured via AWS > Turbot > Event Poller.

Example:

 - support:RefreshTrustedAdvisorCheck
 - ssm:UpdateInstanceInformation
 - ssm:Update*
{ "type": "array", "items": { "type": "string", "pattern": "^[a-zA-Z0-9]+[:][a-zA-Z0-9*?]+$" }, "default": [ "support:RefreshTrustedAdvisorCheck" ]}
AWS > Turbot > Event Poller > Interval
The polling interval. This policy determines how often the event poller will run.
[ "Every 1 minute", "Every 2 minutes", "Every 3 minutes", "Every 4 minutes", "Every 5 minutes", "Every 6 minutes", "Every 7 minutes", "Every 8 minutes", "Every 9 minutes", "Every 10 minutes"]
{ "type": "string", "enum": [ "Every 1 minute", "Every 2 minutes", "Every 3 minutes", "Every 4 minutes", "Every 5 minutes", "Every 6 minutes", "Every 7 minutes", "Every 8 minutes", "Every 9 minutes", "Every 10 minutes" ], "default": "Every 2 minutes"}
AWS > Turbot > Event Poller > Window
The polling window, in minutes. This policy determines the oldest events the event poller will retrieve. For example, setting the window to '15 minutes' will cause the poller to retrieve all events from the previous 15 minutes every time it runs.

The Window must be greater than the Interval, and it is recommended to be at least twice the Interval. For example, if the Interval is 'Every 5 Minutes', the Window should be at least '10 Minutes'.
[ "15 minutes", "16 minutes", "17 minutes", "18 minutes", "19 minutes", "20 minutes", "21 minutes", "22 minutes", "23 minutes", "24 minutes", "25 minutes", "26 minutes", "27 minutes", "28 minutes", "29 minutes", "30 minutes"]
{ "type": "string", "enum": [ "15 minutes", "16 minutes", "17 minutes", "18 minutes", "19 minutes", "20 minutes", "21 minutes", "22 minutes", "23 minutes", "24 minutes", "25 minutes", "26 minutes", "27 minutes", "28 minutes", "29 minutes", "30 minutes" ], "default": "15 minutes"}
AWS > Turbot > Logging
AWS > Turbot > Logging > Bucket
Configure the Guardrails Logging Bucket stack.

This stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services.
[ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured" ], "default": "Skip"}
AWS > Turbot > Logging > Bucket > Access Logging
Configure server access logging on the AWS S3 Bucket.

This stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services.
[ "Disabled", "Enabled"]
{ "type": "string", "enum": [ "Disabled", "Enabled" ], "example": [ "Disabled" ], "default": "Disabled"}
AWS > Turbot > Logging > Bucket > Access Logging > Bucket
Configure server access logging on the AWS S3 Bucket.

This stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services.
{ "type": "string", "pattern": "^[a-zA-Z0-9._-]{1,255}$", "default": ""}
AWS > Turbot > Logging > Bucket > Access Logging > Bucket > Key Prefix
Configure server access logging on the AWS S3 Bucket.

This stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services.
{ "type": "string", "pattern": "^.{1,200}$", "default": ""}
AWS > Turbot > Logging > Bucket > Default Encryption
Configure default encryption on the AWS S3 Bucket.

This stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services.
[ "None", "AWS SSE"]
{ "type": "string", "enum": [ "None", "AWS SSE" ], "example": [ "AWS SSE" ], "default": "AWS SSE"}
AWS > Turbot > Logging > Bucket > Encryption in Transit
Configure Encryption in Transit on the AWS S3 Bucket.

This stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services. If Encryption in Transit is set to Enabled, the below statement will be applied to the S3 Bucket.

{
  Sid: "MustBeEncryptedInTransit",
  Effect: "Deny",
  Principal: "*",
  Action: "s3:*",
  Resource: ['arn:${partition}:s3:::${bucketName}', 'arn:${partition}:s3:::${bucketName}/*'],
  Condition: {
    Bool: {
      "aws:SecureTransport": "false"
    }
  }
}
[ "Disabled", "Enabled"]
{ "type": "string", "enum": [ "Disabled", "Enabled" ], "example": [ "Disabled" ], "default": "Disabled"}
AWS > Turbot > Logging > Bucket > Name
A read-only policy that displays the calculated Guardrails logging bucket name for this region.

This stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services.
{ "type": "string"}
AWS > Turbot > Logging > Bucket > Name > Prefix
A string to be used as a prefix to the Guardrails generated name on the Guardrails logging bucket. The name will be pre-pended with this value.

This stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services.
{ "type": "string", "default": "turbot-", "example": "turbot-"}
AWS > Turbot > Logging > Bucket > Regions
A list of regions in which to create Guardrails logging buckets.

This stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services.
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n approvedRegionsPolicy: policy(uri: \"#/policy/types/approvedRegionsDefault\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"]
"{% for item in $.approvedRegionsPolicy %}- '{{ item }}'\n{% endfor %}"
AWS > Turbot > Logging > Bucket > Source
The Terraform source used to configure the Guardrails Logging Bucket stack.

This stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services.

This policy is read-only, as source is generated by Guardrails.
{ "type": "string", "x-schema-form": { "type": "code", "language": "json" }}
AWS > Turbot > Logging > Bucket > Tags
A list of key:value pairs to add as AWS tags on the Guardrails logging bucket.

This stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services.
AWS > Turbot > Logging > Bucket > Versioning
Configure versioning on the AWS S3 Bucket.

This stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services.
[ "Disabled", "Enabled"]
{ "type": "string", "enum": [ "Disabled", "Enabled" ], "example": [ "Enabled" ], "default": "Enabled"}
AWS > Turbot > Logging > Terraform Version
The version of Terraform to use for this stack. Specify an npm-style semver string to determine which version of the Terraform container Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
{ "type": "string"}
AWS > Turbot > Service Roles
Configure standard Guardrails Service Roles for services such as AWS Config, VPC Flow Logs, etc.
[ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured"]
{ "type": "string", "enum": [ "Skip", "Check: Configured", "Check: Not configured", "Enforce: Configured", "Enforce: Not configured" ], "default": "Skip"}
AWS > Turbot > Service Roles > Configuration Recording
Configure the standard Guardrails Service Role for the AWS Config service.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
AWS > Turbot > Service Roles > Configuration Recording > Name
The resource name for the standard Guardrails IAM Config Service Role. This policy is read-only, and generated by Guardrails based on the Service Roles > Name Prefix policy.
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n roleNamePrefix: policy(uri:\"aws#/policy/types/serviceRolesNamePrefix\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"]
"{{ $.roleNamePrefix }}config"
{ "type": "string"}
AWS > Turbot > Service Roles > Default EC2 Instance
Configure the standard Guardrails Service Role for use with AWS EC2 instances.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
AWS > Turbot > Service Roles > Default EC2 Instance > Name
The resource name for the standard Guardrails IAM default EC2 instance Service Role.
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n roleNamePrefix: policy(uri:\"aws#/policy/types/serviceRolesNamePrefix\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"]
"{{ $.roleNamePrefix }}default_ec2_instance_role"
{ "type": "string"}
AWS > Turbot > Service Roles > Default EC2 Instance > SSM Permissions
Configure the standard Guardrails Service Role for the AWS default EC2 instance service with SSM Permissions.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
AWS > Turbot > Service Roles > Event Handlers [Global]
Configure the standard Guardrails Service Role for the AWS > Turbot > Event Handlers [Global] stack.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Disabled"}
AWS > Turbot > Service Roles > Event Handlers [Global] > Name
The resource name for the standard Guardrails AWS > Turbot > Service Roles > Event Handlers [Global] role. This policy is read-only, and generated by Guardrails based on the Service Roles > Name Prefix policy.
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n roleNamePrefix: policy(uri:\"aws#/policy/types/serviceRolesNamePrefix\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"]
"{{ $.roleNamePrefix }}aws_api_events_global"
{ "type": "string"}
AWS > Turbot > Service Roles > Flow Logging
Configure the standard Guardrails Service Role for the AWS VPC Flow Logging service.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
AWS > Turbot > Service Roles > Flow Logging > Name
The resource name for the standard Guardrails IAM VPC Flow Logging Service Role.
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n roleNamePrefix: policy(uri:\"aws#/policy/types/serviceRolesNamePrefix\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"]
"{{ $.roleNamePrefix }}vpc_flow_logging"
{ "type": "string"}
AWS > Turbot > Service Roles > Name Path
The value to be used in resource path names for standard Guardrails Service Roles. The path should start and end with a slash (/).
{ "type": "string", "default": "/turbot/"}
AWS > Turbot > Service Roles > Name Prefix
A prefix to be used in resource names for standard Guardrails IAM Service Roles.
{ "type": "string", "default": "turbot_"}
AWS > Turbot > Service Roles > SSM Notifications
Configure the standard Guardrails Service Role for AWS SSM Notifications.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
AWS > Turbot > Service Roles > SSM Notifications > Name
The resource name for the standard Guardrails SSM Notifications Service Role.
"{\n item: account {\n turbot{\n id\n }\n }\n roleNamePrefix: policy(uri: \"#/policy/types/serviceRolesNamePrefix\")\n}\n"
"'{{ $.roleNamePrefix }}ssm_notifications_role'"
{ "type": "string"}
AWS > Turbot > Service Roles > Source
The Terraform source used to configure the standard Guardrails Service Roles.
This policy is read-only, as the stack source is generated by Guardrails.
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > Turbot > Service Roles > Terraform Version
The version of Terraform to use for this stack. Specify an npm-style semver string to determine which version of the Terraform container Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
{ "type": "string"}