Policies

Filtering Policy Settings

You can use the policySettings filter to search and filter Policy Setting in the Turbot Guardrails Console or GraphQL queries.

The policySettings filter supports the standard sort and limit keywords
You can search Standard Guardrails metadata properties such as timestamp, updateTimestamp, etc. Note that you cannot search actorIdentityId or title in policySettings queries.
Full Text Search will search/filter both the Policy Setting and the Resource

You can use Tag Filters. Note that the tag filters are Resource filters - they filter Policy Settings on resources with these tags.
You can filter the scope with Hierarchy Scope Filters. Note that these are implicitly set when filtering the policies page in the Guardrails Console
You can use validToTimestamp to filter py policy expiration
is:orphan will filter to settings that are orphaned by a higher level required setting
is:exception will filter to settings that are an exception to a higher level required setting

Aim	Filter text
Settings that are orphaned by a higher level required setting	`is:orphan`
Settings that are orphaned by a higher level required setting	`is:exception`
Settings expiring in the next week, by expiration date descending	`validToTimestamp:<T+7d,>now sort:validToTimestamp`
Settings created/updated in the last day, newest first	`timestamp:>T-1d sort:-timestamp`
Settings on a specific resources	`resource:162675146433353 level:self`
Settings on a specific resource and below	`resource:162675146433353`
`AWS > S3 > Bucket > Approved` policy and sub-policy settings	`policyType:tmod:@turbot/aws-s3#/policy/types/bucketApproved`
`AWS > S3 > Bucket > Approved` policy settings (not `AWS > S3 > Bucket > Approved > *` sub-policy settings)	`policyType:tmod:@turbot/aws-s3#/policy/types/bucketApproved policyTypeLevel:self`
Settings on AWS policy types	`policyType:aws`
All settings for bucket policy types	`policyType:bucket`

You can use the policyValues filter to search and filter Policy Values in the Guardrails Console or GraphQL.

The policyValues filter supports the standard sort and limit keywords
You can search standard Guardrails metadata properties such as timestamp, updateTimestamp, etc. Note that you cannot search actorIdentityId or title in policyValues queries.
Full Text Search will search/filter both the Policy Value and the Resource

You can use Tag Filters. Note that the tag filters are Resource filters - they filter Policy Values on resources with these tags.
You can filter the scope with Hierarchy Scope Filters. Note that these are implicitly set when filtering the policies page in the Guardrails Console
The value keyword allows you to filter Policy Values set to a specific value
You can search and filter policy values by the policy value state using the state keyword. Possible values are:
- error
- invalid
- ok
- tbd

Aim	Filter text
Policy values set to 'Check: Enabled'	`value:'Check: Enabled'`
Policy values for resources with a department tag set to 'sales'	`tags:department=/^sales$/i`
Policy values that are not in an OK state	`state:-ok`
Policy values created/updated in the last day, newest first	`timestamp:>T-1d sort:-timestamp`
Policy values for a specific resources	`resource:162675146433353 level:self`
Policy values for a specific resource and descendant resources	`resource:162675146433353`
`AWS > EC2 > Instance > Active` policy and sub-policy values	`policyType:tmod:@turbot/aws-ec2#/policy/types/instanceActive`
`AWS > EC2 > Instance > Active` policy values (not `AWS > EC2 > Instance > Active > *` sub-policy values)	`policyType:tmod:@turbot/aws-ec2#/policy/types/instanceActive policyTypeLevel:self`
Policy values for AWS policy types	`policyType:aws`
Policy values for CIS policy types	`policyType:cis`