Control types for @turbot/azure-iam
- Azure > IAM > Primary Object ID
- Azure > IAM > Role Assignment > Active
- Azure > IAM > Role Assignment > Approved
- Azure > IAM > Role Assignment > CMDB
- Azure > IAM > Role Assignment > Configured
- Azure > IAM > Role Assignment > Discovery
- Azure > IAM > Role Definition > Active
- Azure > IAM > Role Definition > Approved
- Azure > IAM > Role Definition > CMDB
- Azure > IAM > Role Definition > Configured
- Azure > IAM > Role Definition > Discovery
- Azure > Turbot > IAM
Azure > IAM > Primary Object ID
This control fetches the object IDs for primary login names, per Azure > IAM > Login Names policy, to be used in the Azure > Turbot > Permissions > Source policy.
tmod:@turbot/azure-iam#/control/types/loginNamesPrimaryObjectId
Azure > IAM > Role Assignment > Active
Take an action when an Azure IAM role assignment is not active based on the Azure > IAM > Role Assignment > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time-consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (Azure > IAM > Role Assignment > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note: This contrasts with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/azure-iam#/control/types/roleAssignmentActive
Azure > IAM > Role Assignment > Approved
Take an action when an Azure IAM role assignment is not approved based on Azure > IAM > Role Assignment > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/azure-iam#/control/types/roleAssignmentApproved
Azure > IAM > Role Assignment > CMDB
Record and synchronize details for the Azure IAM role assignment into the CMDB.
The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.
Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.
tmod:@turbot/azure-iam#/control/types/roleAssignmentCmdb
Azure > IAM > Role Assignment > Configured
Maintain Azure > IAM > Role Assignment configuration.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and are inherited from the stack that owns it.
tmod:@turbot/azure-iam#/control/types/roleAssignmentConfigured
Azure > IAM > Role Assignment > Discovery
Discover all Azure IAM role assignment resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/azure-iam#/control/types/roleAssignmentDiscovery
Azure > IAM > Role Definition > Active
Take an action when an Azure IAM role definition is not active based on the Azure > IAM > Role Definition > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time-consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (Azure > IAM > Role Definition > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note: This contrasts with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/azure-iam#/control/types/roleDefinitionActive
Azure > IAM > Role Definition > Approved
Take an action when an Azure IAM role definition is not approved based on Azure > IAM > Role Definition > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/azure-iam#/control/types/roleDefinitionApproved
Azure > IAM > Role Definition > CMDB
Record and synchronize details for the Azure IAM role definition into the CMDB.
The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.
Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.
tmod:@turbot/azure-iam#/control/types/roleDefinitionCmdb
Azure > IAM > Role Definition > Configured
Maintain Azure > IAM > Role Definition configuration.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and are inherited from the stack that owns it.
tmod:@turbot/azure-iam#/control/types/roleDefinitionConfigured
Azure > IAM > Role Definition > Discovery
Discover all Azure IAM role definition resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/azure-iam#/control/types/roleDefinitionDiscovery
Azure > Turbot > IAM
Maintain configuration of IAM resources.
tmod:@turbot/azure-iam#/control/types/iamTurbot