Policy types for @turbot/aws

AWS > Account > Approved Regions [Default]

A list of AWS regions in which resources are approved for use.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

This policy is the default value for all AWS services' Approved Regions
policies.

This policy is also used as the default value for AWS > Turbot > Logging > Bucket > Regions,
which determines in which regions to create Guardrails S3 logging buckets.

URI
tmod:@turbot/aws#/policy/types/approvedRegionsDefault
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws#/policy/types/regionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

AWS > Account > Budget > Enabled

Determine whether budget reporting is enabled for the AWS Account.

If enabled, the Budget control will gather cost data
from the cloud provider, and will alarm if the
Budget > State reaches the configured threshold.

URI
tmod:@turbot/aws#/policy/types/accountBudgetEnabled
Valid Value
[
"Skip",
"Check: Budget > State is On Target or below"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Budget > State is On Target or below"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > Account > Budget > State

The current state of the budget, based on the Current Spend, Forecast Spend,
and the Budget > Target thresholds.

Note: The default (calculated) value is usually appropriate; however,
you can override the Guardrails behavior by setting this policy (either
via a calculated policy or an immediate value). DON'T CHANGE THIS UNLESS
YOU KNOW WHAT YOU'RE DOING!

URI
tmod:@turbot/aws#/policy/types/accountBudgetState
Default Template Input
[
"{\n item: account {\n turbot {\n id\n }\n }\n}\n",
"{\n target: policy(uri: \"#/policy/types/accountBudgetLimit\")\n budgetEnabled: policy(uri: \"#/policy/types/accountBudgetEnabled\")\n budgetData: resources(filter: \"resourceTypeId:'tmod:@turbot/aws#/resource/types/budget' resourceId:{{ $.item.turbot.id }}\") {\n items{\n currentMonthActualSpend: get(path:\"currentMonthActualSpend\")\n currentMonthForecastSpend: get(path:\"currentMonthForecastSpend\")\n lastUpdatedTime: get(path:\"lastUpdatedTime\")\n metadata\n }\n }\n}\n"
]
Default Template
"'{%- if $.budgetEnabled == \"Skip\" -%}\n Unknown\n {%- elif $.budgetData.items[0].metadata.budgetUpdatedSince >= 23 or $.budgetData.items[0].currentMonthForecastSpend === \"\" or $.budgetData.items[0].currentMonthActualSpend === \"\" or $.target === -1 -%}\n Unknown\n {%- elif $.budgetData.items[0].currentMonthForecastSpend >= 5 * $.target or $.budgetData.items[0].currentMonthActualSpend >= 3 * $.target -%}\n Shutdown\n {%- elif $.budgetData.items[0].currentMonthForecastSpend >= 3 * $.target or $.budgetData.items[0].currentMonthActualSpend >= 2 * $.target -%}\n Critical\n {%- elif $.budgetData.items[0].currentMonthForecastSpend >= 1.25 * $.target or $.budgetData.items[0].currentMonthActualSpend > 1 * $.target -%}\n Over\n {%- elif $.budgetData.items[0].currentMonthForecastSpend >= 0.5 * $.target -%}\n On target\n {%- elif $.budgetData.items[0].currentMonthForecastSpend >= 0.1 * $.target -%}\n Under\n {%- else -%}\n Unused\n {%- endif -%}'\n"
Schema
{
"type": "string",
"enum": [
"Unknown",
"Unused",
"Under",
"On target",
"Over",
"Critical",
"Shutdown"
]
}

AWS > Account > Budget > Target

The budget target for this AWS Account, in US Dollars. Budget > State is calculated
by comparing this target to the Current Spend and Forecast Spend.

Note: The default of -1 yields a Budget > State of Unknown; you must change this value from the default in order to enforce budget actions.

URI
tmod:@turbot/aws#/policy/types/accountBudgetLimit
Schema
{
"type": "number",
"default": -1
}
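
The Budget > State default template above is a long Nunjucks if/elif chain; the same decision written as plain Python, as an added example rather than Guardrails code, makes the thresholds and their order easier to read and to test. Field names follow the template input (currentMonthActualSpend, currentMonthForecastSpend, metadata.budgetUpdatedSince) and the Budget > Target policy; the page does not state the unit of budgetUpdatedSince, so only its `>= 23` comparison is reproduced. The sample accounts at the bottom are constructed.

```python
"""Budget > State decision, reproduced from the default template on this page.

Added example, not Guardrails code. The page does not give the unit of
metadata.budgetUpdatedSince; only the template's `>= 23` test is kept.
"""

STATES = ["Unknown", "Unused", "Under", "On target", "Over", "Critical", "Shutdown"]


def budget_state(target, actual, forecast,
                 budget_enabled="Check: Budget > State is On Target or below",
                 updated_since=0):
    """Return one of STATES for an account, mirroring the template's if/elif chain.

    target:   Budget > Target in USD (-1 is the page's default, meaning "not set")
    actual:   currentMonthActualSpend ("" or None when the budget resource has no data)
    forecast: currentMonthForecastSpend (same convention)
    """
    # Budget > Enabled set to Skip: nothing is evaluated.
    if budget_enabled == "Skip":
        return "Unknown"
    # Stale or missing cost data, or a target left at its default of -1, must not
    # raise an alarm, so they all collapse to Unknown.
    if updated_since >= 23 or forecast in ("", None) or actual in ("", None) or target == -1:
        return "Unknown"
    # From here on every comparison is against a multiple of the target. A target of
    # 0 (rather than -1) therefore makes the Shutdown branch true for any spend >= 0.
    if forecast >= 5 * target or actual >= 3 * target:
        return "Shutdown"
    if forecast >= 3 * target or actual >= 2 * target:
        return "Critical"
    if forecast >= 1.25 * target or actual > target:
        return "Over"
    if forecast >= 0.5 * target:
        return "On target"
    if forecast >= 0.1 * target:
        return "Under"
    return "Unused"


if __name__ == "__main__":
    # Constructed sample accounts: (label, target, actual spend, forecast spend)
    samples = [
        ("dev", 1000, 100, 600),
        ("prod", 1000, 1100, 1200),
        ("sandbox", 1000, 50, 80),
        ("target-not-set", -1, 500, 900),
    ]
    for label, target, actual, forecast in samples:
        print(f"{label:15} target={target:>5} actual={actual:>5} forecast={forecast:>5} "
              f"-> {budget_state(target, actual, forecast)}")
```

Two things the table on the page does not make obvious fall out of the code: a forecast can push an account to Over before actual spend exceeds the target (the forecast threshold is 1.25x, the actual-spend threshold is 1x), and a Budget > Target of 0 is not treated like the -1 default.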

AWS > Account > CMDB

Configure whether to record and synchronize details for the AWS account into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip, then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws#/policy/types/accountCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > Account > Partition

The AWS partition for this account. By default, Guardrails will determine the
partition by parsing the AWS > Account > Guardrails IAM Role, though you can
override this behavior if required.

For standard AWS regions, the partition is aws. For AWS GovCloud (US) regions the
partition is aws-us-gov, and for the China regions it is aws-cn.

Note: The default (calculated) value is usually appropriate; however,
you can override the Guardrails behavior by setting this policy (either
via a calculated policy or an immediate value). DON'T CHANGE THIS UNLESS
YOU KNOW WHAT YOU'RE DOING!

URI
tmod:@turbot/aws#/policy/types/partition
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n iamRole: policy(uri:\"#/policy/types/turbotIamRole\" resourceId:\"{{ $.account.turbot.id }}\")\n}\n"
]
Default Template
"{% if $.iamRole %}{{ $.iamRole.split(':')[1] }}{% else %}{% endif %}"

AWS > Account > Regions

A list of AWS regions in which resources are recorded.

The expected format is an array of region names.

This policy is the default value for all AWS services' Regions policies.

URI
tmod:@turbot/aws#/policy/types/regionsDefault
Schema
{
"type": "array",
"default": [
"ap-northeast-1",
"ap-northeast-2",
"ap-northeast-3",
"ap-south-1",
"ap-southeast-1",
"ap-southeast-2",
"ca-central-1",
"eu-central-1",
"eu-north-1",
"eu-west-1",
"eu-west-2",
"eu-west-3",
"sa-east-1",
"us-east-1",
"us-east-2",
"us-west-1",
"us-west-2",
"us-gov-east-1",
"us-gov-west-1",
"cn-north-1",
"cn-northwest-1"
],
"items": {
"type": "string",
"pattern": "^[a-z0-9-]+$"
}
}

AWS > Account > Stack

Configure a custom stack on AWS, per the custom Stack > Source.

A Guardrails Stack is a set of resources configured by Guardrails, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/accountStack
Valid Value
[
"Skip",
"Check: Configured",
"Enforce: Configured"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Configured",
"Enforce: Configured"
],
"default": "Skip"
}

AWS > Account > Stack > Secret Variables

Terraform secret variables in Terraform HCL that will be used as
inputs to the stack as a .tfvars file.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/accountStackSecretVariables
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > Account > Stack > Source

The Terraform HCL source used to configure this stack.

A Guardrails Stack is a set of resources configured by Guardrails, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/accountStackSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > Account > Stack > Terraform Version

The version of Terraform to use for this stack.
Specify an npm-style semver string to
determine which version of the Terraform container
Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/accountStackTerraformVersion
Default Template Input
"{\n terraformVersion: policy(uri:\"tmod:@turbot/turbot#/policy/types/stackTerraformVersion\")\n}\n"
Default Template
"{% if $.terraformVersion %}\"{{$.terraformVersion}}\"{% else %}\"\"{% endif %}"
Schema
{
"type": "string"
}

AWS > Account > Stack > Variables

Terraform variables in Terraform HCL that will be used as
inputs to the stack as a .tfvars file.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/accountStackVariables
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > Account > Tags Template [Default]

A template used to generate the keys and values for AWS
resources. By default, all AWS service Tags Template [Default]
policies will use this value.

URI
tmod:@turbot/aws#/policy/types/defaultTagsTemplate
Default Template Input
"{\n defaultTags: resource {\n tags(resolution: RECOMMENDED)\n }\n}\n"
Default Template
"{%- if $.defaultTags.tags | length == 0 %} [] {%- elif $.defaultTags.tags != undefined %}{{ $.defaultTags.tags | dump | safe }}{% endif %}"

AWS > Account > Trusted Accounts [Default]

A list of AWS Account IDs that users may share resources with.

The expected format is an array of account IDs.

This policy is the default value for all AWS services' Trusted Accounts policies.

Example:
- "013122550996"
- "560741234067"

URI
tmod:@turbot/aws#/policy/types/trustedAccounts
Schema
{
"type": "array",
"default": [
"*"
],
"items": {
"type": "string",
"pattern": "(?:^[0-9]{12}$|^\\*$)"
}
}

AWS > Account > Trusted Identity Providers [Default]

A list of AWS federation principals that users may share resources with.

The expected format is an array of identity providers.

This policy is the default value for all AWS services' Trusted Identity Providers policies.

Example:
- www.google.com
- www.facebook.com

URI
tmod:@turbot/aws#/policy/types/trustedIdentityProviders
Schema
{
"type": "array",
"default": [
"*"
],
"items": {
"type": "string"
}
}

AWS > Account > Trusted Organizations [Default]

A list of AWS Organization IDs that users may share resources with.

The expected format is an array of organization IDs.

This policy is the default value for all AWS services' Trusted Organizations policies.

Example:
- "o-333333333"
- "o-c3a5y4wd52"

URI
tmod:@turbot/aws#/policy/types/trustedOrganizations
Schema
{
"type": "array",
"default": [
"*"
],
"items": {
"type": "string",
"pattern": "(?:^o-[a-z0-9]{10,32}$|^\\*$)"
}
}

AWS > Account > Trusted Services [Default]

A list of AWS service principals that users may share resources with.

The expected format is an array of services.

This policy is the default value for all AWS services' Trusted Services policies.

Example:
- sns.amazonaws.com
- ec2.amazonaws.com

URI
tmod:@turbot/aws#/policy/types/trustedServices
Schema
{
"type": "array",
"default": [
"*"
],
"items": {
"type": "string",
"pattern": "(?:^\\S*\\.amazonaws\\.com$|^\\*$)"
}
}
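
The Trusted * [Default] policies above all default to ["*"], and each carries a schema `pattern` that a value must satisfy before it can be saved; Approved Regions [Default] at the top of the page accepts '*' and '?' wildcards instead. The following added example (not Guardrails code) checks candidate values for both kinds of policy offline: the regular expressions are copied from the schemas on this page, the region list is the AWS > Account > Regions default from this page, and the wildcard translation handles only the two characters the page allows.

```python
"""Pre-flight checks for Trusted * [Default] and Approved Regions [Default] values.

Added example, not Guardrails code. Patterns and the region list are copied from
the schemas on this page.
"""
import re

TRUSTED_PATTERNS = {
    "Trusted Accounts": re.compile(r"(?:^[0-9]{12}$|^\*$)"),
    "Trusted Organizations": re.compile(r"(?:^o-[a-z0-9]{10,32}$|^\*$)"),
    "Trusted Services": re.compile(r"(?:^\S*\.amazonaws\.com$|^\*$)"),
}

REGIONS_DEFAULT = [
    "ap-northeast-1", "ap-northeast-2", "ap-northeast-3", "ap-south-1", "ap-southeast-1",
    "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2",
    "eu-west-3", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2",
    "us-gov-east-1", "us-gov-west-1", "cn-north-1", "cn-northwest-1",
]


def invalid_trusted_entries(policy_name, values):
    """Entries that the policy's JSON-schema `pattern` would reject.

    JSON-schema pattern matching is a search, not a full match; the anchors inside
    the alternation are what pin each entry to a whole account/org ID or '*'.
    """
    pattern = TRUSTED_PATTERNS[policy_name]
    return [v for v in values if not pattern.search(v)]


def trusts_everyone(values):
    """True when the list contains '*', which is the page's default for every
    Trusted * policy and places no restriction on who resources may be shared with."""
    return "*" in values


def wildcard_regex(pattern):
    """Translate an Approved Regions entry: '*' and '?' are wildcards, all else literal."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def approved_regions(approved_patterns, regions=REGIONS_DEFAULT):
    """Regions from `regions` that match at least one Approved Regions entry,
    in the order the Regions policy lists them."""
    regexes = [wildcard_regex(p) for p in approved_patterns]
    return [r for r in regions if any(rx.match(r) for rx in regexes)]
```

Two results worth knowing before setting these policies: the page's first Trusted Organizations example, "o-333333333", has only nine characters after "o-" and is rejected by the page's own pattern, and an Approved Regions entry of "us-*" admits the two GovCloud regions as well as the four commercial US regions, since the default Regions list contains both.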

AWS > Account > Turbot IAM Access Key ID

IAM access key ID used by Guardrails for access to the AWS account.

URI
tmod:@turbot/aws#/policy/types/turbotIamAccessKeyId
Schema
{
"type": "string",
"pattern": "^A[KS]IA[A-Z0-9]{16}$"
}

AWS > Account > Turbot IAM Credential Type

IAM credential type that Guardrails will use for access to the AWS account. Guardrails recommends setting this policy value to 'Role'.

URI
tmod:@turbot/aws#/policy/types/turbotIamCredentialType
Valid Value
[
"Role",
"Access key pair"
]
Schema
{
"type": "string",
"enum": [
"Role",
"Access key pair"
],
"default": "Role"
}

AWS > Account > Turbot IAM Role

IAM Role used by Guardrails for access to the AWS account.

URI
tmod:@turbot/aws#/policy/types/turbotIamRole
Schema
{
"type": "string",
"pattern": "^arn:aws(-us-gov|-cn)?:iam::[0-9]{12}:role(/[A-Za-z0-9.,+@=_-]+)*/[A-Za-z0-9+=,.@_-]{1,64}$"
}

AWS > Account > Turbot IAM Role > Assume Role Timeout

The timeout in minutes used when Guardrails assumes IAM roles in AWS accounts
for background tasks.

URI
tmod:@turbot/aws#/policy/types/turbotIamRoleAssumeRoleTimeout
Schema
{
"type": "integer",
"minimum": 15,
"maximum": 60,
"default": 60
}

AWS > Account > Turbot IAM Role > External ID

External ID for secure access to the Guardrails IAM Role.

URI
tmod:@turbot/aws#/policy/types/turbotIamRoleExternalId
Schema
{
"type": "string",
"minLength": 1
}

AWS > Account > Turbot IAM Role > External ID > Protection

When generating credentials for the AWS account, check whether the role's external ID is in the protected format, e.g., turbot:123456789012345:foo, and if it is, check whether the embedded Guardrails resource ID is the workspace's Guardrails resource ID. If the resource ID does not match, credentials will not be generated.

If set to Protected, the external ID must be in the protected format (with a matching resource ID) for credentials to be generated.

URI
tmod:@turbot/aws#/policy/types/turbotIamRoleExternalIdProtection
Valid Value
[
"Open",
"Protected"
]
Schema
{
"type": "string",
"enum": [
"Open",
"Protected"
],
"default": "Open"
}
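
The decision described above, as an added example rather than Guardrails code: the protected format is inferred from the single example on this page (a literal "turbot", the Guardrails resource ID, and a free-form suffix), so the exact grammar beyond that example is an assumption, as are the constructed workspace and resource IDs. The check is what binds a cross-account role to one Guardrails workspace: a role whose trust policy carries another workspace's external ID is refused even though Guardrails could otherwise assume it.

```python
"""External ID > Protection check for Guardrails credential generation.

Added example, not Guardrails code. The protected format is inferred from the page's
example "turbot:123456789012345:foo"; the regex below is an assumption beyond that.
"""
import re

PROTECTED_EXTERNAL_ID = re.compile(r"^turbot:(?P<resource_id>[0-9]+):(?P<suffix>.+)$")


def protected_resource_id(external_id):
    """The Guardrails resource ID embedded in a protected-format external ID, else None."""
    match = PROTECTED_EXTERNAL_ID.match(external_id)
    return match.group("resource_id") if match else None


def may_issue_credentials(external_id, workspace_resource_id, protection="Open"):
    """Decide whether Guardrails should generate credentials for a role whose
    configured external ID is `external_id`, for the workspace whose Guardrails
    resource ID is `workspace_resource_id`, under the given Protection setting.
    """
    if protection not in ("Open", "Protected"):
        raise ValueError(f"unknown protection mode: {protection!r}")
    # The External ID schema requires minLength 1; an empty value is never accepted.
    if not external_id:
        return False
    resource_id = protected_resource_id(external_id)
    if resource_id is None:
        # Free-form external ID: allowed under Open, refused under Protected.
        return protection == "Open"
    # Protected format in either mode: the embedded resource ID must be this
    # workspace's, otherwise the role belongs to some other Guardrails workspace.
    return resource_id == workspace_resource_id


if __name__ == "__main__":
    workspace = "123456789012345"  # constructed workspace resource ID
    for mode in ("Open", "Protected"):
        for ext_id in ("my-shared-secret", f"turbot:{workspace}:prod", "turbot:999999999999999:prod"):
            print(f"{mode:9} {ext_id:32} -> {may_issue_credentials(ext_id, workspace, mode)}")
```

Setting the policy to Protected therefore changes only one row of that table: free-form external IDs, which Open accepts, are refused. A protected-format ID naming a different workspace is refused in both modes.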

AWS > Account > Turbot IAM Secret Access Key

IAM secret access key used by Guardrails for access to the AWS account.

URI
tmod:@turbot/aws#/policy/types/turbotIamSecretAccessKey
Schema
{
"type": "string",
"pattern": "^[A-z0-9/+=]{40}$"
}

AWS > Region > Discovery

URI
tmod:@turbot/aws#/policy/types/discovery

AWS > Region > Discovery > Connection Region

Configure the connection region used to discover the regions of an AWS > Account.

URI
tmod:@turbot/aws#/policy/types/connectionRegion
Default Template Input
"{\n partition: policy(uri:\"tmod:@turbot/aws#/policy/types/partition\")\n}\n"
Default Template
"{% if $.partition === \"aws-cn\" %}\"cn-north-1\"{% elif $.partition === \"aws-us-gov\" %}\"us-gov-west-1\"{% else %}\"us-east-1\"{% endif %}"
Schema
{
"type": "string",
"pattern": "^[a-z0-9-]+$"
}

AWS > Region > Logging Bucket [Default]

Specifies an S3 bucket to be used as the default logging
destination in this region.

This policy is referenced by other policies to provide a single
configurable logging destination across services.

URI
tmod:@turbot/aws#/policy/types/loggingBucketDefault
Default Template Input
[
"{\n region {\n turbot {\n id\n }\n }\n}\n",
"{\n bucketName: policy(uri:\"#/policy/types/loggingBucketName\", resourceId: \"{{ $.region.turbot.id }}\")\n}\n"
]
Default Template
"{{ $.bucketName }}"
Schema
{
"type": "string"
}

AWS > Region > Stack

Configure a custom stack on AWS, per the custom Stack > Source.

A Guardrails Stack is a set of resources configured by Guardrails, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/regionStack
Valid Value
[
"Skip",
"Check: Configured",
"Enforce: Configured"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Configured",
"Enforce: Configured"
],
"default": "Skip"
}

AWS > Region > Stack > Secret Variables

Terraform secret variables in Terraform HCL that will be used as
inputs to the stack as a .tfvars file.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/regionStackSecretVariables
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > Region > Stack > Source

The Terraform HCL source used to configure this stack.

A Guardrails Stack is a set of resources configured by Guardrails, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/regionStackSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > Region > Stack > Terraform Version

The version of Terraform to use for this stack.
Specify an npm-style semver string to
determine which version of the Terraform container
Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/regionStackTerraformVersion
Default Template Input
"{\n terraformVersion: policy(uri:\"tmod:@turbot/turbot#/policy/types/stackTerraformVersion\")\n}\n"
Default Template
"{% if $.terraformVersion %}\"{{$.terraformVersion}}\"{% else %}\"\"{% endif %}"
Schema
{
"type": "string"
}

AWS > Region > Stack > Variables

Terraform variables in Terraform HCL that will be used as
inputs to the stack as a .tfvars file.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/regionStackVariables
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > Turbot

URI
tmod:@turbot/aws#/policy/types/turbot

AWS > Turbot > Audit Trail

Configure the Turbot CloudTrail stack.

The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to
record an audit trail of API calls to your AWS accounts.

URI
tmod:@turbot/aws#/policy/types/auditTrail
Valid Value
[
"Skip",
"Check: Configured",
"Check: Not configured",
"Enforce: Configured",
"Enforce: Not configured"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Configured",
"Check: Not configured",
"Enforce: Configured",
"Enforce: Not configured"
],
"default": "Skip"
}

AWS > Turbot > Audit Trail > CloudTrail

Placeholder

URI
tmod:@turbot/aws#/policy/types/auditTrailCloudTrail

AWS > Turbot > Audit Trail > CloudTrail > Trail

Placeholder

URI
tmod:@turbot/aws#/policy/types/auditTrailTrail

AWS > Turbot > Audit Trail > CloudTrail > Trail > CloudWatch Role

The name of an IAM role that CloudTrail will assume to write logs to CloudWatch Logs.

If CloudWatch Logs forwarding is enabled, you must also specify a role that CloudTrail
can assume to write the logs. This role must have logs:CreateLogStream and logs:PutLogEvents
on the CloudWatch Logs log group, and must allow the CloudTrail service (cloudtrail.amazonaws.com)
to assume the role.

The role must already exist; the stack won't create it.

URI
tmod:@turbot/aws#/policy/types/trailCloudWatchRole
Schema
{
"type": "string",
"default": ""
}

AWS > Turbot > Audit Trail > CloudTrail > Trail > Enabled

The desired state of the CloudTrail. When disabled, a CloudTrail does not log
any events.

The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to
record an audit trail of API calls to your AWS accounts.

URI
tmod:@turbot/aws#/policy/types/trailEnabled
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"default": "Enabled"
}

AWS > Turbot > Audit Trail > CloudTrail > Trail > Encryption Key

The KMS key ID that encrypts the logs delivered by CloudTrail. The value is a
fully specified ARN to a KMS key in the format:
arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012

If a key is specified in this policy, SSE-KMS encryption will be enabled with this key. If the Encryption Key policy is blank, the default (SSE-S3) encryption will be used.

The key will not be created in this stack - it must already exist and CloudTrail
must have the correct permissions to use the key. Guardrails will not modify the key policy.

URI
tmod:@turbot/aws#/policy/types/trailEncryptionKey
Schema
{
"type": "string",
"default": ""
}

AWS > Turbot > Audit Trail > CloudTrail > Trail > Event Selectors

An event selector that specifies which events to log in the Guardrails Trail. If
no event selector is specified, the trail will log all read and write
management events, and no data events.

The Event Selectors policy allows you to specify up to 5 CloudTrail event selectors
to further specify the management and S3 and/or Lambda data event settings for the trail.

By default, trails created without specific event selectors will be configured to log
all read and write management events, and no data events.

The format of this policy is the native Terraform HCL for event selectors.

URI
tmod:@turbot/aws#/policy/types/trailEventSelectors
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "hcl"
},
"default": ""
}

AWS > Turbot > Audit Trail > CloudTrail > Trail > Global Region

The region that will host the Guardrails Trail when configured to use a
multi-region trail.

The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to
record an audit trail of API calls to your AWS accounts.

URI
tmod:@turbot/aws#/policy/types/trailGlobalRegion
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n partitionPolicy: policy(uri:\"#/policy/types/partition\" resourceId: \"{{ $.account.turbot.id }}\")\n}\n"
]
Default Template
"{% if $.partitionPolicy == 'aws' %}us-east-1{% else %}us-gov-west-1{% endif %}"
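
Three default templates on this page derive from the account's IAM role ARN: AWS > Account > Partition takes the second colon-separated field of the role ARN, AWS > Region > Discovery > Connection Region maps that partition to the region used for discovery, and the Trail > Global Region template above maps it to the home region of a multi-region trail. The following added example (not Guardrails code) reproduces the three templates in one place, validating the ARN first against the AWS > Account > Turbot IAM Role schema pattern from this page; the ARNs used are constructed.

```python
"""Partition, Connection Region and Trail > Global Region defaults from the role ARN.

Added example, not Guardrails code. The ARN pattern is the AWS > Account > Turbot IAM
Role schema pattern on this page; the mappings are the three default templates.
"""
import re

# Only the aws, aws-us-gov and aws-cn partitions are admitted by the schema.
IAM_ROLE_ARN = re.compile(
    r"^arn:aws(-us-gov|-cn)?:iam::[0-9]{12}:role(/[A-Za-z0-9.,+@=_-]+)*/[A-Za-z0-9+=,.@_-]{1,64}$"
)


def partition_from_role_arn(role_arn):
    """AWS > Account > Partition default: the second ':'-separated field of the ARN.
    The template yields '' when no role is configured; any other value is validated."""
    if not role_arn:
        return ""
    if not IAM_ROLE_ARN.match(role_arn):
        raise ValueError(f"not a valid Guardrails IAM role ARN: {role_arn!r}")
    return role_arn.split(":")[1]


def connection_region(partition):
    """AWS > Region > Discovery > Connection Region default template."""
    if partition == "aws-cn":
        return "cn-north-1"
    if partition == "aws-us-gov":
        return "us-gov-west-1"
    return "us-east-1"


def trail_global_region(partition):
    """Trail > Global Region default template. It distinguishes only 'aws' from
    everything else, so an aws-cn account (or an empty partition) resolves to
    us-gov-west-1 unless the policy is overridden."""
    return "us-east-1" if partition == "aws" else "us-gov-west-1"


def region_defaults(role_arn):
    """All three calculated values for an account, from its configured role ARN."""
    partition = partition_from_role_arn(role_arn)
    return {
        "partition": partition,
        "connection_region": connection_region(partition),
        "trail_global_region": trail_global_region(partition),
    }


if __name__ == "__main__":
    # Constructed role ARNs, one per partition the schema accepts.
    for arn in ("arn:aws:iam::123456789012:role/turbot/turbot-service",
                "arn:aws-us-gov:iam::123456789012:role/turbot",
                "arn:aws-cn:iam::123456789012:role/turbot"):
        print(arn, "->", region_defaults(arn))
```

The aws-cn case is the one to check before enabling a multi-region Audit Trail in a China-partition account: the Connection Region template knows about aws-cn, but the Global Region template does not, so the two defaults disagree and Trail > Global Region needs an explicit setting there.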

AWS > Turbot > Audit Trail > CloudTrail > Trail > Include Global Service Events

Determine whether or not events from global services (such as IAM, STS, CloudFront, and Route 53) are logged to the Guardrails trail.

If you have multiple single region trails, consider configuring your trails so that global service events are delivered in only one of the trails.

URI
tmod:@turbot/aws#/policy/types/trailIncludeGlobalServiceEvents
Valid Value
[
"Enabled: Include Global Service Events",
"Disabled: Do not include Global Service Events"
]
Schema
{
"type": "string",
"enum": [
"Enabled: Include Global Service Events",
"Disabled: Do not include Global Service Events"
],
"default": "Enabled: Include Global Service Events"
}

AWS > Turbot > Audit Trail > CloudTrail > Trail > Log File Validation

Determine whether or not log file integrity validation is enabled for
the Guardrails trail.

Enable CloudTrail log file integrity validation to determine whether a log file was
modified, deleted, or unchanged after CloudTrail delivered it.

URI
tmod:@turbot/aws#/policy/types/trailLogFileValidation
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"default": "Enabled"
}

AWS > Turbot > Audit Trail > CloudTrail > Trail > Name

A policy that displays the calculated Guardrails CloudTrail name for
this region.

This stack configures a CloudTrail for auditing API calls.

URI
tmod:@turbot/aws#/policy/types/trailName
Schema
{
"type": "string"
}

AWS > Turbot > Audit Trail > CloudTrail > Trail > Name Prefix

A string to be used as a prefix to the Guardrails generated name for the Guardrails
managed CloudTrail. The name will be pre-pended with this value.

The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to
record an audit trail of API calls to your AWS accounts.

Note that this policy is ignored if the AWS > Turbot > Audit Trail > CloudTrail > Trail > Name policy has a policy setting defined explicitly.

URI
tmod:@turbot/aws#/policy/types/auditTrailTrailNamePrefix
Schema
{
"type": "string",
"default": "turbot-",
"example": "turbot-"
}

AWS > Turbot > Audit Trail > CloudTrail > Trail > S3 Bucket

The name of an S3 bucket to which the Guardrails Trail will be delivered.

CloudTrail must write to S3, thus this policy is required. The S3 bucket
must already exist (the stack will not create it) and the CloudTrail
service must be allowed write access. The bucket can reside in any
region of any account.

URI
tmod:@turbot/aws#/policy/types/trailBucket
Default Template Input
[
"{\n region {\n turbot {\n id\n }\n }\n}\n",
"{\n bucketName: policy(uri:\"#/policy/types/loggingBucketDefault\", resourceId: \"{{ $.region.turbot.id }}\")\n}\n"
]
Default Template
"{{ $.bucketName }}"
Schema
{
"type": "string"
}

AWS > Turbot > Audit Trail > CloudTrail > Trail > S3 Key Prefix

An S3 key prefix to which the Guardrails Trail will be written.

URI
tmod:@turbot/aws#/policy/types/trailKeyPrefix
Schema
{
"type": "string",
"default": ""
}

AWS > Turbot > Audit Trail > CloudTrail > Trail > SNS Topic

An SNS Topic ARN to which to send notifications when CloudTrail publishes logs. If no
topic is specified (the SNS Topic policy is blank), then SNS forwarding
will be disabled for the Guardrails Trail.

Note that the SNS topic will not be created in this stack; it must already exist.
The SNS topic policy must allow CloudTrail to publish to the topic; the stack will
not update the policy.

URI
tmod:@turbot/aws#/policy/types/trailSnsTopic
Schema
{
"type": "string",
"default": "",
"example": "arn:aws:sns:us-east-2:123456789012:MyTopic"
}

AWS > Turbot > Audit Trail > CloudTrail > Trail > Tags

A list of key:value pairs to add as AWS tags onto the Guardrails managed
CloudTrail resource.

The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to
record an audit trail of API calls to your AWS accounts.

AWS > Turbot > Audit Trail > CloudTrail > Trail > Type

The type of CloudTrail deployment to use with Guardrails Audit Trail.

CloudTrail has options for multi-region or single region trails, as well as a new option for
Organization trails (for customers that leverage AWS Organizations). This provides
flexibility in implementation (as well as backwards compatibility - neither multi-region nor
organization trails were options when the service launched).

Note that Guardrails must manage your Organization master account in order to use an Organization
trail; this can only be configured from the Organization master account.

URI
tmod:@turbot/aws#/policy/types/trailType
Valid Value
[
"A trail in each region of each account",
"A multi-region trail in the `Trail > Global Region` in each account"
]
Schema
{
"type": "string",
"enum": [
"A trail in each region of each account",
"A multi-region trail in the `Trail > Global Region` in each account"
],
"default": "A multi-region trail in the `Trail > Global Region` in each account"
}

AWS > Turbot > Audit Trail > Source

The Terraform source used to configure the Guardrails Audit Trail stack.

The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to
record an audit trail of API calls to your AWS accounts.

This policy is read-only, as the Audit Trail source is generated by Guardrails.

URI
tmod:@turbot/aws#/policy/types/auditTrailSource
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > Turbot > Audit Trail > Terraform Version

The version of Terraform to use for this stack.
Specify an npm-style semver string to
determine which version of the Terraform container
Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/auditTrailTerraformVersion
Schema
{
"type": "string"
}

AWS > Turbot > Event Handlers

Configure the Guardrails AWS Event Handlers stack. This stack configures the EventBridge and SNS resources required for Guardrails real-time event routing. For more information, refer to the AWS Event Handler documentation.

Notes:
- The AWS Event Handler control ignores the Turbot > Change Window policy.
- For proper management of AWS Event Handlers, the aws, aws-iam, aws-kms, aws-events and aws-sns mods must be installed. Additional information can be found in the required mods section of the AWS Event Handler docs.

URI
tmod:@turbot/aws#/policy/types/eventHandlers
Valid Value
[
"Skip",
"Check: Configured",
"Check: Not configured",
"Enforce: Configured",
"Enforce: Not configured"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Configured",
"Check: Not configured",
"Enforce: Configured",
"Enforce: Not configured"
],
"default": "Skip"
}

AWS > Turbot > Event Handlers > Events

URI
tmod:@turbot/aws#/policy/types/eventHandlersEvents

AWS > Turbot > Event Handlers > Events > Rules

URI
tmod:@turbot/aws#/policy/types/eventHandlersEventsRules

AWS > Turbot > Event Handlers > Events > Rules > Account Filter

Configure whether to add the account filter to the EventBridge Rules created via the AWS > Turbot > Event Handlers stack. If Enabled, the EventBridge rules will raise events only for the account where the Event Handlers are deployed.

URI
tmod:@turbot/aws#/policy/types/eventHandlersEventsRulesAccountFilter
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"default": "Disabled"
}

AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns

The CloudWatch Events event pattern used by the AWS module to specify which
events to forward to the Guardrails Event Handlers.

This is a read-only policy used internally by Guardrails.

URI
tmod:@turbot/aws#/policy/types/eventHandlersEventsRulesCustomEventPatterns

AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > Billing Console

The CloudWatch Events event pattern used by the AWS module to specify
which events to forward to the Guardrails Event Handlers.

URI
tmod:@turbot/aws#/policy/types/billingconsoleCustomEventPatterns
Schema
{
"type": "array",
"items": {
"type": "object",
"properties": {
"type": {
"type": "object",
"properties": {
"title": {
"type": "string"
}
}
},
"value": {
"type": "object",
"properties": {
"source": {
"type": "array",
"items": {
"type": "string"
}
},
"detail-type": {
"type": "array",
"items": {
"type": "string"
}
},
"detail": {
"type": "object",
"property": {
"eventName": {
"type": "array"
}
},
"required": [
"eventName"
]
}
},
"required": [
"source"
]
}
},
"required": [
"type"
]
},
"default": [
{
"type": {
"title": "Billing Console",
"name": "billingconsole"
},
"value": {
"source": [
"aws.billingconsole"
],
"detail-type": [
"AWS Console Action via CloudTrail"
],
"detail": {
"eventName": [
"DisableRegion",
"EnableRegion",
"SetAdditionalContacts"
]
}
}
}
]
}

AWS > Turbot > Event Handlers > Events > Rules > Event Sources

The Terraform source used to configure the Guardrails Event Handlers stack.

This stack configures AWS CloudWatch Events rules and targets, and SNS
topics and subscriptions to enable real-time event handling in an AWS
region.

This policy is read-only, as source is generated by Guardrails.

URI
tmod:@turbot/aws#/policy/types/eventHandlersEventsRulesEventSources
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > Turbot > Event Handlers > Events > Rules > Name Prefix

A string to be used as a prefix to the Guardrails-generated name on the
Guardrails Event Handlers CloudWatch Events rules. The names will be
pre-pended with this value.

URI
tmod:@turbot/aws#/policy/types/eventHandlersEventsRulesNamePrefix
Schema
{
"type": "string",
"default": "turbot_",
"example": "turbot_"
}

AWS > Turbot > Event Handlers > Events > Rules > Tags

A list of key:value pairs to add as AWS tags on the Guardrails Event Handlers Events rules.

URI
tmod:@turbot/aws#/policy/types/eventHandlersEventsRulesTags

AWS > Turbot > Event Handlers > SNS

URI
tmod:@turbot/aws#/policy/types/eventHandlersSns
Category
Targets

AWS > Turbot > Event Handlers > SNS > Topic

URI
tmod:@turbot/aws#/policy/types/eventHandlersSnsTopic
Category
Targets

AWS > Turbot > Event Handlers > SNS > Topic > Customer Managed Key

A Customer Managed KMS key used for server side encryption of the SNS
topic created for the AWS Event Handlers.

If no key is specified, server side encryption will not be enabled.

If the specified key does not exist in AWS or is improperly specified in the policy,
the SNS topic will silently stop working and halt event handling for the
region. Resolve by picking an existing key or removing this policy.

Note that the key will not be created in this stack - it must already
exist. The key policy must grant the kms:GenerateDataKey* and kms:Decrypt
permissions to Amazon CloudWatch Events (events.amazonaws.com). The Guardrails
user must also have permissions to decrypt messages with this CMK.

See https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html

URI
tmod:@turbot/aws#/policy/types/eventHandlersSnsTopicCustomerManagedKey
Schema
{
"type": "string",
"default": ""
}

AWS > Turbot > Event Handlers > SNS > Topic > Name Prefix

A string to be used as a prefix to the Guardrails-generated name on the
Guardrails Event Handlers SNS topic. The name will be
pre-pended with this value.

URI
tmod:@turbot/aws#/policy/types/eventHandlersSnsTopicNamePrefix
Schema
{
"type": "string",
"default": "turbot_",
"example": "turbot_"
}

AWS > Turbot > Event Handlers > SNS > Topic > Tags

A list of key:value pairs to add as AWS tags on the Guardrails Event Handlers SNS topic.

URI
tmod:@turbot/aws#/policy/types/eventHandlersSnsTopicTags

AWS > Turbot > Event Handlers > Source

The Terraform source used to configure the Event Handlers stack.
This policy is read-only, as the Event Handlers source is generated by Guardrails.

URI
tmod:@turbot/aws#/policy/types/eventHandlersSource
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "json"
}
}

AWS > Turbot > Event Handlers > Terraform Version

The Version of Terraform to use for this stack.
Specify an npm-style semver string to
determine which version of the Terraform container
Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/eventHandlersTerraformVersion
Schema
{
"type": "string"
}

AWS > Turbot > Event Handlers [Global]

Configure the Guardrails AWS Event Handlers [Global] stack. This stack configures the EventBridge and SNS resources required for Guardrails real-time event routing.

Notes:
- The AWS Event Handler control ignores the Turbot > Change Window policy.
- For proper management of AWS Event Handlers [Global], the aws, aws-iam, aws-kms, aws-events and aws-sns mods must be installed. Additional information can be found in the required mods section of the AWS Event Handler docs.

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobal
Valid Value
[
"Skip",
"Check: Configured",
"Check: Not configured",
"Enforce: Configured",
"Enforce: Not configured"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Configured",
"Check: Not configured",
"Enforce: Configured",
"Enforce: Not configured"
],
"default": "Skip"
}

AWS > Turbot > Event Handlers [Global] > Events

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobalEvents
Category
Targets

AWS > Turbot > Event Handlers [Global] > Events > Rules

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobalEventsRules
Category
Targets

AWS > Turbot > Event Handlers [Global] > Events > Rules > Name Prefix

A string to be used as a prefix to the Guardrails-generated name on the
Guardrails Event Handlers [Global] CloudWatch Events rules. The names will be
pre-pended with this value.

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobalEventsRulesNamePrefix
Schema
{
"type": "string",
"default": "turbot_",
"example": "turbot_"
}

AWS > Turbot > Event Handlers [Global] > Events > Rules > Tags

A list of key:value pairs to add as AWS tags on the Guardrails Event Handlers [Global] Events rules.

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobalEventsRulesTags

AWS > Turbot > Event Handlers [Global] > Events > Target

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobalEventsTarget
Category
Targets

AWS > Turbot > Event Handlers [Global] > Events > Target > IAM Role ARN

The IAM Role used to forward events from the non-primary regions to the AWS > Turbot > Event Handlers [Global] > Primary Region. By default, this policy is set via the AWS > Turbot > Service Roles > Event Handlers [Global] policy, but can be overwritten if needed.
The below permissions are needed at minimum to allow the Role to forward events to the Primary Region correctly.
{
  "Statement": [
    {
      "Action": [
        "events:PutEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:<partition>:events:<region>:<accountId>:event-bus/default"
    }
  ],
  "Version": "2012-10-17"
}

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobalEventsTargetIamRoleArn
Schema
{
"type": "string"
}

AWS > Turbot > Event Handlers [Global] > Primary Region

The primary region for the AWS > Turbot > Event Handlers [Global] stack. All EventBridge and SNS resources required for real-time event routing will be deployed in this region.

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobalPrimaryRegion
Default Template Input
"{\n partition: policy(uri:\"tmod:@turbot/aws#/policy/types/partition\")\n}\n"
Default Template
"{% if $.partition === \"aws-cn\" %}\"cn-north-1\"{% elif $.partition === \"aws-us-gov\" %}\"us-gov-west-1\"{% else %}\"us-east-1\"{% endif %}"
Schema
{
"type": "string"
}

AWS > Turbot > Event Handlers [Global] > SNS

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobalSns
Category
Targets

AWS > Turbot > Event Handlers [Global] > SNS > Topic

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobalSnsTopic
Category
Targets

AWS > Turbot > Event Handlers [Global] > SNS > Topic > Customer Managed Key

A Customer Managed KMS key used for server side encryption of the SNS
topic created for the AWS Event Handlers [Global].

If no key is specified, server side encryption will not be enabled.

If the specified key does not exist in AWS or is improperly specified in the policy,
the SNS topic will silently stop working and halt event handling for the
region. Resolve by picking an existing key or removing this policy.

Note that the key will not be created in this stack - it must already
exist. The key policy must grant the kms:GenerateDataKey* and kms:Decrypt
permissions to Amazon CloudWatch Events (events.amazonaws.com). The Guardrails
user must also have permissions to decrypt messages with this CMK.

See https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobalSnsTopicCustomerManagedKey
Schema
{
"type": "string",
"default": ""
}

AWS > Turbot > Event Handlers [Global] > SNS > Topic > Name Prefix

A string to be used as a prefix to the Guardrails-generated name on the
Guardrails Event Handlers [Global] SNS topic. The name will be
pre-pended with this value.

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobalSnsTopicNamePrefix
Schema
{
"type": "string",
"default": "turbot_",
"example": "turbot_"
}

AWS > Turbot > Event Handlers [Global] > SNS > Topic > Tags

A list of key:value pairs to add as AWS tags on the Guardrails Event Handlers [Global] SNS topic.

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobalSnsTopicTags

AWS > Turbot > Event Handlers [Global] > Source

The Terraform source used to configure the Event Handlers [Global] stack.
This policy is read-only, as the Event Handlers [Global] source is generated by Guardrails.

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobalSource
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "json"
}
}

AWS > Turbot > Event Handlers [Global] > Terraform Version

The Version of Terraform to use for this stack.
Specify an npm-style semver string to
determine which version of the Terraform container
Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/eventHandlersGlobalTerraformVersion
Schema
{
"type": "string"
}

AWS > Turbot > Event Poller

Configure the AWS Event Poller. When set to Enabled, the poller will run at the interval specified to retrieve the latest events and forward them to the Guardrails Router.

Note: The Event Poller and Guardrails Event Handler are different mechanisms for sending information to Guardrails. You should enable one or the other, but not both.

URI
tmod:@turbot/aws#/policy/types/eventPoller
Category
Default Template Input
"{\n eventHandlersValue: policy(uri: \"tmod:@turbot/aws#/policy/types/eventHandlers\")\n globalEventHandlersValue: policy(uri: \"tmod:@turbot/aws#/policy/types/eventHandlersGlobal\")\n}\n"
Default Template
"{% if $.eventHandlersValue == 'Enforce: Configured' or $.globalEventHandlersValue == 'Enforce: Configured' %}Disabled{% else %}Enabled{% endif %}\n"
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
]
}

AWS > Turbot > Event Poller > Excluded Events

A list of events that will be filtered out while processing events that are captured via AWS > Turbot > Event Poller.

Example:
- support:RefreshTrustedAdvisorCheck
- ssm:UpdateInstanceInformation
- ssm:Update*

URI
tmod:@turbot/aws#/policy/types/eventPollerExcludedEvents
Category
Schema
{
"type": "array",
"items": {
"type": "string",
"pattern": "^[a-zA-Z0-9]+[:][a-zA-Z0-9*?]+$"
},
"default": [
"support:RefreshTrustedAdvisorCheck"
]
}
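As an added example of how an Excluded Events list such as the one above is applied (this is not the Guardrails poller's code), the block below validates entries against the schema pattern, turns the `*` and `?` wildcards into anchored regular expressions, and drops matching events from a constructed batch of polled CloudTrail-shaped events. It assumes the `service` half of a `service:eventName` entry corresponds to the first label of the CloudTrail `eventSource` field (e.g. `ssm` for `ssm.amazonaws.com`).

```python
"""Filter polled events with an Excluded Events list. Added example, not
Guardrails' poller code. Assumption: each polled event carries CloudTrail's
eventSource and eventName fields, and 'service' in 'service:eventName' is the
first label of eventSource."""
import re

# Schema pattern from the policy above: "service:eventName", where only the
# event name may use '*' and '?' wildcards.
ENTRY_PATTERN = re.compile(r"^[a-zA-Z0-9]+[:][a-zA-Z0-9*?]+$")


def validate_excluded_events(entries):
    """Return the entries the policy schema would reject (e.g. a wildcard in
    the service part, or a '-' in the event name)."""
    return [e for e in entries if not ENTRY_PATTERN.match(e)]


def _glob_to_regex(glob):
    """Translate '*' (any run of characters) and '?' (exactly one character)
    into an anchored, case-sensitive regular expression."""
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def build_exclusion_matcher(entries):
    """Compile the list once and return a predicate over single events."""
    invalid = validate_excluded_events(entries)
    if invalid:
        raise ValueError(f"invalid Excluded Events entries: {invalid}")
    compiled = []
    for entry in entries:
        service, name = entry.split(":", 1)
        compiled.append((service.lower(), _glob_to_regex(name)))

    def is_excluded(event):
        # Assumed mapping: "ssm.amazonaws.com" -> "ssm".
        service = event["eventSource"].split(".", 1)[0].lower()
        return any(service == s and rx.match(event["eventName"]) for s, rx in compiled)

    return is_excluded


def filter_events(entries, events):
    """Return only the events that would still be forwarded to Guardrails."""
    is_excluded = build_exclusion_matcher(entries)
    return [e for e in events if not is_excluded(e)]


# Constructed sample of polled events (CloudTrail shape, not real data).
SAMPLE_EVENTS = [
    {"eventSource": "support.amazonaws.com", "eventName": "RefreshTrustedAdvisorCheck"},
    {"eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation"},
    {"eventSource": "ssm.amazonaws.com", "eventName": "UpdateAssociation"},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand"},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateUser"},  # other service
]

# The example list from the policy description above.
EXCLUDED = ["support:RefreshTrustedAdvisorCheck", "ssm:UpdateInstanceInformation", "ssm:Update*"]

if __name__ == "__main__":
    for event in filter_events(EXCLUDED, SAMPLE_EVENTS):
        print(event["eventSource"], event["eventName"])
```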

AWS > Turbot > Event Poller > Interval

The polling interval. This policy determines how often
the event poller will run.

URI
tmod:@turbot/aws#/policy/types/eventPollerInterval
Category
Valid Value
[
"Every 1 minute",
"Every 2 minutes",
"Every 3 minutes",
"Every 4 minutes",
"Every 5 minutes",
"Every 6 minutes",
"Every 7 minutes",
"Every 8 minutes",
"Every 9 minutes",
"Every 10 minutes"
]
Schema
{
"type": "string",
"enum": [
"Every 1 minute",
"Every 2 minutes",
"Every 3 minutes",
"Every 4 minutes",
"Every 5 minutes",
"Every 6 minutes",
"Every 7 minutes",
"Every 8 minutes",
"Every 9 minutes",
"Every 10 minutes"
],
"default": "Every 2 minutes"
}

AWS > Turbot > Event Poller > Window

The polling window, in minutes. This policy determines the oldest events the event poller will retrieve. For example, setting the window to '15 minutes' will cause the poller to retrieve all events from the previous 15 minutes every time it runs.

The Window must be greater than the Interval, and it is recommended to be at least twice the Interval. For example, if the Interval is 'Every 5 Minutes', the Window should be at least '10 Minutes'.

URI
tmod:@turbot/aws#/policy/types/eventPollerWindow
Category
Valid Value
[
"15 minutes",
"16 minutes",
"17 minutes",
"18 minutes",
"19 minutes",
"20 minutes",
"21 minutes",
"22 minutes",
"23 minutes",
"24 minutes",
"25 minutes",
"26 minutes",
"27 minutes",
"28 minutes",
"29 minutes",
"30 minutes"
]
Schema
{
"type": "string",
"enum": [
"15 minutes",
"16 minutes",
"17 minutes",
"18 minutes",
"19 minutes",
"20 minutes",
"21 minutes",
"22 minutes",
"23 minutes",
"24 minutes",
"25 minutes",
"26 minutes",
"27 minutes",
"28 minutes",
"29 minutes",
"30 minutes"
],
"default": "15 minutes"
}

AWS > Turbot > Logging

URI
tmod:@turbot/aws#/policy/types/logging
Targets

AWS > Turbot > Logging > Bucket

Configure the Guardrails Logging Bucket stack.

This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.

URI
tmod:@turbot/aws#/policy/types/loggingBucket
Valid Value
[
"Skip",
"Check: Configured",
"Check: Not configured",
"Enforce: Configured",
"Enforce: Not configured"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Configured",
"Check: Not configured",
"Enforce: Configured",
"Enforce: Not configured"
],
"default": "Skip"
}

AWS > Turbot > Logging > Bucket > Access Logging

Configure server access logging on the AWS S3 Bucket.

This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.

URI
tmod:@turbot/aws#/policy/types/loggingBucketAccessLogging
Valid Value
[
"Disabled",
"Enabled"
]
Schema
{
"type": "string",
"enum": [
"Disabled",
"Enabled"
],
"example": [
"Disabled"
],
"default": "Disabled"
}

AWS > Turbot > Logging > Bucket > Access Logging > Bucket

Configure server access logging on the AWS S3 Bucket.

This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.

URI
tmod:@turbot/aws#/policy/types/loggingBucketAccessLoggingBucket
Schema
{
"type": "string",
"pattern": "^[a-zA-Z0-9._-]{1,255}$",
"default": ""
}

AWS > Turbot > Logging > Bucket > Access Logging > Bucket > Key Prefix

Configure server access logging on the AWS S3 Bucket.

This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.

URI
tmod:@turbot/aws#/policy/types/loggingBucketAccessLoggingBucketKeyPrefix
Schema
{
"type": "string",
"pattern": "^.{1,200}$",
"default": ""
}

AWS > Turbot > Logging > Bucket > Default Encryption

Configure default encryption on the AWS S3 Bucket.

This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.

URI
tmod:@turbot/aws#/policy/types/loggingBucketDefaultEncryption
Valid Value
[
"None",
"AWS SSE"
]
Schema
{
"type": "string",
"enum": [
"None",
"AWS SSE"
],
"example": [
"AWS SSE"
],
"default": "AWS SSE"
}

AWS > Turbot > Logging > Bucket > Encryption in Transit

Configure Encryption in Transit on the AWS S3 Bucket.

This stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services.
If Encryption in Transit is set to Enabled, the below statement will be applied to the S3 Bucket.
{
  Sid: "MustBeEncryptedInTransit",
  Effect: "Deny",
  Principal: "*",
  Action: "s3:*",
  Resource: ['arn:${partition}:s3:::${bucketName}', 'arn:${partition}:s3:::${bucketName}/*'],
  Condition: {
    Bool: {
      "aws:SecureTransport": "false"
    }
  }
}

URI
tmod:@turbot/aws#/policy/types/loggingBucketEncryptionInTransit
Valid Value
[
"Disabled",
"Enabled"
]
Schema
{
"type": "string",
"enum": [
"Disabled",
"Enabled"
],
"example": [
"Disabled"
],
"default": "Disabled"
}
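The following added example (not Guardrails' control logic) shows the check a reviewer would run against an existing bucket policy to confirm the MustBeEncryptedInTransit statement above is present and complete; it flags a near-miss that covers only the bucket ARN and therefore still lets object requests through over plain HTTP. The bucket name, partition and both sample policies are constructed.

```python
"""Detect whether an S3 bucket policy already denies unencrypted (non-TLS)
access in the way the Encryption in Transit policy above applies it.
Added example; not Guardrails' own code."""


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def denies_insecure_transport(policy, partition, bucket_name):
    """True if some statement denies every principal all s3 actions on both
    the bucket and its objects whenever aws:SecureTransport is false."""
    wanted = {f"arn:{partition}:s3:::{bucket_name}",
              f"arn:{partition}:s3:::{bucket_name}/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        principal = stmt.get("Principal")
        if principal != "*" and principal != {"AWS": "*"}:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if "s3:*" not in actions and "*" not in actions:
            continue
        # Both ARNs must be covered: the bucket alone leaves object reads open.
        if not wanted.issubset(set(_as_list(stmt.get("Resource", [])))):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if cond is None:
            continue
        if str(_as_list(cond)[0]).lower() == "false":
            return True
    return False


def encryption_in_transit_state(policy, partition, bucket_name):
    """Report the state in the vocabulary of the policy's valid values."""
    return "Enabled" if denies_insecure_transport(policy, partition, bucket_name) else "Disabled"


# Constructed inputs for the example (hypothetical bucket name).
PARTITION = "aws"
BUCKET = "turbot-logs-example"

# The statement as the policy above would apply it.
COMPLIANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "MustBeEncryptedInTransit",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:{PARTITION}:s3:::{BUCKET}", f"arn:{PARTITION}:s3:::{BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

# Looks similar, but only the bucket ARN is listed, so object-level requests
# over HTTP are not denied.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "MustBeEncryptedInTransit",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": f"arn:{PARTITION}:s3:::{BUCKET}",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

if __name__ == "__main__":
    print(encryption_in_transit_state(COMPLIANT_POLICY, PARTITION, BUCKET))
    print(encryption_in_transit_state(INCOMPLETE_POLICY, PARTITION, BUCKET))
```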

AWS > Turbot > Logging > Bucket > Name

A read-only policy that displays the calculated Guardrails logging bucket name
for this region.

This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.

URI
tmod:@turbot/aws#/policy/types/loggingBucketName
Schema
{
"type": "string"
}

AWS > Turbot > Logging > Bucket > Name > Prefix

A string to be used as a prefix to the Guardrails-generated name
on the Guardrails logging bucket. The name will be pre-pended
with this value.

This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.

URI
tmod:@turbot/aws#/policy/types/loggingBucketNamePrefix
Schema
{
"type": "string",
"default": "turbot-",
"example": "turbot-"
}

AWS > Turbot > Logging > Bucket > Regions

A list of regions in which to create Guardrails logging buckets.

This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.

URI
tmod:@turbot/aws#/policy/types/loggingBucketRegions
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n approvedRegionsPolicy: policy(uri: \"#/policy/types/approvedRegionsDefault\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"
]
Default Template
"{% for item in $.approvedRegionsPolicy %}- '{{ item }}'\n{% endfor %}"

AWS > Turbot > Logging > Bucket > Source

The Terraform source used to configure the Guardrails Logging Bucket stack.

This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.

This policy is read-only, as source is generated by Guardrails.

URI
tmod:@turbot/aws#/policy/types/loggingBucketSource
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "json"
}
}

AWS > Turbot > Logging > Bucket > Tags

A list of key:value pairs to add as AWS tags on the Guardrails
logging bucket.

This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.

URI
tmod:@turbot/aws#/policy/types/loggingBucketTags

AWS > Turbot > Logging > Bucket > Versioning

Configure versioning on the AWS S3 Bucket.

This stack configures an AWS S3 Bucket for use as a destination
for logs from other AWS services.

URI
tmod:@turbot/aws#/policy/types/loggingBucketVersioning
Valid Value
[
"Disabled",
"Enabled"
]
Schema
{
"type": "string",
"enum": [
"Disabled",
"Enabled"
],
"example": [
"Enabled"
],
"default": "Enabled"
}

AWS > Turbot > Logging > Terraform Version

The Version of Terraform to use for this stack.
Specify an npm-style semver string to
determine which version of the Terraform container
Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/loggingBucketTerraformVersion
Schema
{
"type": "string"
}

AWS > Turbot > Service Roles

Configure standard Guardrails Service Roles for services such as AWS Config, VPC
Flow Logs, etc.

URI
tmod:@turbot/aws#/policy/types/serviceRoles
Category
Valid Value
[
"Skip",
"Check: Configured",
"Check: Not configured",
"Enforce: Configured",
"Enforce: Not configured"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Configured",
"Check: Not configured",
"Enforce: Configured",
"Enforce: Not configured"
],
"default": "Skip"
}

AWS > Turbot > Service Roles > Configuration Recording

Configure the standard Guardrails Service Role for the AWS Config service.

URI
tmod:@turbot/aws#/policy/types/serviceRolesConfigurationRecording
Category
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"default": "Enabled"
}

AWS > Turbot > Service Roles > Configuration Recording > Name

The resource name for standard Guardrails IAM Config Service Role.
This policy is read-only, and generated by Guardrails based on the
Service Roles > Name Prefix policy.

URI
tmod:@turbot/aws#/policy/types/serviceRolesConfigurationRecordingName
Category
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n roleNamePrefix: policy(uri:\"aws#/policy/types/serviceRolesNamePrefix\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"
]
Default Template
"{{ $.roleNamePrefix }}config"
Schema
{
"type": "string"
}

AWS > Turbot > Service Roles > Default EC2 Instance

Configure the standard Guardrails Service Role for use with AWS EC2 instances.

URI
tmod:@turbot/aws#/policy/types/serviceRolesDefaultEc2Instance
Category
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"default": "Enabled"
}

AWS > Turbot > Service Roles > Default EC2 Instance > Name

The resource name for standard Guardrails IAM default EC2 instance Service Role.

URI
tmod:@turbot/aws#/policy/types/serviceRolesDefaultEc2InstanceName
Category
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n roleNamePrefix: policy(uri:\"aws#/policy/types/serviceRolesNamePrefix\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"
]
Default Template
"{{ $.roleNamePrefix }}default_ec2_instance_role"
Schema
{
"type": "string"
}

AWS > Turbot > Service Roles > Default EC2 Instance > SSM Permissions

Configure the standard Guardrails Service Role for the AWS default EC2 instance service with SSM Permissions.

URI
tmod:@turbot/aws#/policy/types/serviceRolesDefaultEc2InstanceSsmPermissions
Category
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"default": "Enabled"
}

AWS > Turbot > Service Roles > Event Handlers [Global]

Configure the standard Guardrails Service Role for the AWS > Turbot > Event Handlers [Global] stack.

URI
tmod:@turbot/aws#/policy/types/serviceRolesEventHandlersGlobal
Category
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"default": "Disabled"
}

AWS > Turbot > Service Roles > Event Handlers [Global] > Name

The resource name for standard Guardrails AWS > Turbot > Service Roles > Event Handlers [Global] role.
This policy is read-only, and generated by Guardrails based on the Service Roles > Name Prefix policy.

URI
tmod:@turbot/aws#/policy/types/serviceRolesEventHandlersGlobalName
Category
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n roleNamePrefix: policy(uri:\"aws#/policy/types/serviceRolesNamePrefix\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"
]
Default Template
"{{ $.roleNamePrefix }}aws_api_events_global"
Schema
{
"type": "string"
}

AWS > Turbot > Service Roles > Flow Logging

Configure the standard Guardrails Service Role for the AWS VPC Flow Logging service.

URI
tmod:@turbot/aws#/policy/types/serviceRolesFlowLogging
Category
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"default": "Enabled"
}

AWS > Turbot > Service Roles > Flow Logging > Name

The resource name for standard Guardrails IAM VPC Flow Logging Service Role.

URI
tmod:@turbot/aws#/policy/types/serviceRolesFlowLoggingName
Category
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n roleNamePrefix: policy(uri:\"aws#/policy/types/serviceRolesNamePrefix\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"
]
Default Template
"{{ $.roleNamePrefix }}vpc_flow_logging"
Schema
{
"type": "string"
}

AWS > Turbot > Service Roles > Name Path

The value to be used in resource path names for standard Guardrails Service Roles.
The path should start and end with a slash (/).

URI
tmod:@turbot/aws#/policy/types/serviceRolesNamePath
Category
Schema
{
"type": "string",
"default": "/turbot/"
}

AWS > Turbot > Service Roles > Name Prefix

A prefix to be used in resource names for standard Guardrails IAM Service Roles.

URI
tmod:@turbot/aws#/policy/types/serviceRolesNamePrefix
Category
Schema
{
"type": "string",
"default": "turbot_"
}

AWS > Turbot > Service Roles > SSM Notifications

Configure the standard Guardrails Service Role for the AWS SSM Notifications.

URI
tmod:@turbot/aws#/policy/types/serviceRolesSsmNotifications
Category
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"default": "Enabled"
}

AWS > Turbot > Service Roles > SSM Notifications > Name

A value to add as SSM Notifications name.

URI
tmod:@turbot/aws#/policy/types/serviceRolesSsmNotificationsName
Category
Default Template Input
"{\n item: account {\n turbot{\n id\n }\n }\n roleNamePrefix: policy(uri: \"#/policy/types/serviceRolesNamePrefix\")\n}\n"
Default Template
"'{{ $.roleNamePrefix }}ssm_notifications_role'"
Schema
{
"type": "string"
}

AWS > Turbot > Service Roles > Source

The Terraform source used to configure the standard Guardrails Service Roles.
This policy is read-only, as the stack source is generated by Guardrails.

URI
tmod:@turbot/aws#/policy/types/serviceRolesSource
Category
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > Turbot > Service Roles > Terraform Version

The Version of Terraform to use for this stack.
Specify an npm-style semver string to
determine which version of the Terraform container
Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws#/policy/types/serviceRolesTerraformVersion
Schema
{
"type": "string"
}