Control types for @turbot/azure-iam

• Azure > IAM > Primary Object ID
• Azure > IAM > Role Assignment > Active
• Azure > IAM > Role Assignment > Approved
• Azure > IAM > Role Assignment > CMDB
• Azure > IAM > Role Assignment > Configured
• Azure > IAM > Role Assignment > Discovery
• Azure > IAM > Role Definition > Active
• Azure > IAM > Role Definition > Approved
• Azure > IAM > Role Definition > CMDB
• Azure > IAM > Role Definition > Configured
• Azure > IAM > Role Definition > Discovery
• Azure > Turbot > IAM

Azure > IAM > Primary Object ID

This control fetches the object IDs for primary login names, per Azure > IAM > Login Names policy, to be used in the Azure > Turbot > Permissions > Source policy.

Azure > IAM > Role Assignment > Active

Take an action when an Azure IAM role assignment is not active based on the
Azure > IAM > Role Assignment > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > IAM > Role Assignment > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

Azure > IAM > Role Assignment > Approved

Take an action when an Azure IAM role assignment is not approved based on Azure > IAM > Role Assignment > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

Azure > IAM > Role Assignment > CMDB

Record and synchronize details for the Azure IAM role assignment into the CMDB.

The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.

Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.

Azure > IAM > Role Assignment > Configured

Maintain Azure > IAM > Role Assignment configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

Azure > IAM > Role Assignment > Discovery

Discover all Azure IAM role assignment resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Azure > IAM > Role Definition > Active

Take an action when an Azure IAM role definition is not active based on the
Azure > IAM > Role Definition > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > IAM > Role Definition > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

Azure > IAM > Role Definition > Approved

Take an action when an Azure IAM role definition is not approved based on Azure > IAM > Role Definition > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

Azure > IAM > Role Definition > CMDB

Record and synchronize details for the Azure IAM role definition into the CMDB.

The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.

Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.

Azure > IAM > Role Definition > Configured

Maintain Azure > IAM > Role Definition configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

Azure > IAM > Role Definition > Discovery

Discover all Azure IAM role definition resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Azure > Turbot > IAM

Maintain configuration of IAM resources.